
What Are Security Experts Saying About Claude Mythos and Project Glasswing?

By Jordyn Alger, Managing Editor
Kanhaiya Sharma via Unsplash
April 10, 2026

Anthropic recently unveiled Claude Mythos Preview, a general-purpose language model with a heightened ability to identify exploitable vulnerabilities. The model scored 93.9% on SWE-bench Verified and 83.1% on CyberGym. According to Anthropic, the model has already discovered “thousands of high-severity vulnerabilities, including some in every major operating system and web browser.”

While the model is useful for defenders, cybercriminals would find it just as useful for exploiting those vulnerabilities.

That is why Anthropic is refusing to release it publicly. 

Instead, the company developed Project Glasswing, which aims to leverage this model to secure critical infrastructure globally with the support of select partners.

“Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely,” Anthropic’s introduction to the project states. “The fallout — for economies, public safety, and national security — could be severe. Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes.”

The following organizations are partnered with Anthropic in Project Glasswing: 

  • Amazon Web Services
  • Apple
  • Broadcom
  • Cisco
  • CrowdStrike
  • Google
  • JPMorganChase
  • The Linux Foundation
  • Microsoft
  • NVIDIA
  • Palo Alto Networks

Here, security experts share their thoughts on this new model and project. 

Security Leaders Weigh In

Bradley Smith, SVP, Deputy CISO at BeyondTrust:

Models like Mythos will be used by “good guys” and “bad guys” alike.

The BeyondTrust Security Team has already observed AI-assisted tooling compress the exploitation window for critical vulnerabilities to minutes, not weeks. That was not Mythos. That was current-generation tooling, already in the hands of researchers and threat actors, months before this announcement. AI-assisted vulnerability discovery and AI-generated exploit code are not future risks. They are the current operating environment.

Glasswing will help defenders find and fix vulnerabilities faster than any human team. That matters. But those who are presenting it as giving the good guys a head start mischaracterize where we actually are. The adversary already has AI working for them. State-sponsored and criminal threat actors are already using AI-augmented tooling to find and exploit vulnerabilities at a speed and scale that legacy defense postures cannot match. The starting gun fired before Mythos existed.

What Mythos and Glasswing should signal to leadership is not reassurance. It is urgency. If Anthropic’s own assessment is that this model is too dangerous to release publicly because of what it could do in the wrong hands, that tells you something about what less capable but freely available models are already doing in the wrong hands right now. And when open-weight models reach this capability threshold, which credible estimates put at months rather than years, the volume and sophistication of AI-driven attacks scales to a level most organizations are structurally unprepared for.

This is not a technology problem with a technology solution. Glasswing helps find the bugs. It does not change the boardroom calculus that leaves organizations exposed and underinvested in the capabilities that actually matter. The question is not whether Glasswing will protect you. It is whether your leadership will have made the investments in security architecture, identity governance, and incident response capability that determine how your organization weathers what is already here and what is about to get worse.

That requires courageous leadership, to recognize that there is no head start. There is only the decision to act or the decision to wait, and waiting has already cost the industry more than most leaders are willing to admit. Mythos will only increase that cost further.

Marcus Fowler, CEO of Darktrace Federal:

What Anthropic is showing with Project Glasswing, and the Mythos model behind it, is how quickly AI is getting to a place where it can identify vulnerabilities at scale. When AI can find vulnerabilities at a speed and depth that materially changes how quickly weaknesses can be identified, it fundamentally accelerates the discovery of issues across both new and existing systems.

The greatest enabler for attackers today is often code vulnerabilities, so improving our ability to find them is a great thing. The challenge is that identification doesn’t always equal remediation. Many organizations can’t patch everything, whether it’s legacy systems, unmanaged devices, or environments where updates aren’t feasible. So, while the window of vulnerability may get narrower, it doesn’t disappear entirely. 

And as those traditional entry points become harder to exploit, attackers will adapt — as they always do. That’s where insider risk becomes even more significant. If I’m an attacker and I can’t easily break the code, I’m going to look for another path — and the most effective one is often the human. Insider threat doesn’t require exploiting a vulnerability at all. It’s someone already inside the environment, whether that’s a malicious insider, a compromised credential, or someone being incentivized or coerced. They already have access, and they can operate in ways that bypass controls inside the environment. 

In that sense, the problem is potentially reduced, definitely not gone, but the risk and points of greatest concern have shifted. As organizations shore up vulnerabilities, they may also create more space for insider-driven activity, because external exploitation becomes more difficult, but not impossible.

This is where the industry has to shift its mindset. As vulnerabilities are mitigated and hardened ‘left of code,’ the cybersecurity challenge and possible gap is ‘right of code’ — what’s happening inside the environment once systems are live. It is still not just about hardening the castle walls — it’s equally about what’s happening inside the castle. The heavy lift moves from patching and perimeter defenses to understanding activity within the network itself. 

