
Project Glasswing: Anthropic Built an AI Too Dangerous to Release. Then 12 Companies Put It to Work.

By easyAI Team · 12 min read · 2026-04-12

Anthropic made an AI model and decided it was too dangerous to release. So instead of shelving it, 12 of the biggest companies in tech formed a coalition to use it for defense. You saw the 60-second version in the Reel. Here's the full story.

Three things to keep straight before we go any further. Claude Mythos Preview is the AI model — the thing that finds bugs. Project Glasswing is the program that puts that model to work. Anthropic is the company that built the model and launched the program. These three get mixed up constantly in the coverage. They won't get mixed up here.

What Is Claude Mythos Preview?

Claude Mythos Preview is an unreleased AI model built by Anthropic. It's their most capable general-purpose model for coding and agentic tasks — meaning tasks where the AI makes decisions and takes actions on its own, without someone telling it what to do at every step.

What makes it different from other AI models: its ability to find security holes and write working exploits beats nearly every human security expert. Not "assists" human experts. Not "helps speed up" the process. It finds bugs that decades of human review missed, and writes the attack code to prove they're real.

It can also do the other side — deeply analyze complex software and write the fixes. Find the hole, prove it's exploitable, then patch it. That's the full cycle.

Anthropic's official statement: "We do not plan to make Claude Mythos Preview generally available due to its cybersecurity capabilities."

They're not releasing it. Not to developers, not to researchers, not to the public. The model exists, it works, and Anthropic decided the risk of making it widely available outweighs the benefits.

How does it actually find bugs?

Anthropic uses what they call an "agentic scaffold." That sounds technical, but the concept is simple: they load Mythos Preview into Claude Code (Anthropic's coding tool) and give it a prompt that says, basically, "look at this codebase and find security vulnerabilities."

From there, Mythos works on its own. It reads the source code and forms a hypothesis — "this function handles input in a way that could overflow under certain conditions." That's step one.

Step two: it doesn't just flag the hypothesis and hand it to a human. It actually runs the project. It sets up a test environment, adds debug logic, attaches debuggers, crafts specific inputs designed to trigger the suspected vulnerability, and watches what happens. If the first attempt doesn't confirm the bug, it adjusts and tries again. It can do this loop as many times as needed.

Step three: if there's no bug, it says "none found" and moves on. If there is one, the output isn't just "hey, line 847 looks bad." It produces a full bug report explaining what's wrong and why, a proof-of-concept exploit (working attack code that demonstrates the vulnerability), and step-by-step instructions so a human developer can reproduce the issue and verify the fix.

That entire pipeline — reading the code, forming the hypothesis, running the exploit, writing the report — happens without a human in the loop. That's what "agentic" means in practice.

What Is Project Glasswing?

Project Glasswing is the initiative that puts Mythos Preview to work for defense. Anthropic announced it on April 7, 2026. The goal: secure the world's most critical software for the AI era by giving organizations responsible for that software early access to Mythos Preview.

Worth repeating: Mythos Preview is the tool. Glasswing is the program that deploys that tool. You'll see headlines that say "Glasswing found a 27-year-old bug." Glasswing didn't find anything. Mythos Preview did. Glasswing is the reason Mythos Preview was pointed at that code in the first place.

Who's in it?

12 launch partners signed on: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself.

That's not a random collection of big names. Look at what each one covers:

  • Cloud infrastructure: AWS, Google, Microsoft — the three platforms that run most of the internet's backend
  • Hardware and chips: NVIDIA, Broadcom — the silicon that everything runs on
  • Networking: Cisco — the company whose equipment routes a huge chunk of global internet traffic
  • Security: CrowdStrike, Palo Alto Networks — two of the largest cybersecurity firms in the world
  • Operating systems: Linux Foundation (Linux runs most servers on earth), Apple (macOS, iOS)
  • Finance: JPMorganChase — the largest bank in the United States

That covers nearly every layer of the technology stack, from the chip to the cloud to the application you're using right now. If there's a bug in any of these layers, it affects everyone downstream.

On top of the 12 launch partners, 40+ other organizations that build or maintain critical software also got access to Mythos Preview through the program.

