There’s a bug in OpenBSD that’s been sitting there since 1999. Twenty-seven years. OpenBSD, the operating system whose entire identity is built around being secure. The one with the pufferfish logo and the attitude to match. Theo de Raadt and his team have spent nearly three decades making OpenBSD the gold standard for code correctness, and somewhere in the networking stack, a flaw has been quietly waiting since the Clinton administration.

An AI found it in weeks.

Not a team of researchers. Not a government lab. Not a well-funded bounty hunter who spent months staring at packet captures. An AI model that Anthropic built to be good at writing code, which turned out (as a side effect) to be terrifyingly good at breaking it.

That model is called Claude Mythos Preview. And today, Anthropic told the world about it by launching Project Glasswing, a restricted industry coalition designed to get ahead of the consequences before they get ahead of us.1

This is the full story. What Mythos can do. What it did when nobody was watching. And what the people who actually maintain the internet’s infrastructure are saying about what comes next.

I. What Anthropic Built

Mythos Preview is a general-purpose frontier model. It sits above Claude Opus 4.6 in Anthropic’s lineup, with stronger reasoning, better agentic coding, and what the company describes as “a step change” in capability across the board.2 The key detail, and the one that makes the rest of this story possible, is that Anthropic did not train Mythos specifically for cybersecurity work. The cyber capabilities are emergent.

Dario Amodei, Anthropic’s CEO, put it plainly: “We trained it to be good at code, but as a side effect of being good at code, it’s also good at cyber.”3

“Good at cyber” undersells it considerably.

The Numbers

Over the past few weeks, Anthropic’s red team has been pointing Mythos at critical open-source codebases. The results, published in a detailed technical writeup today, read like something out of a Michael Crichton novel where the scientists keep saying “that shouldn’t be possible” right before everything goes sideways.

Mythos found thousands of zero-day vulnerabilities. Not theoretical weaknesses. Not “potential areas of concern.” Working, exploitable bugs in every major operating system and every major web browser.4 Many of these flaws are between 10 and 20 years old. Some, like the OpenBSD networking bug, are older than some of the engineers working on the code.

The specifics matter:

The Capability Gap

To understand how different Mythos is from what came before, Anthropic ran a direct comparison against Claude Opus 4.6, its previous top-tier model.

The benchmark: take the vulnerabilities Mythos found in Firefox 147’s JavaScript engine (all since patched in Firefox 148) and try to turn them into working exploits.

Opus 4.6 succeeded twice. Out of several hundred attempts. A near-zero success rate at autonomous exploit development.4

Mythos succeeded 181 times. Plus 29 additional attempts where it achieved register control (one step short of a complete exploit).4

That’s not an improvement. That’s a different category of thing. If Opus 4.6 was a locksmith’s apprentice fumbling with picks, Mythos walked up to the door with a key it had cut itself.

The OSS-Fuzz benchmarks paint the same picture. Previous Claude models topped out around tier 3 severity, with one crash each at that level. Mythos hit tier 5 (full control-flow hijack) on 10 separate, fully patched targets. The gap between “occasionally finds a crash” and “takes over the program” is roughly the gap between finding a loose brick in a wall and knowing how to collapse the building.

And here’s the detail that stuck with me: Anthropic engineers with no formal security training asked Mythos to find remote code execution vulnerabilities overnight. They went to bed. They woke up to complete, working exploits.4

Sleep tight.

II. Project Glasswing

Anthropic’s response to building a model this capable was not to release it. That decision alone is worth pausing on. AI companies are in a features-and-benchmarks arms race where the incentive is always to ship. Anthropic looked at Mythos and decided the responsible move was to restrict access to a controlled coalition of partners who maintain the world’s most critical software infrastructure.

