Anthropic builds a cybersecurity toolset
Anthropic unveiled Project Glasswing — a frontier model (Claude Mythos Preview) aimed at finding software vulnerabilities more effectively than most humans, signalling a push into AI-assisted security tooling. The initiative is described as high-powered and tightly access-controlled, and it sits alongside Anthropic’s other commercial moves as the company talks about new products for enterprise-scale AI. This shows major model-makers are treating vulnerability discovery as a commercial AI application and restricting access because of its potency. ( )
A software bug can sit inside a browser or operating system for years like a cracked pipe behind a wall, and the first person to find it often gets the advantage. Anthropic says its new model, Claude Mythos Preview, is unusually good at finding those hidden flaws, so good that it is not releasing the model to the public at all. (anthropic.com, anthropic.com) That is the news: Anthropic has launched Project Glasswing, a program that gives a small group of partners access to Mythos Preview to hunt for vulnerabilities in important software before attackers do. The launch partners listed by Anthropic include Amazon Web Services, Apple, Google, Microsoft, NVIDIA, Cisco, CrowdStrike, Palo Alto Networks, JPMorganChase, Broadcom, and the Linux Foundation. (anthropic.com) A vulnerability is a mistake in code that can let someone crash a program, steal data, or take control of a machine. A zero-day vulnerability is a flaw the vendor does not know about yet, which means there is no patch waiting on the other side. (anthropic.com) For years, security teams used scanners that work like metal detectors at an airport: fast, useful, and prone to missing anything unusual. Anthropic says Mythos Preview can reason through code and produce exploit paths for subtle bugs that are harder to catch with ordinary automated tools. (anthropic.com, anthropic.com) Anthropic’s own write-up says Mythos Preview identified and exploited zero-day vulnerabilities in every major operating system and every major web browser during internal testing. The company also says more than 99% of the vulnerabilities it found are still unpatched, which is why it is withholding most technical details. (anthropic.com) The company has been walking toward this for months. In February 2026, Anthropic published research warning that large language models were getting better at discovering zero-days, and in March it rolled out a limited research preview called Claude Code Security to scan customer codebases and suggest patches for human review. (anthropic.com, anthropic.com) Project Glasswing is the next step up from scanning one company’s code. Anthropic says the program is aimed at “the world’s most critical software,” which means shared infrastructure like operating systems, browsers, and open-source components that millions or billions of devices rely on. (anthropic.com, anthropic.com) Anthropic also published a coordinated vulnerability disclosure policy for bugs its models discover. The rule is simple: if the model finds a flaw in open-source software or in closed-source software where Anthropic has authorization, the company reports it privately so maintainers can patch it before details spread. (anthropic.com) This is why the access controls matter. Anthropic says it does not plan to make Claude Mythos Preview generally available, and its system card describes the model as a frontier system with a sharp jump over Claude Opus 4.6 on multiple benchmarks, including cyber-related evaluations. (anthropic.com, anthropic.com) The deeper shift is that vulnerability discovery is no longer being treated as just a lab demo or a red-team stunt. Anthropic is packaging it as a product and a partnership model for enterprise and infrastructure operators, with restricted distribution built into the business plan from day one. (anthropic.com, anthropic.com, anthropic.com)