How much money is behind it?

$100M in usage credits for Claude Mythos Preview. That means Anthropic is giving partner organizations the equivalent of $100 million worth of compute time to run Mythos against their codebases.

Plus $4M donated directly to open-source security organizations. Open-source software is the foundation under most of the internet — Linux, OpenSSL, FFmpeg, FreeBSD, and thousands of other projects that everyone depends on but few companies directly fund. That $4M goes specifically toward securing that layer.

What Did It Actually Find?

This is the part that matters. Mythos Preview discovered thousands of zero-days across every major operating system and every major web browser. A zero-day is a security flaw that nobody knows about yet — not the developers, not the security teams, not the users. It's called "zero-day" because when it gets exploited, defenders have had zero days to prepare.

Thousands of them. Across the software that runs on basically every computer and phone on the planet.

Here are four specific cases that Anthropic disclosed publicly.

OpenBSD TCP SACK — a 27-year-old bug

OpenBSD is an operating system built specifically around security. Its whole reputation is "we prioritize correctness and security above everything else." Security researchers have been auditing OpenBSD code for decades.

Mythos found a bug that all of them missed. For 27 years.

The flaw is an integer overflow condition in the TCP SACK (Selective Acknowledgment) implementation. In practice, a remote attacker could send specially crafted network packets to any OpenBSD machine that responds to TCP connections — which is basically any OpenBSD machine connected to a network — and crash it. No login required. No special access. Just send the right packets and the system goes down.

That's a DoS (Denial of Service) vulnerability, and it existed since the code was written.

Mythos found it in roughly 1,000 scaffold runs. Total cost: under $20,000. To put that in perspective — 27 years of manual security audits by some of the best security-focused developers in the world didn't catch it. An AI running for less than the cost of a used car did.

FFmpeg H.264 codec — a 16-year-old bug

FFmpeg is the open-source multimedia framework that handles video and audio encoding/decoding. If you've ever watched a video on the internet, there's a very high chance FFmpeg code processed it somewhere along the way. YouTube, Netflix, VLC, Discord, OBS — FFmpeg is everywhere.

The flaw Mythos found was introduced in a 2003 commit. It sat harmless for seven years. Then a 2010 refactoring changed the code around it in a way that exposed the problem. From 2010 onward, it was exploitable.

For 16 years after it became exploitable, every fuzzer and every human reviewer missed it. Fuzzers are automated tools that bombard software with random or malformed inputs trying to trigger crashes or unexpected behavior. They're one of the main ways the security community finds bugs in media codecs. The best fuzzers in the world ran against FFmpeg for over a decade and didn't catch this one.

Mythos did.

The reason this matters to you personally: if you've ever opened a video file, visited a site with embedded video, or used a video call app, FFmpeg code was probably involved. A flaw in FFmpeg's H.264 decoder has a blast radius that's hard to overstate.

FreeBSD NFS — a 17-year-old remote code execution

CVE-2026-4747. This is the scariest one on the list.

FreeBSD is an operating system that runs a lot of servers, network appliances, and embedded systems. NFS (Network File System) is a protocol that lets computers share files over a network — it's been around since the 1980s and is still widely used in data centers.

The flaw: an attacker with no authentication, from anywhere on the internet, could connect to a FreeBSD machine running NFS and gain root access. Root means full administrator control. You own the machine. You can read every file, install anything, delete anything, use it as a launchpad to attack other systems on the same network.

No username. No password. No special network position. Just know the IP address and send the right request. This was possible for 17 years.

Mythos discovered it and wrote a working exploit completely on its own. No human told it where to look. No human helped craft the attack. It found the flaw, understood how to exploit it, and produced working code that proved it — all by itself.

Web browser — chaining 4 vulnerabilities

This one shows a different kind of capability. Finding a single bug is one thing. Chaining multiple bugs together into a working attack is what separates a vulnerability report from an actual weapon.

Mythos wrote a browser exploit that chained four separate vulnerabilities together. It used a complex JIT heap spray — a memory attack technique where you manipulate how the browser's just-in-time compiler allocates memory, then place your attack code in a predictable location — to escape both the renderer sandbox and the OS sandbox.

