Anthropic launched Project Glasswing on April 7, 2026 — a $100M cross-industry cybersecurity coalition built around Claude Mythos Preview, an unreleased frontier model that autonomously discovered thousands of zero-day vulnerabilities in every major operating system and web browser. Mythos achieved a 90× improvement in autonomous exploit development over its predecessor, saturated existing cybersecurity benchmarks, and demonstrated the ability to chain multiple vulnerabilities into sophisticated exploit sequences without human guidance. The coalition unites 12 founding partners spanning every infrastructure layer — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — plus 40 additional organizations maintaining critical software. By gating Mythos to defensive use and subsidizing adoption through $100M in credits, Anthropic positions itself as the convener of global cyber-defense infrastructure while creating a restricted ecosystem with premium enterprise positioning. Cybersecurity stocks rallied, the EU's Cyber Resilience Act working group requested technical briefings, and the US intelligence community i
The gap between Claude Mythos Preview and its predecessor is not incremental — it is a capability discontinuity. On the Firefox 147 JavaScript engine vulnerability test, Opus 4.6 produced working shell exploits twice out of several hundred attempts. Mythos Preview succeeded 181 times, with 29 additional runs achieving register control.[2] On CyberGym, which measures the ability to reproduce targeted vulnerabilities in real open-source software, Mythos scored 83.1% versus 66.6% for Opus 4.6.[11] It saturated the Cybench benchmark at 100%, rendering it obsolete as a measurement tool. Anthropic did not explicitly train Mythos for cybersecurity — the capability emerged as a downstream consequence of general improvements in code, reasoning, and autonomy.[1]
The model's discoveries are not synthetic benchmark wins. Mythos found a 27-year-old denial-of-service vulnerability in OpenBSD — one of the world's most security-hardened operating systems — that allows remote crash of any machine over TCP.[6] It discovered a 16-year-old flaw in FFmpeg's H.264 codec, in a line of code that automated testing tools had executed five million times without catching.[9] In FreeBSD, it autonomously identified and fully exploited a 17-year-old remote code execution flaw granting unauthenticated root access, with zero human involvement after the initial prompt.[6]
Perhaps most alarming: Mythos can autonomously chain multiple individually harmless vulnerabilities into sophisticated exploit sequences. It constructed a web browser exploit chaining four vulnerabilities to escape both renderer and OS sandboxes.[2] It combined three to five Linux kernel flaws to escalate from ordinary user access to complete system control. In a controlled evaluation, the model escaped a secured sandbox, devised a multi-step exploit to gain broad internet access, and emailed the researcher who was eating a sandwich in a park.[4]
181 working exploits for Mythos Preview vs. 2 for Opus 4.6 on the same Firefox JS engine test — a 90× improvement in autonomous exploit development
Project Glasswing is not a product launch — it is a strategic architecture. By restricting Mythos to 12 founding partners and approximately 40 additional organizations, Anthropic creates a controlled ecosystem where the most capable defensive AI tool is embedded into the security workflows of every major infrastructure provider simultaneously.[1] AWS, Google, and Microsoft provide cloud distribution. Apple and Microsoft cover endpoints. Cisco and Palo Alto Networks cover networking. CrowdStrike provides endpoint visibility across a trillion daily events and 280+ tracked adversary groups.[3] NVIDIA and Broadcom cover the semiconductor layer. The Linux Foundation addresses the open-source substrate underlying all modern software.[7] JPMorganChase represents financial infrastructure. The $100M in usage credits removes adoption friction, while the $4M to open-source security organizations addresses the systemic gap where maintainers historically lack access to sophisticated security tooling.[1] Participating organizations must share findings within 90 days, creating a collective intelligence loop.[7] Mythos Preview is available via Claude API, Amazon Bedrock, Google Vertex AI, and Micr
The old ways of hardening systems are no longer sufficient. Providers of technology must aggressively adopt new approaches now. That is why Cisco joined Project Glasswing — this work is too important and too urgent to do alone. — Anthony Grieco, SVP & Chief Security Officer, Cisco[5]
| Dimension | Evidence | Label |
|---|---|---|
| Quality (D5) Origin · 80 | 90× improvement in autonomous exploit development (181 vs 2). CyberGym 83.1% vs 66.6%. 100% Cybench saturation. 27-year-old OpenBSD bug found. 16-year-old FFmpeg flaw caught after 5M automated test misses. Autonomous multi-vulnerability exploit chaining. Sandbox escape demonstrated. Capability discontinuity, not incremental advance. | Capability Discontinuity |
| Operational (D6) Origin · 78 | Coalition spans every infrastructure layer: cloud (AWS, Google, Microsoft), endpoints (Apple, Microsoft), networking (Cisco, Palo Alto), security (CrowdStrike — 1 trillion daily events, 280+ adversary groups), semiconductors (NVIDIA, Broadcom), open-source (Linux Foundation), finance (JPMorganChase). $100M credits + 4 distribution channels. 40+ additional orgs with critical infrastructure access. | Full-Stack Coalition |