And critically, even if AI tells you your systems are secure, organizations can’t blindly trust that. These models are powerful, but they’re not infallible, and vulnerabilities can persist or emerge over time. Security still depends on continuous monitoring and behavioral understanding.

John Gallagher, Vice President of Viakoo Labs at Viakoo: 

Mythos Preview is a true inflection point in the battle between cyberattackers and cyber defenders in how it not only finds vulnerabilities but also directs their exploitation independent of operating system. There are a handful of operating systems used in IT and data processing, and over 150,000 in OT/IoT/CPS systems; the diversity of operating systems has been a significant barrier to exploitation. While most cyber defense begins in the data center, this stands out as an existential threat that must be first addressed at the edge by focusing on OT, IoT, and CPS systems. Mythos is OS agnostic, but vulnerability remediation is not; there is no “Windows Update” for a water pump or an IoT gateway.

Mythos will bring (very soon) a tsunami of newly discovered zero day and other vulnerabilities to IT systems as well as OT, IoT, ICS, and CPS. For IT we have mature and broadly deployed solutions for managing the upcoming tsunami of patches and credential changes that will need to be urgently applied. For the rest (the vast majority) of devices and systems, all but the most ahead-of-the-curve organizations lack solutions for OT/IoT/ICS/CPS patching and credential management at scale. This is where the true devastating impact of Mythos will land — not in the data center but on the factory floors, in the water treatment plants, and across the fleets of cameras and access control devices that organizations rely on. Urgent action is needed to ensure these devices can be patched quickly, automatically, and at scale.

Mythos can be expected to accelerate (at warp speed) many of the most impactful trends in cybersecurity.

  • The shift of ransomware from data to OT systems (pay us or we’ll collapse the energy grid).
  • Management of non-human identities becomes more important as Claude Mythos acts as an agent which must have governance and guardrails. Mythos doesn’t just find code bugs; it identifies architectural flaws in how machine-to-machine (M2M) communication occurs. If Mythos can act as an agent to hijack a device’s identity, the fix isn’t just a code patch — it’s a total re-governance of that device’s credentials.
  • The need for digital twins and more high fidelity data on how devices, systems, and networks interact with each other in order to enforce the necessary certificates and credentials to block exploitation.
  • Having responsible use of autonomous methods of remediation in order to match the speed of AI-driven threats.

While the speed at which Project Glasswing is coming together is impressive (and needed), the focus of Anthropic to engage only with large companies is misguided. In areas like OT and IoT security the “majors” like Cisco and Palo Alto Networks lack the focus and technology to enable automated or autonomous patching of OT/IoT systems. Generating an AI-powered “playbook” is a hollow victory if you lack the means to execute it.

To truly harden the world’s most vulnerable systems, Project Glasswing must move past the boardroom giants and collaborate with best-in-class innovators capable of taking action at the edge.

Morey Haber, Chief Security Advisor at BeyondTrust:

While the Mythos project may represent a leap ahead for cybersecurity vendors and the “good guys”, there are four very important aspects of the technology everyone should consider:

  1. The technology potentially can find a myriad of vulnerabilities in existing solutions that have been undiscovered for years (zero days). Once they are known, organizations must be prepared to prioritize remediation efforts before they leak, become zero day exploits, or are discovered by adversaries using similar technology. Considering the potential quantity that can be discovered, a race will be on to remediate them as fast as possible, potentially stressing existing development teams.
  2. Many organizations have contractual obligations to notify clients of any vulnerabilities discovered based on severity even before disclosure. Typically, a CVSS score of 9.0 will trip this clause in a contract. With this in mind, the Mythos preview may spawn a slew of private disclosures based on contractual obligations and impact the ability to remediate vulnerabilities based on any contractual SLAs. This is a potential repercussion from the first aspect to consider. The information may not legally stay within a vendor’s knowledge.
  3. Once this technology is available to the masses, many vulnerabilities may never see the light of a published CVE. Modern SaaS solutions rarely publish CVEs for cloud-based vulnerabilities that are fixed behind the scenes for all tenants. However, on-premise technology that is under change control of an organization will have to rely on vulnerability management solutions and published CVEs to identify missing patches. In my opinion, once the solution is used by technology deployed on-premise, organizations may experience a flood of findings that will need prioritization and remediation the old-fashioned way. In addition, any EOL technology might have a plethora of vulnerabilities that simply cannot be fixed and that represent new attack vectors that will need mitigation.
  4. Anthropic will gain the most from this preview edition. The solution will become smarter, trained on a wide variety of code, and it will be able to identify edge cases that can lead to new security risks and attack vectors. The preview will help train the technology using a wide variety of commercial solutions that would not previously ever have had source code exposed in this manner.

While I applaud the positioning of this new solution, the downstream ramifications need planning now, for everyone, as this solution will hit the mainstream sometime in the future.

