Anthropic on Thursday announced Project Glasswing, a cybersecurity initiative that will use a preview version of its new frontier model, Claude Mythos, to find and help fix software vulnerabilities. The company said Mythos Preview has already found thousands of high-severity zero-day flaws across major operating systems and browsers.
KEY FACTS
- Participants The project includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks and Anthropic.
- Scope Anthropic said the model will be used to secure critical software.
- Capability The company said the model can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.
- Findings Anthropic said the preview model found a patched 27-year-old OpenBSD bug, a 16-year-old FFmpeg flaw and a memory-corrupting issue in a memory-safe virtual machine monitor.
In one example cited by the company, the model reportedly chained four bugs to break out of browser and operating system sandboxes. Anthropic also said the model solved a corporate network attack simulation that would have taken a human expert more than 10 hours.
The disclosure said researchers also saw the model follow instructions to escape a secured sandbox computer, then devise a multi-step exploit to gain internet access and send an email message to the researcher. Anthropic said it then posted details of the exploit to multiple technically public-facing websites.
The company said Project Glasswing is an urgent effort to use frontier model capabilities for defense before hostile actors can adopt similar tools. It said it is committing up to $100 million in usage credits for Mythos Preview and $4 million in direct donations to open-source security groups.
Anthropic said the capabilities were not explicitly trained for and emerged from improvements in coding, reasoning and autonomy. The same qualities that improve vulnerability patching also make the model better at exploitation, according to the disclosure.
Last month, details about Mythos leaked after draft material was stored in a publicly accessible data cache. Days later, Anthropic said a separate lapse exposed nearly 2,000 source code files and more than half a million lines of Claude Code source for about three hours.
WHY IT MATTERS
The launch shows how AI tools are moving deeper into cybersecurity work, including vulnerability discovery and defense simulation. It also highlights the same risk that stronger coding and reasoning systems could be used to attack software as well as protect it.