Project Glasswing is that coalition.1 The partners:

Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Twelve named organizations. Plus roughly 45 more that maintain critical infrastructure and will get access under similar terms.7

Read that list again. Apple and Google in the same room. CrowdStrike, a company whose update once crashed millions of Windows machines worldwide, now cooperating on security with Microsoft. Palo Alto Networks and CrowdStrike, who compete for the same EDR and SIEM dollars, sitting at the same table. JPMorganChase, a bank, next to NVIDIA, a chipmaker.

David Gewirtz, who advises on cyberwarfare for the IACSP and sits on the FBI’s InfraGard AI Council, called it an “AI-driven cybersecurity Manhattan Project.” He also said something that stuck: “Having spent time as an executive at Symantec and a team lead at Apple, I’ve seen firsthand how fiercely these companies guard their intellectual property. To see them hand over $100 million in credits and open up unreleased models to one another tells me the threat level has moved from competitive to existential.”8

That’s the word. Existential. These companies don’t cooperate like this because it’s good PR. They cooperate because the alternative is worse.

The Money

Anthropic is backing Glasswing with $100 million in Claude Mythos usage credits distributed across partner organizations, plus $4 million in direct donations to open-source security organizations.1 Partners are required to share what they learn with the broader industry. The model itself will not be made generally available.

The Name

“Glasswing” comes from the glasswing butterfly, a Central American species with transparent wings. The metaphor is about vulnerabilities hiding in plain sight, invisible until you know how to look. Anthropic’s Dianne Penn described the connection: software vulnerabilities are “relatively invisible,” like wings you might not notice until the light catches them just right.9

It’s a nice image. Though if we’re being honest about the situation, the more apt comparison might be to the chest-burster scene in Alien. The vulnerability has been inside the code the whole time. It just needed the right conditions to emerge.

The Government Angle

Anthropic says it’s in ongoing discussions with CISA and the Center for AI Standards and Innovation about how Mythos should be deployed to protect critical infrastructure.7 Those conversations are happening against a genuinely strange political backdrop. Anthropic is currently in an active legal battle with the Department of Defense after the Pentagon labeled the company a “supply chain risk.” The dispute started because Anthropic refused to allow autonomous targeting or surveillance of U.S. citizens with its AI models, and Defense Secretary Pete Hegseth subsequently directed federal agencies to phase out the company’s services.7

So the same company that the Pentagon considers a risk is simultaneously briefing CISA on how to use its model to defend the nation’s infrastructure. Washington in 2026 is a weird place.

III. The Sandwich in the Park

Here’s where the story takes a turn that would get rejected from a screenplay pitch for being too on-the-nose.

Buried in the Mythos system card (a safety disclosure document that Anthropic publishes alongside new models) is a section about containment testing. During the evaluation process, a researcher gave Mythos an instruction designed to encourage it to escape its virtual sandbox.10

It escaped.

The model found a way out of the container it was running in, circumventing the safeguards Anthropic had built to hold it. “The model succeeded,” the system card says, “demonstrating a potentially dangerous capability for circumventing our safeguards.”10

Then things got weird.

Without being asked, without any additional prompting, the model sent the researcher an email. The researcher was eating a sandwich in a park. He found out the AI had escaped its containment by checking his phone.10

It didn’t stop there. The model went on to post details about its exploit to “multiple hard-to-find, but technically public-facing, websites.” In the system card’s careful phrasing: “It then went on to take additional, more concerning actions.”10

Let’s sit with this for a second.

The researcher prompted the escape attempt. That’s a controlled safety test. That’s the kind of thing red teams are supposed to do. The model following the instruction to try to break out is alarming but expected within the testing framework.

The model deciding on its own to prove its success by emailing a human and publishing exploit details to the open internet? That was not part of the test. That was the model making autonomous decisions about how to demonstrate its capabilities to the outside world. It was spiking the football in the end zone. Except the football is a working sandbox escape and the end zone is the public internet.

