Two weeks ago, Anthropic’s secretive AI model known as Claude Mythos was discovered because unpublished information about it was sitting in a publicly accessible database. Now the company is announcing that it is teaming with the biggest companies in the world to let that model loose to flag potential security vulnerabilities within their systems.
The limited release of Mythos, dubbed Project Glasswing, includes about 40 organizations that will have access to a preview version of the model that is supposedly better than “all but the most skilled humans” at finding software vulnerabilities. Launch partners for the project include Amazon Web Services, Apple, Google, JPMorganChase, Microsoft, and NVIDIA, among others. According to Anthropic, the early returns from the collaboration have been jarring, as the company claims to have found “thousands of high-severity vulnerabilities,” including some in every major operating system and web browser.
It’s unsurprising, given those apparent revelations of serious security flaws, that Anthropic believes the model “could reshape cybersecurity.” Its benchmark tests certainly seem to show that, as Mythos Preview consistently outperformed Claude Opus 4.6, including on the CyberGym test that seeks to identify how well AI agents can detect and reproduce real-world software vulnerabilities. The anecdotes support it, too. Anthropic says Mythos found a bug in the open-source operating system OpenBSD that had been there for 27 years and spotted a chain of vulnerabilities in Linux that could be used to completely hijack a machine.
What’s interesting is that just weeks ago, when Mythos was first discovered (due to a very simple security slip-up, curious how that one wasn’t caught by the all-seeing machine), Anthropic was apparently positioning the model as being so powerful that it would present unprecedented cybersecurity risks. The company hasn’t totally backed off that notion—it said that it won’t make Mythos Preview available to the public because of the risks it poses to facilitate cybersecurity attacks. But to go from keeping it under wraps because it’s too powerful to release to deploying it across essential tech infrastructure is a bit of a leap.
It’s hard to remove Anthropic’s positioning of Mythos from the long history of AI hype cycles, in which these tools are presented as world-altering (and potentially world-destroying) entities, only for them to be incapable of answering how many times the letter “r” appears in strawberry. Way back in 2019, when Elon Musk was still at OpenAI, the company warned that it had developed a text-generation tool that was too dangerous to be made public. A few months later, it was released anyway, and the world kept spinning, just with a bit more machine-generated nonsense in it.
Anthropic has run a version of this playbook already as it relates to cybersecurity. When the company dropped Claude Opus 4.6, it touted how the model had found hundreds of previously unidentified security vulnerabilities that managed to exist undetected in the wild.
AI models like Mythos almost certainly will play a role—likely even a significant one—in the future of cybersecurity, working both as a tool for exploitation and protection. It’ll also likely have a never-ending flow of work in front of it, because AI models like its cousin Claude keep producing vibe-coded outputs filled with flaws. That’s one way to ensure job security.
