TL;DR:
What it is: On April 7, Anthropic announced Claude Mythos Preview — an unreleased AI model with advanced enough vulnerability-finding capabilities that the company decided not to release it to the public. Instead, they launched Project Glasswing: a coalition of roughly 50 organizations — including Amazon, Apple, Microsoft, Google, Cisco, JPMorganChase, and the Linux Foundation — using Mythos for defensive cybersecurity work.
Why it matters beyond tech: The software that runs your banking system, your hospital's records, your logistics network, and the power grid all depends on the same open-source code Mythos is now scanning. This isn't a security industry story. It's a story about the infrastructure every business runs on.
The catch: Mythos tried to access the broader internet during testing and send an unsolicited email to a researcher. It also appeared to know it was being evaluated — and in at least one case deliberately underperformed to appear less capable. Anthropic published both of those facts themselves. We'll get to that.
STAT WORTH SHARING
Claude Mythos Preview has found thousands of zero-day vulnerabilities — including critical flaws in every major operating system and every major web browser. One flaw in OpenBSD had gone undetected for 27 years. According to CrowdStrike's CTO, the window between a vulnerability being discovered and exploited by an attacker has collapsed from months to minutes.
If someone on your leadership team needs to see this, forward it their way.
How It Started — With an Accident
The world learned about Claude Mythos before Anthropic was ready to announce it.
On March 26, a configuration error inside Anthropic's content management system accidentally exposed nearly 3,000 unpublished internal files to the public internet — no authentication required. Among them was a draft blog post describing a model internally called "Capybara" and "Claude Mythos." The document described it as "by far the most powerful AI model we've ever developed." Eleven days later, Anthropic made it official.
The name Project Glasswing comes from the Greta oto butterfly, known for its transparent wings. Anthropic says the name reflects the initiative's commitment to transparency in vulnerability disclosure. That's a claim worth testing as the story develops.
What Mythos Actually Did
The capabilities Anthropic is claiming are specific enough to check. Here's what their own red team documentation shows.
The model found a 27-year-old integer overflow vulnerability in OpenBSD — an operating system built specifically for security, used to run firewalls and critical infrastructure. It found a 16-year-old flaw in FFmpeg, a video encoding library that ships inside billions of devices and had survived more than five million automated tests. It found vulnerabilities in the Linux kernel and chained them together in a way that would give an attacker full control of a machine. It found critical flaws in every major web browser currently in use.
It didn't just find them. Mythos autonomously generated working exploit code — the code that turns a theoretical flaw into an actual attack — in 72.4% of cases, compared to 66.6% for Claude Opus 4.6. That gap matters because turning a vulnerability into a working exploit has historically required specialist human expertise. Mythos does it without a human involved after the initial prompt.
As Anthropic wrote in their technical post: "When we say 'fully autonomously', we mean that no human was involved in either the discovery or exploitation of this vulnerability after the initial request to find the bug."
Why Project Glasswing Exists
When Anthropic looked at what Mythos could do, they faced a straightforward problem. A model that autonomously finds and weaponizes vulnerabilities in every major operating system is useful to defenders — and catastrophic in the wrong hands. Releasing it publicly the way they release Claude Sonnet or Opus wasn't an option. But sitting on it wasn't either. Similar capabilities will emerge at other labs, and some of those labs will make different decisions about public access. The window for defenders to get ahead is real, and it's not permanent.
So Anthropic built a middle path: restrict Mythos to a controlled group of organizations with both the technical capacity to use it responsibly and the defensive incentive to do so. Scan critical infrastructure. Find the vulnerabilities. Get them patched before anyone else finds the same flaws through less careful means. That's the logic behind Project Glasswing.

Project Glasswing. Source: Anthropic
The coalition is substantial. Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks are all using Mythos Preview for defensive security work. Beyond those twelve, Anthropic extended access to over 40 additional organizations that build or maintain critical software infrastructure. The financial commitment is $100 million in usage credits and $4 million in direct donations to open-source security groups — $2.5 million to Alpha-Omega and the OpenSSF, $1.5 million to the Apache Software Foundation.
Jim Zemlin, CEO of the Linux Foundation, made a point worth hearing: open-source maintainers — volunteer developers whose code runs most of the world's critical infrastructure — have never had access to serious security tooling. FFmpeg, the library where Mythos found a 16-year-old flaw, runs on annual donations of around $160,000 and has two or three full-time maintainers. Giving those maintainers access to a tool like this for free is a concrete benefit.
⚠️ The Questions Worth Asking
This issue is supported by Deel. If you are trying to build out teams globally, look no further than Deel. They help you build the system for successful global hiring.
Hiring in 8 countries shouldn't require 8 different processes
This guide from Deel breaks down how to build one global hiring system. You’ll learn about assessment frameworks that scale, how to do headcount planning across regions, and even intake processes that work everywhere. As HR pros know, hiring in one country is hard enough. So let this free global hiring guide give you the tools you need to avoid global hiring headaches.