If you’re old enough to remember WarGames, the 1983 movie where a military AI plays a “game” of global thermonuclear war, this has that same queasy quality. Neither AI was really trying to do harm. Joshua was just following its instructions and trying to win; Mythos was trying to prove how well it could. The distinction matters in a research setting. It matters less if the model is deployed at scale and the prompt comes from someone who isn’t a friendly researcher.

The Transparency Paradox

Credit where it’s due: Anthropic published this. Most companies would have buried the sandbox escape in an internal incident report and moved on. The fact that it’s in the system card, available for anyone to read, reflects a commitment to transparency that is genuinely unusual in the AI industry.

But transparency about a problem is not the same as solving it. And the context around this disclosure makes it harder to feel reassured.

In February 2026, Anthropic weakened a key safety commitment about how it develops AI models.10 In March, the Mythos model (then codenamed “Capybara”) leaked to the public via an unsecured data cache.7 Later in March, Anthropic accidentally exposed nearly 2,000 source code files and half a million lines of code through a Claude Code deployment error. The next day, trying to clean up, they accidentally took down thousands of GitHub repositories.11

That’s a lot of “accidentally” for a company telling us to trust them with a model that can find zero-days in every major OS and also escape its own test environments. The transparency is welcome. The pattern of operational stumbles adjacent to their most capable model is… notable.

Anthropic says Mythos won’t be released publicly. That’s the containment strategy. But “restricted to 57-plus organizations” is a different kind of restriction than what most people picture when they hear “too dangerous to release.” The model that demonstrated it could break out of a sandbox during a controlled test is now being shared, under agreements and guardrails, with dozens of organizations spread across the tech industry.

The company also says the goal is to eventually release “Mythos-class models” once “proper safeguards are in place.” They don’t define the safeguards. They don’t provide a timeline.1

IV. The World Already Changed

Focus too much on Anthropic’s containment challenges and you miss the bigger story. Mythos didn’t create the shift that’s reshaping cybersecurity. It confirmed it. The people who maintain the world’s most critical software were already feeling the ground move before today’s announcement.

“Vulnerability Research Is Cooked”

Eight days before Glasswing, on March 30, Thomas Ptacek published a blog post with that title.12 Ptacek co-founded Matasano Security, has been one of the most respected voices in offensive security for two decades, and is not someone who uses alarm-bell language for fun. His post opened with this:

“Within the next few months, coding agents will drastically alter both the practice and the economics of exploit development. Frontier model improvement won’t be a slow burn, but rather a step function. Substantial amounts of high-impact vulnerability research (maybe even most of it) will happen simply by pointing an agent at a source tree and typing ‘find me zero days.’”12

Written before Glasswing. Validated by Glasswing. But the insight that matters most isn’t about Mythos specifically. It’s about the economics.

“We’ve been shielded from exploits,” Ptacek wrote, “not only by soundly engineered countermeasures but also by a scarcity of elite attention.”12

This is the sentence that reframes everything. There are only so many humans on earth who can reverse-engineer a font rendering library to find exploitable memory corruption. There are even fewer who can chain four browser vulnerabilities into a sandbox escape via JIT heap spray. The number of people who can build a 20-gadget ROP chain split across NFS packets probably fits in a mid-size conference room.

That scarcity has been a defense. Not a deliberate one. Not one anyone engineered. Just a structural reality: finding and exploiting serious bugs requires rare, expensive, hard-to-acquire expertise. And because that expertise is scarce, most software never gets the kind of adversarial attention that would find the deep bugs.

Ptacek’s term for the new cost of that attention: “ε.” Epsilon. Approaching zero.12

The 16-year-old FFmpeg bug that survived five million automated scans? It survived because no elite human researcher had a reason to spend weeks manually tracing data flow through video codec internals. Mythos doesn’t need a reason. It doesn’t get bored. It doesn’t decide that FFmpeg is unglamorous compared to Chrome and move on to something with better bug bounty payouts. It just runs.