Jason Schmitt, Chief Executive Officer at Black Duck:

First, let’s recall “defense in depth” as a security first principle that requires multiple levels of redundant security controls for effective protection. Ignoring all other cybersecurity domains for a moment, in the application domain there have always existed layered stacks of technology controls and layered/sequenced assurance approaches. Compilers and linters fix syntactical security and quality bugs on the fly. Simple, fast, cheap, effective. Perfect code coverage.

Our domain — code scanning tools used during the SDLC — identifies increasingly complex, multi-component semantic and data flow security bugs. Fuzzing fits here too. Finds more complex issues, less accurate, but can be done at large scale, repeatedly, e.g. on every build or commit. Finally, several other approaches that we can generalize as “offensive security” are responsible for finding anything that escapes the upstream SDLC countermeasures, predominantly business logic flaws and chained vulnerabilities. This includes penetration testing and bug bounty programs. Highly manual, expensive, doesn’t scale, but capable of finding extremely dangerous, otherwise undetectable security issues.

Mythos appears to be capable of entirely automating human-based pentesting and bug bounty instantiations of it in #3 above. I wouldn’t want to own a pentesting business now. The most troubling capability to me is the claim that it is highly effective at reverse engineering binaries, and identifying new exploits. That is breaking new ground in automated exploitation of arbitrary pieces of software, which DARPA has been funding research around for years.

Second, keying in on the discontinuity between detection and exploitation, this is an important point. It is not difficult to find something that matters; it’s extremely difficult to find everything that matters. The claim of finding a vulnerability in a codebase that has been scanned millions of times is not unusual at all. Different approaches find different types of flaws. This is why defense in depth exists. False positives get the most attention in discrediting tools, but false negatives — undetected serious vulnerabilities — are the most dangerous. I don’t think anyone can claim that Mythos or any model can identify every exploitable vulnerability, certainly not economically. That’s why these new claims don’t change the coexistence narrative of multiple approaches still being necessary.

Third, how things get fixed matters. Further to the point of exploitation and false positives vs false negatives. If something is not exploitable, then it’s not worth fixing, or should be prioritized behind everything that is exploitable. It’s not hard to find lots of vulnerabilities — the most valuable platform is one that ensures that everything exploitable gets fixed. If Mythos finds one sexy bug, but misses 10 others, then it’s no panacea. Perhaps if you remove time and cost as constraints, it’s possible for an LLM to reason over a 10 million line of code app and provably identify everything exploitable that matters.

Fourth, supply chain security attacks in recent weeks are CI/CD, infrastructure, cloud misconfiguration, coding and externalized dependency issues that are largely environmental, situational and temporal. An expanded form of SCA is required to address the rapidly evolving supply chain attacks.

The reason we focus so much on context as an important value is that it is essential to solving the challenge of prioritizing and remediating everything that matters. Without context, you have to fix every bug.

The complete platform is one that a) finds every exploitable vulnerability that matters, b) effectively remediates them as easily as possible, and c) can deterministically prove it.

Diana Kelley, Chief Information Security Officer at Noma Security: 

The initiative was formed around a single, urgent recognition: Anthropic had developed a model whose cybersecurity capabilities were strong enough that releasing it broadly without safeguards could cause serious harm. Rather than hold the model back entirely, Anthropic chose a third path: deploy it defensively, at scale, under structured conditions, before offensive actors develop equivalent capabilities.

Three practical priorities follow from this.

  1. First, assume vulnerability discovery will accelerate whether you want it to or not. Attackers will eventually access capabilities comparable to what is described here. That means investing in faster validation pipelines, tighter feedback loops between development and security, and clearer prioritization frameworks. Speed of response matters more when the window between discovery and exploitation is shrinking.
  2. Second, your pipeline flexibility matters more than it did before. Organizations that will benefit earliest from models like Mythos Preview are the ones that can integrate new tools into existing workflows quickly, without re-engineering their entire stack. If routing specific tasks, like deep code analysis and vulnerability discovery, to the most capable model available requires months of infrastructure work, you will consistently be slower than you need to be.
  3. Third, take a hard look at your legacy vulnerability backlog. The exceptions you’ve accepted as low-risk based on exploitation difficulty need to be reconsidered. Some of those exceptions were justified by the assumption that finding and exploiting the vulnerability required rare human expertise. That assumption is weakening. Thousands of exceptions may not be viable any longer.

Ram Varadarajan, CEO at Acalvio:

Mythos Preview marks a shift from theory to reality: AI can now find and link software flaws together to break through digital security entirely on its own. This mechanized approach moves much faster than the human teams currently defending our systems.

While initiatives like Project Glasswing try to organize defenses, they’re struggling to keep up: less than 1% of the flaws Mythos found have actually been fixed. Because other hackers can use similar AI to find these same holes, simply patching them one by one isn’t enough. We’ve reached a point where traditional, human-led security can no longer keep pace with automated attacks, forcing a total rethink of how we protect our data.

This confirms once again our bot-on-bot future in cybersecurity. 
