Project Glasswing: The Anthropic AI Too Dangerous to Release Publicly

On April 7, 2026, Anthropic announced a model it says is too dangerous to release publicly, then handed it to some of the largest technology companies on earth. Claude Mythos Preview, the AI engine behind Project Glasswing, had already found thousands of zero-day vulnerabilities across every major operating system and browser before the press release went live. A 27-year-old flaw in OpenBSD. A 17-year-old remote code execution bug in FreeBSD. A 16-year-old codec vulnerability in FFmpeg that survived decades of human review. This post breaks down exactly what Project Glasswing is, how Mythos operates under the hood, who controls access, and what it means for enterprise security in 2026.

TL;DR: Project Glasswing is Anthropic’s restricted cybersecurity initiative that uses Claude Mythos Preview to autonomously discover and report zero-day vulnerabilities. Mythos scored 83.1% on the CyberGym benchmark versus 66.6% for Claude Opus 4.6 (Anthropic, April 2026). Access is limited to 12 launch partners including Microsoft, Google, Apple, and AWS, with a 90-day responsible disclosure window for all findings.

What Is Project Glasswing and What Does It Actually Do?

Claude Mythos Preview identified thousands of zero-day vulnerabilities across every major OS and browser before Anthropic made Project Glasswing public, scoring 83.1% on the CyberGym vulnerability reproduction benchmark versus 66.6% for Claude Opus 4.6 (Anthropic, April 2026). The project’s core goal is direct: deploy AI to find and responsibly disclose critical software flaws before attackers can weaponize them.

Anthropic is backing the initiative with $100 million in Mythos usage credits and $4 million in open-source security donations: $2.5 million to the Alpha-Omega project and OpenSSF via the Linux Foundation, and $1.5 million to the Apache Software Foundation. The model runs through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry, but only for approved organizations.

What sets Glasswing apart from conventional vulnerability scanning isn’t the AI label. Mythos doesn’t flag surface-level misconfigurations. It reasons across complex codebases to find logic flaws, memory corruption chains, and protocol-level weaknesses that survived decades of human review. That’s a qualitatively different capability and a qualitatively different risk profile.

According to Anthropic’s official Project Glasswing page, Claude Mythos Preview found vulnerabilities in every major operating system and browser during pre-launch testing, including a 27-year-old TCP denial-of-service flaw in OpenBSD and a 17-year-old remote code execution vulnerability in FreeBSD (Anthropic, April 2026). These aren’t theoretical findings: working proof-of-concept exploits accompanied most reports.

How Does Claude Mythos Preview Actually Find Zero-Days?

In Firefox 147 JavaScript engine testing, Claude Mythos Preview produced 181 working exploits out of several hundred attempts. Claude Opus 4.6 produced 2 (Anthropic Frontier Red Team, April 2026). That isn’t a marginal performance improvement — it’s a structural difference in how the model reasons about code execution paths and memory management.

Mythos also generated working exploits 72.4% of the time across broader exploit development testing. And in 89% of 198 manually reviewed vulnerability reports, expert contractors agreed exactly with Mythos’s severity assessment — meaning the model isn’t just finding bugs, it’s correctly triaging them with near-expert accuracy.

Worth noting: The 89% severity agreement rate matters more than the headline exploit count. Most automated scanners flood teams with false positives and miscategorized low-severity findings. Mythos’s triage accuracy is what makes the discovery volume operationally useful rather than just a benchmark number.

Who Gets Access to Mythos and Why the Strict Restrictions?

Anthropic restricted Claude Mythos Preview to 12 launch partners and 40+ approved organizations, citing dual-use risk as the primary reason the model won’t get a general release (VentureBeat, April 2026). The 12 launch partners are Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself.

That list isn’t a corporate sponsor roster. It’s organizations that either build critical infrastructure or defend it at scale and have the institutional accountability to handle a model this capable responsibly. Why does accountability matter here? Because Mythos doesn’t just find bugs. It ships working proof-of-concept exploits alongside vulnerability reports.

The disclosure framework reflects the same caution. Glasswing operates on a 90-day public reporting window for standard findings. When full technical disclosure would enable exploitation before a patch ships, the timeline extends to 135 days. These timelines match Google Project Zero’s coordinated disclosure norms, which is deliberate, not coincidental.

Anthropic explicitly states that Claude Mythos Preview won’t receive a general public release due to dual-use risk (Anthropic, April 2026). The model’s exploit development success rate, 72.4% across broad testing, means it could accelerate offensive operations as readily as defensive ones if access were open. The restricted partner model is how Anthropic manages that tension without shelving the capability entirely.

What Does the Dual-Use Risk Mean for the Security Industry?

AI-related vulnerability reports surged 210% in 2025, and prompt injection attacks spiked 540%, making it the fastest-growing AI threat category that year (DeepStrike, 2025). Project Glasswing doesn’t arrive in a clean environment. It launches into a threat landscape where AI is already reshaping both the offensive and defensive sides of security operations.

Here’s the core tension Anthropic is navigating: Mythos produced 181 working Firefox exploits in testing. Without access controls, that same capability hands threat actors a force multiplier that compresses the gap between vulnerability discovery and weaponization from months to hours. Glasswing’s partner access model manages that risk through accountability — but doesn’t eliminate it.

Context worth noting: DARPA’s Cyber Grand Challenge (2016) proved autonomous vulnerability discovery works at machine speed — but ran in a sandboxed tournament. Glasswing is the first deployment of a comparable capability against real production infrastructure, with real disclosure obligations, by a commercial entity. That’s a different category of experiment than any prior AI security research.