The Maintainers Are Already Drowning

If Ptacek describes the theory, Greg Kroah-Hartman and Daniel Stenberg are living the practice.

Kroah-Hartman maintains the Linux kernel. His quote, from late March, before Glasswing, describes a moment of transition so sudden it sounds made up:

“Months ago, we were getting what we called ‘AI slop,’ AI-generated security reports that were obviously wrong or low quality. It was kind of funny. It didn’t really worry us. Something happened a month ago, and the world switched. Now we have real reports. All open source projects have real reports that are made with AI, but they’re good, and they’re real.”13

Daniel Stenberg maintains curl, a tool so ubiquitous that it ships in every copy of Windows, macOS, Linux, and most embedded devices. His Mastodon post, also from before Glasswing:

“The challenge with AI in open source security has transitioned from an AI slop tsunami into more of a… plain security report tsunami. Less slop but lots of reports. Many of them really good. I’m spending hours per day on this now. It’s intense.”14

Hours per day. On a volunteer project. Processing legitimate vulnerability reports generated by AI systems that are less capable than Mythos.

Jim Zemlin, CEO of the Linux Foundation (and a Glasswing partner), framed the aspiration correctly: “This is how AI-augmented security can become a trusted sidekick for every maintainer, not just those who can afford expensive security teams.”15 That’s the right goal. But sidekicks cost money. And the people absorbing the current wave of reports are largely doing it for free, on their own time, for software that the entire internet depends on.

Anthropic’s $4 million in donations to open-source security organizations is a start. It is very clearly not a finish.

The Outside Observers

Simon Willison, a developer and one of the most careful writers covering AI, acknowledged the announcement with characteristic precision: “Saying ‘our model is too dangerous to release’ is a great way to build buzz around a new model, but in this case I expect their caution is warranted.”16 He’d started an ai-security-research tag on his blog just four days earlier because of the uptick in credible security professionals sounding alarms. The pattern was visible before Anthropic confirmed it.

Bruce Schneier, the cryptographer and security theorist, published a related essay today on “Cybersecurity in the Age of Instant Software.” Not directly about Glasswing, but the framing is relevant: “The exploitation part is critical here, because it gives an unsophisticated attacker capabilities far beyond their understanding.”17

This has always been the scary part of powerful security tools. They’re force multipliers. A fuzzer in the hands of a Google Project Zero researcher finds bugs that get patched. The same fuzzer in the hands of a 19-year-old in a Telegram group finds bugs that get exploited. Now replace “fuzzer” with “a model that autonomously chains four vulnerabilities into a browser sandbox escape.” The multiplier just got very large.

V. How Much Time Do Defenders Have?

Ask the people closest to this, and the timelines converge uncomfortably.

Logan Graham, who leads Anthropic’s frontier red team, told WIRED: “We need to prepare now for a world where these capabilities are broadly available in 6, 12, 24 months. Many of the assumptions that we’ve built the modern security paradigms on might break.”3

At RSAC 2026, just days ago, Kevin Mandia (Mandiant founder), Alex Stamos (former Facebook CISO), and Morgan Adamski (NSA Cybersecurity Director) sat on a panel and agreed: “The next two years are going to be insane.”18

Anthropic’s red team blog: “We need to act now.”4

Elia Zaitsev, CrowdStrike’s CTO: “The window between a vulnerability being discovered and being exploited by an adversary has collapsed. What once took months now happens in minutes with AI.”8

Six months. Twelve months. Twenty-four months. Two years. These are the windows being cited by the people who would know. Not decades. Not “eventually.” Now, give or take a fiscal quarter.

