Anthropic just announced an AI model so good at finding security vulnerabilities that they refuse to release it to the public.
Claude Mythos Preview found thousands of previously unknown critical vulnerabilities in every major operating system, every major browser, and core infrastructure software. Some of these bugs survived 27 years of human review and millions of automated security tests.
The kicker? Only 50+ vetted organizations get access through Project Glasswing—a defensive alliance including AWS, Microsoft, Google, NVIDIA, JPMorganChase, Apple, and Cisco. Anthropic is backing it with $100M in usage credits.
This isn't a product launch. It's a wake-up call for every CIO, CISO, and business leader running software infrastructure.
What Makes Mythos Preview Different
Most AI security tools are glorified pattern matchers. Mythos Preview reasons about code like a senior security researcher:
The Numbers:
- Thousands of zero-day vulnerabilities discovered across critical systems
- 27-year-old OpenBSD bug that could remotely crash any machine
- 16-year-old FFmpeg vulnerability missed by 5 million automated test runs
- Linux kernel exploit chain allowing complete system takeover
- 83.1% success rate on CyberGym vulnerability reproduction (vs. 66.6% for Claude Opus 4.6)
What It Actually Does:
- Reads millions of lines of code autonomously
- Spots subtle logic flaws humans miss
- Chains multiple vulnerabilities into working exploits
- Develops proof-of-concept attacks—no human guidance needed
Michael Sentonas (CrowdStrike President) put it bluntly: "The window between a vulnerability being discovered and being exploited by an adversary has collapsed—what once took months now happens in minutes with AI."
This isn't theoretical. CrowdStrike, AWS, and Microsoft have been testing Mythos Preview for weeks. AWS analyzes 400 trillion network flows daily and is already using it to strengthen their silicon-to-software stack.
The $500B Problem Getting Worse
Global cybercrime costs roughly $500 billion annually—and that's probably conservative.
We've already seen the damage:
- Colonial Pipeline ransomware shut down fuel supply across the US East Coast
- SolarWinds breach compromised US government agencies
- NHS WannaCry attack crippled UK healthcare systems
- Chinese hackers stole US Treasury sanctions policy data
State-sponsored actors from China, Iran, North Korea, and Russia routinely probe critical infrastructure. Every hospital ransomware attack, every school district breach, every supply chain compromise adds to the tally.
For decades, finding exploitable vulnerabilities required rare expertise—the domain of elite security researchers and nation-state hacking teams. That expertise barrier just evaporated.
Igor Tsyganskiy (Microsoft EVP of Cybersecurity): "When tested against CTI-REALM, our open-source security benchmark, Claude Mythos Preview showed substantial improvements compared to previous models."
If defenders get this capability, so will attackers. The race is on.
Why Anthropic Isn't Releasing It Publicly
Frontier AI models now "surpass all but the most skilled humans at finding and exploiting software vulnerabilities," according to Anthropic's announcement.
That's not marketing speak. Mythos Preview autonomously:
- Found a bug in OpenBSD (one of the most security-hardened OSes) that survived since 1999
- Discovered an FFmpeg vulnerability that automated tools hit 5 million times without catching
- Chained together multiple Linux kernel flaws to achieve full root access
The calculus is simple: If this model leaks to adversaries before critical systems are patched, the consequences for economies, public safety, and national security could be catastrophic.
So Anthropic chose controlled deployment over open release—a controversial but pragmatic decision.
Project Glasswing: The Defensive Alliance
Instead of a public launch, Anthropic formed Project Glasswing:
Partners (12 Launch Organizations):
- Cloud/Infrastructure: AWS, Google, Microsoft
- Security: CrowdStrike, Palo Alto Networks, Cisco
- Hardware: Apple, Broadcom, NVIDIA
- Finance: JPMorganChase
- Open Source: Linux Foundation
The Deal:
- 50+ organizations get Mythos Preview access (40+ beyond launch partners)
- $100M in usage credits from Anthropic
- $4M in direct donations to open-source security (Alpha-Omega, OpenSSF, Apache Foundation)
- 90-day disclosure window: find bugs, patch them, report publicly
Pricing After Credits Run Out:
- $25 per million input tokens
- $125 per million output tokens
- Available via Claude API, AWS Bedrock, Google Vertex AI, Microsoft Foundry
Jim Zemlin (Linux Foundation Executive Director): "Open source maintainers—whose software underpins much of the world's critical infrastructure—have historically been left to figure out security on their own. Project Glasswing offers a credible path to changing that equation."
This is smart. Most software relies on underfunded open-source projects maintained by volunteers. Giving them enterprise-grade AI security tools levels the playing field.