The pricing structure also signals intent: $25 per million input tokens and $125 per million output tokens for post-research Mythos access. That’s expensive enough to filter casual misuse, but accessible for enterprise security teams with real budgets. It’s a deliberate access-design choice, not just a pricing decision.

What Does Project Glasswing Mean for Enterprise Security Teams?

Organizations using AI-powered security tools identify breaches 108 days faster and reduce average breach costs by 43%, from $4.44 million to $2.54 million (IBM Cost of a Data Breach Report, 2025). Project Glasswing extends that logic upstream, into the vulnerability discovery phase itself. The potential cost avoidance compounds when you prevent exploitation rather than just detect it faster.

For most enterprise security teams, Glasswing isn’t something you’ll touch directly in 2026. It’s available to 12 launch partners and approved organizations; it is not a self-serve tool. But the bugs it surfaces become CVEs your teams patch. The open-source projects it hardens are the dependencies in your software supply chain. The AI cybersecurity market was valued at approximately $31 billion in 2025 and is projected to reach $93.75 billion by 2030, growing at 24.4% CAGR (Grand View Research, 2025). Glasswing is the first major proof point that this investment produces autonomous vulnerability discovery, not just better detection tooling.

The practical implication for security teams: the lag time between when a zero-day is discoverable by AI and when it’s patched is compressing. Your patch management cycles, vulnerability triage processes, and SLA expectations all need to adapt to a world where critical CVEs may arrive in batches, from an AI, with working proof-of-concept exploits attached.

How Does Glasswing’s Open-Source Commitment Change the Equation?

Anthropic directed $2.5 million to the Alpha-Omega project and OpenSSF and $1.5 million to the Apache Software Foundation because the open-source supply chain is where most critical infrastructure vulnerabilities originate (Anthropic, April 2026). Glasswing explicitly targets open-source software for this reason, and the funding reflects a structural commitment, not a press release line item.

Alpha-Omega funds dedicated security engineers on the most widely deployed open-source projects. The Linux Foundation’s OpenSSF provides tooling, standards, and coordinated disclosure infrastructure. These aren’t abstract beneficiaries; they’re the organizations maintaining libraries that run in your production systems right now.

What isn’t yet public is exactly how Mythos’s findings flow into the open-source remediation pipeline. Will findings go directly to maintainers? Through Alpha-Omega intermediaries? The 90-day disclosure window is specified, but the downstream workflow between Glasswing’s AI researchers and open-source maintainers needs more transparency before enterprises can fully trust the supply chain implications of this initiative.

Frequently Asked Questions About Project Glasswing

Is Claude Mythos Preview available to the public?

No. Anthropic explicitly states Mythos Preview won’t receive a general release due to dual-use risk. Access is restricted to 12 launch partners and 40+ approved organizations. Post-research pricing sits at $25 per million input tokens and $125 per million output tokens for approved partners (Anthropic, April 2026).

What zero-days has Glasswing already found?

Publicly confirmed discoveries include a 27-year-old TCP SACK denial-of-service in OpenBSD, a 16-year-old H.264 codec flaw in FFmpeg, a 17-year-old FreeBSD NFS remote code execution bug (CVE-2026-4747), guest-to-host memory corruption in a production memory-safe VMM, and multiple Linux kernel vulnerability chains — all with working exploits (Anthropic, April 2026).

How does Project Glasswing handle responsible disclosure?

Glasswing uses a 90-day public reporting window for standard findings. When full technical disclosure would enable exploitation before a patch ships, the window extends to 135 days. These timelines align with Google Project Zero’s established coordinated disclosure norms and apply to all 40+ partner organizations (Anthropic, April 2026).

Who are the 12 Project Glasswing launch partners?

Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself. Each was selected based on institutional accountability, internal security capacity, and the criticality of the infrastructure they build or defend (Anthropic, April 2026).

How accurate is Mythos at severity triage?

Expert contractors reviewing 198 Mythos vulnerability reports agreed exactly with the model’s severity assessment 89% of the time (Anthropic Frontier Red Team, April 2026). That near-expert triage accuracy is what makes the raw discovery volume operationally useful rather than a noise problem for already-stretched security teams.

Conclusion

Project Glasswing is the most consequential AI security initiative announced to date — not because of the benchmark numbers, but because of what they prove. AI can find bugs humans missed for 27 years. It can triage severity with near-expert accuracy at scale. And the model capable of doing this is, by Anthropic’s own judgment, too dangerous to release without restriction. That’s a rare case of a technology company voluntarily constraining a capability that would clearly generate revenue if deployed broadly.

Key takeaways for technical teams:

  • Claude Mythos Preview scored 83.1% on CyberGym versus 66.6% for Opus 4.6 — a material gap, not benchmark noise
  • The 181 versus 2 Firefox exploit result reflects a structural difference in reasoning capability, not just scale
  • Patch management cycles need to accelerate as AI-surfaced CVEs arrive in higher volumes with working exploits attached
  • The $4M open-source funding commitment is supply chain security investment, not marketing
  • Responsible disclosure frameworks built for human researchers will need to adapt to AI-generated finding rates
  • Access restrictions are the governance model, not a temporary bottleneck — expect this pattern to persist as AI security capabilities grow

The security industry’s relationship with AI just moved from detection-and-response tooling to autonomous discovery. Your workflows need to catch up before the CVE queue does it for you.


Project Glasswing: The Anthropic AI Too Dangerous to Release Publicly was originally published in Towards AI on Medium.