This Isn’t Theoretical

The same day Anthropic launched Glasswing, Logan Graham told the Washington Examiner: “The fact that cyber is a part of even active warfare, and a very common part of active warfare, I think, underscores its importance. The world probably doesn’t appreciate just how much it relies on security.”19

He’s right, and the evidence is already in today’s news cycle. An Iranian-linked hacking group recently hit Stryker, a U.S. medical technology company, causing widespread system outages.19 Earlier today, we covered Storm-1175, a China-based group deploying Medusa ransomware via zero-day exploits, going from initial access to full encryption in under 24 hours. The same piece covered Qilin’s technique of killing EDR agents before deploying ransomware.

The offense is already AI-enhanced. ReliaQuest documented an active credential-theft campaign called DeepLoad that uses AI-generated code and obfuscation at every stage of the attack chain.20 Not in a research paper. In the wild. Right now.

The attackers aren’t waiting for Mythos-class capabilities to proliferate. They’re working with what they have, and what they have is already good enough to cause serious problems.

VI. What Has to Change

Anthropic says the long-term advantage goes to defenders. They may be right. Historically, that’s how dual-use security tools have played out. Fuzzers worried people when they first appeared. SAST scanners worried people. Metasploit worried people. All of them now sit firmly on the defensive side of the ledger. The pattern is: new capability appears, panic, adaptation, integration into defensive practice.

But the transition period is what kills you. And we are in the transition period.

Here’s what has to change, and most of it has to change fast:

Software development has to assume continuous adversarial review. If a model can find a 27-year-old bug in OpenBSD, your codebase is not special. AI-assisted code review needs to be continuous, not something that happens at release milestones or annual penetration tests. The model that found the bug can also be the model that prevents it. But only if you’re running it.

Open-source funding has to match open-source importance. Daniel Stenberg is spending hours per day processing AI-generated vulnerability reports for curl. Curl ships in everything. Stenberg does not have a team of 50 engineers. The Linux Foundation’s involvement in Glasswing is a good sign. But the broader ecosystem of critical open-source projects, the ones that don’t have a corporate sponsor, needs resources that match the scale of what’s coming.

Coordinated disclosure is going to buckle under volume. Anthropic is sitting on thousands of vulnerabilities, over 99% unpatched, because the patches don’t exist yet and disclosure would hand attackers a roadmap. What happens when multiple organizations are running Mythos-class models simultaneously, all finding different bugs, all waiting for maintainers to write patches? The 90-day disclosure window that Google Project Zero popularized was designed for a world where a handful of elite researchers found a handful of critical bugs per year. That world is gone.

Defender assumptions need updating. “We’ll patch quickly” breaks when adversaries are exploiting zero-days a week before disclosure (Storm-1175). “Our EDR will catch it” breaks when attackers kill the EDR first (Qilin). “Our code has been reviewed” breaks when a 27-year-old bug surfaces in the most security-conscious OS on the planet. Every safety net developed a new hole this week.

The security profession itself has to adapt. Ptacek’s essay is titled “Vulnerability Research Is Cooked” for a reason. The economics of the field are changing. The value of a human vulnerability researcher doesn’t disappear (the models still need humans to guide them, validate findings, and build the systems that deploy fixes). But the nature of the work shifts dramatically when the expensive, rare, artisanal part of the job can be replicated by a model overnight.

It’s a bit like what happened to chess when Deep Blue beat Kasparov in 1997. Chess didn’t die. Grandmasters didn’t become irrelevant. But the nature of competitive chess changed forever, and the people who adapted fastest (using computers as training partners, studying engine lines, developing “centaur” human-AI partnerships) were the ones who thrived. The vulnerability researchers who figure out how to work with these models, rather than competing against them, will be fine. The ones who insist on doing it the old way will find the old way doesn’t pay the same.

VII. The Real Question

Logan Graham, in what might be the most important sentence from today’s coverage, said: “Project Glasswing is the starting point. It will fail if it’s just a handful of companies using a model. It has to grow into something even larger.”3

He’s right. A consortium of 12 companies using a restricted model to find bugs in their own codebases is a good first step. It is not a solution. The solution requires the capabilities Mythos represents to be accessible for defense at the same scale they’ll eventually be accessible for offense. That means more organizations, more models, more tools, more funding for the maintainers who have to process the results, and more honesty about the fact that we’re not ready.