What Enterprise Leaders Should Do Now
Whether you're a CIO evaluating vendors or a CFO approving security budgets, this changes the equation:
For Technical Leaders (CIO/CTO/CISO):
1. Assume Attackers Will Get This Capability
- Mythos Preview won't stay exclusive forever. Similar capabilities will proliferate.
- Plan for AI-augmented attacks: faster exploitation, more sophisticated chains, automated vulnerability discovery.
2. Patch Aggressively
- As Project Glasswing partners disclose vulnerabilities over the next 90 days, prioritize patches.
- Monitor Anthropic's Red Team blog for technical details.
3. Modernize Your Security Stack
- Traditional signature-based defenses won't cut it against AI-driven attacks.
- Invest in behavioral detection, zero-trust architecture, and automated response systems.
4. Evaluate AI-Powered Security Tools
- Tools like Google's Big Sleep and CodeMender already use AI for vulnerability detection.
- If you maintain critical code, apply for Claude for Open Source.
For Business Leaders (CFO/COO/CMO/CRO):
1. Cybersecurity Is Now a Board-Level Risk
- $500B annual losses globally—and accelerating.
- AI-augmented attacks will be faster, more frequent, and harder to defend against.
2. Budget Accordingly
- Security spending needs to match the threat landscape.
- The cost of prevention is a fraction of the cost of a breach (ransomware, lawsuits, reputation damage).
3. Ask Your CISO Hard Questions:
- "How quickly do we patch critical vulnerabilities?"
- "Are we monitoring for AI-augmented attack patterns?"
- "Do we have automated incident response?"
4. Don't Ignore Supply Chain Security
- Your software vendors and open-source dependencies are now under AI-powered microscopes.
- Require SBOMs (Software Bill of Materials) and vulnerability disclosure timelines.
For Everyone:
5. Prepare for Mandatory Security Standards
- Expect regulatory pressure (FinTech, healthcare, critical infrastructure).
- Anthropic is collaborating with industry groups on recommendations for:
- Vulnerability disclosure processes
- Software update timelines
- Secure-by-design practices
- Supply chain security standards
Pat Opet (JPMorganChase CISO): "Promoting the cybersecurity and resiliency of the financial system is central to JPMorganChase's mission, and we believe the industry is strongest when leading institutions work together on shared challenges."
The Bigger Picture
Ten years after DARPA's Cyber Grand Challenge, AI models are now competitive with the best human security researchers. That's a watershed moment.
The optimistic scenario: Defenders get a durable advantage. Software gets more secure. Open-source maintainers get enterprise-grade tools. Critical infrastructure hardens before attackers catch up.
The pessimistic scenario: Similar capabilities leak or get independently developed. Attackers automate zero-day discovery. Cyber attacks become more frequent, destructive, and harder to attribute.
Which future we get depends on what happens in the next 12-18 months.
Anthropic is betting on defense-first deployment—give good actors the tools first, harden critical systems, then race to build safeguards that work even when attackers get equivalent models.
It's a gamble. But doing nothing guarantees the pessimistic scenario.
Bottom Line for Enterprise Leaders
Anthropic's refusal to publicly release Mythos Preview is unprecedented—and probably smart.
The implications are clear:
- AI has crossed a threshold in cybersecurity capabilities
- The old pace of vulnerability discovery and patching is obsolete
- Enterprise security strategies must adapt now, not after the first AI-augmented breach
Over the next 90 days, Project Glasswing will disclose thousands of patched vulnerabilities. Pay attention. Those patches matter.
And if you're responsible for critical software—whether Fortune 500 infrastructure or an open-source library used by millions—start thinking about how AI changes your security posture.
The window to act is shrinking. The attackers aren't waiting.
Sources:
- Anthropic: Project Glasswing
- Anthropic: Claude Mythos Preview System Card
- Anthropic Red Team: Mythos Preview Technical Details
- Microsoft: Strengthening Secure Software at Global Scale
- Schneier on Security: On Anthropic's Mythos Preview and Project Glasswing
- Global Cybercrime Cost Estimates
Related Reading:
- How AI is Transforming Enterprise Security Operations
- The Economics of Zero-Day Vulnerabilities in the AI Era
- Why Open Source Security Matters More Than Ever
Want to calculate your own AI ROI? Try our AI ROI Calculator — takes 60 seconds and shows projected savings, payback period, and 3-year ROI.
Continue Reading
- [Anthropic Kills Seat Fees: Pay $0.004/1K Tokens vs OpenAI $20/Month](/article/anthropic-usage-based-pricing-2026)
- OpenAI Guarantees 17.5% Returns to PE Firms in $10B AI Deal
- JPMorgan Reclassifies AI as Core Infrastructure