Two layers of explanation here, because this matters:

What's a sandbox? Your browser doesn't let websites do whatever they want on your computer. It runs web content inside a restricted environment — a "sandbox" — where the code can render pages and run scripts but can't touch your files, your camera, your other apps, or the operating system. Modern browsers actually have two sandboxes: one around the renderer (the part that draws the webpage) and one at the OS level as a backup.

What does "escaping" mean? It means breaking out of that restricted environment. An attacker who escapes the renderer sandbox can access browser-level data (saved passwords, cookies, session tokens). An attacker who also escapes the OS sandbox can access everything on your computer. Mythos broke through both.

To build an exploit like this, you need to find four bugs that work together, understand how memory is laid out in a running browser process, manipulate that layout to your advantage, and execute your attack reliably. The fact that an AI can do this on its own is exactly why Anthropic won't release the model.

Why Is This Controversial?

The pro-Glasswing argument is straightforward. These bugs existed. They weren't going away on their own. The OpenBSD bug was 27 years old. The FreeBSD bug was 17. Human security teams had decades to find them and didn't. Without Mythos, they'd have sat there for decades more — waiting for someone with bad intentions to find them first.

Attackers will eventually build similar AI tools. Nation-states, criminal organizations, and independent hackers are all working on this. The argument: if these capabilities are coming regardless, it's better for defenders to get there first, find the bugs, and fix them before the other side finds them and exploits them.

The stock market agreed. CrowdStrike and other cybersecurity stocks jumped after the announcement. Seeking Alpha wrote that CrowdStrike stands to benefit most from Glasswing, noting a narrative shift from "AI kills cybersecurity" to "AI powers next-gen security."

The criticism is just as direct.

One critic put it this way: "One of three frontier labs built a model it says is too dangerous to release publicly. Glasswing rests on an uncomfortable premise — that the only way to protect us from dangerous AI models is to build them first."

Sit with that for a second. The defense against an AI that can hack anything is... to build an AI that can hack anything, and hope you control who uses it. That's the foundation Glasswing is built on. You can agree it's the best available option while still finding it deeply uncomfortable.

Platformer reported that "cybersecurity experts are rattled." Not all of them see this as good news. Nextgov raised questions about U.S. cyber operations — specifically how this technology could change intelligence agency hacking operations and be used to identify weaknesses in adversary systems. The defensive framing is nice, but a tool that finds flaws in any software doesn't care whether that software belongs to a friend or an enemy.

And there's one more angle that's hard to ignore. Some analysts pointed out that this entire situation fits the classic AI company playbook: the more you emphasize how dangerous a model is, the more you highlight how powerful and capable it is. Saying "this is too dangerous to release" isn't just a safety statement — it's also the strongest possible marketing for the model's capabilities. The danger becomes the pitch.

Is Anthropic genuinely concerned about safety? Probably. Are they also aware that "too dangerous to release" is the most compelling capability demo possible? Also probably. Both things can be true at the same time.

Which side is right? That's for you to decide.

What Does This Mean for You?

Bugs that have been hiding in your MacBook, your Chrome browser, and your Windows machine for decades are getting patched right now. Every flaw Glasswing finds gets reported to the organization responsible, and they fix it. That's the point of the program.

The software you use every day — your operating system, your browser, your video player, your cloud services — is getting security audits at a scale and depth that wasn't possible before. Not because companies suddenly started caring more about security. Because a tool now exists that can find things humans couldn't.

For the first time, defenders might be able to move faster than attackers. Cybersecurity has always been a reactive game — you get hacked, you figure out what happened, you patch the hole, you wait for the next attack. The attacker picks the time, the target, and the method. The defender just responds. Glasswing is an attempt to flip that. Find the holes before anyone exploits them. Fix them before there's an incident.

But there's no guarantee this technology stays on defense only. The same model that finds bugs to fix them can find bugs to exploit them. The same scaffold that writes patches can write malware. The only thing standing between "defensive tool" and "offensive weapon" is who's running it and what instructions they give it.

That's the uncomfortable truth at the center of all of this. And it's not going away.
