Anthropic’s Mythos preview
Anthropic rolled out a 'Claude Mythos' preview under Project Glasswing aimed at vulnerability hunting, and named partners including Apple, AWS and Google in the initiative. The program frames coordinated, company-backed vulnerability discovery as a way to harden critical software stacks across major vendors. (x.com)
# Anthropic’s Mythos preview

Anthropic has launched a new cybersecurity initiative called Project Glasswing, built around a gated early-release model named Claude Mythos Preview. The company says the model is being used to find serious software flaws in critical systems before attackers do, and it has named launch partners including Amazon Web Services, Apple, Google, Microsoft, NVIDIA, Cisco, CrowdStrike, Broadcom, JPMorganChase, Palo Alto Networks, and the Linux Foundation. (anthropic.com)

The basic idea is simple: modern software is full of bugs, and some of those bugs can be turned into break-ins. Anthropic is pitching Mythos as a machine that can inspect huge codebases and software behavior at a speed that human security teams cannot match on their own, then help defenders report and patch what it finds. (anthropic.com)

That framing matters because the systems in scope are not niche apps. Anthropic says Project Glasswing is focused on “foundational systems” that make up a large share of the world’s cyberattack surface, including software tied to banking, medical records, logistics, power grids, browsers, and operating systems. (anthropic.com)

Anthropic’s own description of Mythos is unusually blunt. In technical material published alongside the launch, the company says Claude Mythos Preview is especially strong at computer security tasks and has shown the ability to identify and exploit zero-day vulnerabilities in every major operating system and every major web browser during testing. A zero-day vulnerability is a software flaw that defenders do not yet know about or have not patched, which makes it especially valuable to attackers. (red.anthropic.com)

The company also says the model can do more than spot obvious mistakes. According to Anthropic, Mythos has been able to reverse-engineer exploits in closed-source software and turn known but not yet widely patched vulnerabilities, often called N-days, into working exploits. That suggests the model is useful not only for finding brand-new holes but also for accelerating the race around recently disclosed ones. (red.anthropic.com)

Because of that capability, Anthropic is not releasing Mythos as a normal public product. The company says it does not plan to make Claude Mythos Preview generally available, and that Project Glasswing is meant to be a controlled, defensive deployment with selected partners and additional organizations that maintain important software infrastructure. (red.anthropic.com)

Anthropic says the preview has already found thousands of high-severity vulnerabilities, including some affecting every major operating system and web browser. The company has not publicly disclosed most of the technical details, saying that more than 99% of the flaws it found had not yet been patched and that revealing specifics would be irresponsible before coordinated fixes are in place. (anthropic.com)

That is where the “company-backed” part of the story comes in. Instead of publishing findings immediately, Anthropic says it is routing discoveries through a coordinated vulnerability disclosure process, the standard security practice where vendors are privately notified and given time to prepare patches before details become public. Anthropic published its disclosure framework in March 2026 specifically for vulnerabilities found by Claude systems. (anthropic.com)

Project Glasswing is also being funded at a meaningful scale. Anthropic says it is committing up to $100 million in usage credits for Mythos Preview across the effort, plus $4 million in direct donations to open-source security organizations. It also says it has extended access beyond the headline launch partners to more than 40 additional organizations that build or maintain critical software infrastructure. (anthropic.com)

The partner list is part of the message. Apple, Amazon Web Services, Google, Microsoft, and the Linux Foundation sit in different parts of the software stack, from consumer devices and cloud infrastructure to core open-source components. By naming companies that often compete with one another, Anthropic is arguing that vulnerability hunting at this level works better as shared defense than as isolated in-house testing. That is an inference from the structure of the program, but it matches Anthropic’s stated goal of sharing lessons so “the whole industry can benefit.” (anthropic.com)

The launch also fits into a broader pattern in Anthropic’s recent security work. In February 2026, the company introduced a limited research preview called Claude Code Security, which scans codebases for vulnerabilities and suggests patches for human review. In April, Mythos appears as a much more capable step in the same direction, aimed at the hardest and most sensitive security work rather than ordinary developer tooling. (anthropic.com)

Anthropic is presenting this as a race against the spread of offensive artificial intelligence capability. On its Glasswing page, the company says frontier cyber capabilities are likely to proliferate soon, potentially to actors who are not committed to safe deployment, and that defenders need a head start now rather than later. That argument is reinforced by Anthropic’s own earlier reporting on an artificial-intelligence-assisted cyber-espionage campaign, which it said showed unusually autonomous use of AI across the attack chain. (anthropic.com)

There is still a large gap between Anthropic’s claims and what outside researchers can independently verify in public, because the most important findings are deliberately being withheld until patches exist. But on the facts Anthropic has disclosed, Project Glasswing is not a normal model launch. It is a controlled rollout of a highly capable security-focused system, paired with major vendors and a disclosure pipeline, built around the idea that the next generation of bug hunting may look less like a lone researcher with a laptop and more like coordinated industrial defense. (anthropic.com)