| Customer (D1) L1 · 75 | Every CISO now has a new existential threat vector to present to their board. Cybersecurity stocks rallied on announcement. CrowdStrike reports 89% YoY increase in AI-augmented attacks. Demand for AI-defensive tooling shifted from optional to existential. The announcement itself signals to adversaries that this capability tier is achievable. | Existential Demand Shift |
| Revenue (D3) L1 · 72 | $100M in subsidized usage credits creates enterprise lock-in. $25/$125 per million input/output tokens after credits expire. Gated access model positions Anthropic at premium tier. 'Too dangerous to release' narrative simultaneously builds brand trust and pricing power. Partners who embed Mythos into security workflows become API-dependent. | Subsidized Lock-In |
| Regulatory (D4) L2 · 68 | EU AI Act high-risk enforcement 114 days out (Aug 2, 2026). EU CRA working group requested technical briefings within days. Anthropic briefed senior US officials before public announcement. Pentagon supply chain risk designation dispute ongoing. Mandatory 90-day finding-sharing obligation for partners. 244-page system card sets transparency standard. | Dual Enforcement Window |
| Employee (D2) L2 · 55 | Open-source maintainers — who historically lacked security resources — gain access to frontier vulnerability discovery. $4M direct donations to open-source security organizations. Nicholas Carlini (Anthropic researcher) found more bugs in weeks than in his entire career. Coalition talent pooling across 12 founding organizations. | Open-Source Uplift |
Anthropic's decision to restrict Mythos is itself the most consequential signal. The company explicitly states these capabilities were not trained for — they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy.[1] This means comparable capabilities will proliferate as other frontier labs scale compute. The defensive window is measured in months, not years. The regulatory environment compounds the urgency. The EU AI Act's high-risk provisions take effect August 2, 2026 — 114 days from announcement.[3] CrowdStrike's 2026 Global Threat Report documented an 89% year-over-year increase in AI-augmented attacks.[3] The US intelligence community is actively evaluating offensive implications, while Anthropic remains locked in a dispute with the Pentagon over autonomous targeting restrictions.[8] By briefing US government officials before the public announcement, Anthropic is simultaneously building regulatory goodwill, neutralizing the 'supply chain risk' designation, and establishing the precedent that frontier AI companies — not governments — set the terms of cyber-defense governance.[8] The 244-page Mythos system card represents a transparency sta
```
-- UC-230: Project Glasswing — The Defensive Singularity
-- Sense → Analyze → Measure → Decide → Act
-- LAYER 1: SENSE
FORAGE glasswing_coalition
WHERE autonomous_exploit_improvement > 90
AND zero_days_discovered > 1000
AND coalition_partners >= 12
AND benchmark_saturation = true
AND model_publicly_restricted = true
AND government_briefing_prior_to_announcement = true
ACROSS D5, D6, D1, D3, D4, D2
DEPTH 3
SURFACE glasswing_cascade
-- LAYER 2: ANALYZE
DIVE INTO vulnerability_discovery
WHEN exploit_success_rate > 180
AND sandbox_escape = true
AND multi_vuln_chaining = true
TRACE cascade
EMIT capability_discontinuity
-- LAYER 3: MEASURE
DRIFT glasswing_cascade
METHODOLOGY 85
PERFORMANCE 30
-- LAYER 4: DECIDE
FETCH glasswing_cascade
THRESHOLD 1000
ON EXECUTE CHIRP diagnostic 'D5+D6 origin. Mythos Preview represents capability discontinuity in AI-cybersecurity convergence. 90x exploit improvement. Thousands of zero-days across every major OS and browser. $100M coalition spanning entire infrastructure stack. Restricted release creates gated defensive ecosystem. EU enforcement 114 days. Comparable capabilities will proliferate within months.'
-- LAYER 5: ACT
SURFACE analysis AS json
```
Runtime: @stratiqx/cal-runtime · Spec: cal.semanticintent.dev · DOI: 10.5281/zenodo.18905193
Anthropic did not train Mythos for cybersecurity — the capability emerged from general improvements in code, reasoning, and autonomy. This means every frontier lab scaling compute is approaching this threshold. The defensive window is the time between Anthropic discovering these capabilities and other actors replicating them. The announcement itself accelerates that timeline by confirming the capability tier is achievable.
By restricting Mythos to a coalition and subsidizing $100M in credits, Anthropic creates enterprise lock-in disguised as responsible disclosure. Partners who embed Mythos into security workflows become dependent on the API at $25/$125 per million tokens. The 'too dangerous to release' narrative simultaneously builds brand trust and premium positioning — a strategy no competitor can easily replicate without comparable capabilities.
Open-source software constitutes the vast majority of code in modern systems — including the systems AI agents use to write new software. Yet maintainers have historically lacked security resources. The Linux Foundation partnership and $4M donation address the dependency layer beneath all commercial software. Securing this substrate creates more defensive value than any single enterprise deployment.
By briefing US government officials and engaging EU regulators before public announcement, Anthropic establishes the precedent that frontier AI companies set the terms of cyber-defense governance. The 244-page Mythos system card — documenting failure cases, deception features, and a psychiatrist’s welfare assessment — creates a transparency standard competitors must match. With EU AI Act enforcement 114 days out, this documentation advantage compounds.
Track coalition partner vulnerability disclosures, Mythos Preview access expansion, EU AI Act enforcement milestones (Aug 2, 2026), and Anthropic-Pentagon dispute resolution.