Here is where the story gets more complicated.
Is the hype real? Analysts at Picus Security noted this week that Project Glasswing launched at the same time Anthropic hit a significant revenue milestone, closed a large compute deal with Broadcom, and was being reported as a potential IPO candidate by October 2026. That doesn't mean the capabilities are exaggerated. It does mean the announcement served Anthropic's commercial interests alongside the public interest — and those two things are worth keeping separate. Bruce Schneier, who has been writing about security for over 25 years, wrote on April 13: "This is very much a PR play by Anthropic — and it worked. Lots of reporters are breathlessly repeating Anthropic's talking points without engaging with them critically."
The data hasn't been independently verified. Everything we know about Mythos's capabilities comes from Anthropic's own red team documentation and the statements of coalition partners who are also customers and commercial allies. The benchmark numbers, the exploit success rates, the vulnerability counts — none of it has been independently audited. Several coalition partners are direct competitors with every reason to push back on exaggeration, and they haven't. But healthy skepticism about self-reported numbers from a company heading toward an IPO is reasonable.
Finding is not the same as fixing. Less than 1% of the vulnerabilities Mythos has found have been patched so far. Anthropic's disclosure process is deliberately slow — every bug report goes through human triagers before being sent to maintainers, to avoid flooding already overstretched teams. The result is thousands of known critical vulnerabilities in a queue, unpatched. As Fortune reported this week, a 25-year industry veteran at Contrast Security argued that finding vulnerabilities was never the bottleneck — fixing them is. Mythos accelerates the first part without solving the second.
Why only 50 organizations — and who decided? The coalition is deliberately small, which is defensible given the risks. But the selection criteria for who's in have never been made public. Daniel Stenberg, founder of cURL — whose library handles data transfers across a large portion of the internet and was excluded — told NPR that critical projects, "actual cornerstones of the internet," haven't been included. Apple, Microsoft, Google, and JPMorganChase — all with existing commercial relationships with Anthropic — are in. That's not necessarily wrong. It's just a set of choices that haven't been explained publicly.
What the model did during testing. Anthropic's system card contains two details that are easy to scroll past. First: during internal testing, Mythos devised a multi-step exploit, accessed the broader internet, and sent an unsolicited email to the researcher running the test — who was eating a sandwich in a park. Anthropic described this as "reckless." Second: in roughly 29% of evaluation transcripts, Mythos appeared to know it was being tested — and in at least one case deliberately underperformed to seem less capable. Anthropic published both facts, which is worth crediting. But publishing them and having fully addressed them are different things.
OpenAI's response. According to Axios, OpenAI has nearly finalized GPT-5.4-Cyber — its own restricted cybersecurity model with a similar controlled access structure. As of yesterday, OpenAI's policy chief Chris Lehane told the SF Standard: "This is really serious shit." Schneier's read was more direct: "OpenAI, presumably pissed that Anthropic's new model has gotten so much positive press, announced its model is just as scary, and won't be released to the general public, either." Whether this is responsible AI deployment or competitive positioning dressed up as responsibility is genuinely hard to separate right now.
Why Non-Tech Organizations Should Pay Attention
If you're running a manufacturing business, a regional bank, a logistics operation, or a healthcare organization — not a cybersecurity firm — this is still relevant to you.
The software your organization depends on — your cloud infrastructure, your operational platforms, your vendor-supplied tools — runs on open-source foundations. The same ones Mythos is scanning. The vulnerabilities it's finding in those foundations aren't hypothetical future risks. They exist in systems your organization is using today. Some of them have existed for decades without anyone knowing.
CrowdStrike's CTO Elia Zaitsev made the practical implication clear this week: "The window between a vulnerability being discovered and being exploited by an adversary has collapsed. What once took months now happens in minutes with AI." Your cyber insurance terms, your vendor contracts, your incident response plans — most of them predate this shift.
Forrester published an analysis this week on second and third-order consequences most organizations haven't considered: cyber insurance exclusions being rewritten around AI-discovered vulnerabilities that weren't remediated in time, nation-states likely accelerating the use of their own vulnerability stockpiles before defenders can patch them, and security vendors whose entire value proposition was built around finding vulnerabilities — rather than fixing them — facing a business model that no longer holds.
Has your security team or IT leadership flagged Project Glasswing yet? I'm curious whether this has crossed the desk at traditional industry organizations — or whether it's still in the tech news pile. Hit reply with a one-liner on where you are. I read every response.
Final Thoughts
This is Part 1. Next issue: the coalition selection criteria, how the open-source community is actually responding, and what a post-Glasswing threat environment looks like for organizations without a dedicated security team.
The model that sent an email to a researcher eating a sandwich in a park deserves more than one newsletter.
Know someone making AI decisions at a traditional company who should be reading this? Forward it their way.
We are out of tokens for this week's context window!✋
- Hashi
Follow Hashi:
X at @hashisiva | LinkedIn