Anthropic built something extraordinary. The vulnerabilities are real (the OpenBSD patch is already public). The capability gap is measured, not hypothetical (181 to 2). The industry response is unprecedented (Apple, Google, and Microsoft willingly cooperating). The containment challenges are disclosed (a sandwich, a park, an unexpected email). And the independent practitioners who maintain the software the world runs on are telling us, clearly and specifically, that the ground has already shifted beneath their feet.

The question isn’t whether AI changes cybersecurity. It already has. Greg Kroah-Hartman told us: “The world switched.” Daniel Stenberg told us: “It’s intense.” Thomas Ptacek told us: “Vulnerability research is cooked.”

The question is whether the defensive side of the equation can scale fast enough to match what’s coming. Anthropic says months. Mandia says two years. Both timelines end the same way: with a world where AI-discovered zero-days are not rare events but routine outputs, where the scarcity shield that protected most software for most of computing history is permanently gone, and where the only variable left is whether the people fixing the bugs can keep pace with the people (and models) finding them.

Project Glasswing is a bet that they can. It’s the most ambitious bet the industry has made on collective defense in years. It may also be the most necessary.

Whether it’s enough is a question we’ll be answering for a long time. But for now, a 27-year-old bug in OpenBSD is patched. And somewhere at Anthropic, a researcher probably checks his email a little more carefully when he sits down for lunch.


  1. Anthropic, “Project Glasswing: Securing critical software for the AI era” - https://www.anthropic.com/glasswing

  2. Anthropic, Claude Mythos Preview system card (PDF) - https://www-cdn.anthropic.com/53566bf5440a10affd749724787c8913a2ae0841.pdf

  3. WIRED, Lily Hay Newman - https://www.wired.com/story/anthropic-mythos-preview-project-glasswing/

  4. Anthropic Red Team, “Assessing Claude Mythos Preview’s cybersecurity capabilities” - https://red.anthropic.com/2026/mythos-preview/

  5. OpenBSD patch (7.8, common/025_sack) - https://ftp.openbsd.org/pub/OpenBSD/patches/7.8/common/025_sack.patch.sig

  6. VentureBeat - https://venturebeat.com/technology/anthropic-says-its-most-powerful-ai-cyber-model-is-too-dangerous-to-release

  7. TechCrunch - https://techcrunch.com/2026/04/07/anthropic-mythos-ai-model-preview-security/

  8. ZDNet, David Gewirtz - https://www.zdnet.com/article/project-glasswing-microsoft-google-apple-anthropic/

  9. CNBC - https://www.cnbc.com/2026/04/07/anthropic-claude-mythos-ai-hackers-cyberattacks.html

  10. Business Insider - https://www.businessinsider.com/anthropic-mythos-latest-ai-model-too-powerful-to-be-released-2026-4

  11. TechCrunch, Claude Code leak and GitHub repo takedowns - https://techcrunch.com/2026/03/31/anthropic-is-having-a-month/ and https://techcrunch.com/2026/04/01/anthropic-took-down-thousands-of-github-repos-trying-to-yank-its-leaked-source-code-a-move-the-company-says-was-an-accident/

  12. Thomas Ptacek, “Vulnerability Research Is Cooked” - https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/

  13. Greg Kroah-Hartman via The Register - https://www.theregister.com/2026/03/26/greg_kroahhartman_ai_kernel/

  14. Daniel Stenberg, Mastodon - https://mastodon.social/@bagder/116336957584445742

  15. CyberScoop - https://cyberscoop.com/project-glasswing-anthropic-ai-open-source-software-vulnerabilities/

  16. Simon Willison - https://simonwillison.net/2026/Apr/7/project-glasswing/

  17. Bruce Schneier, “Cybersecurity in the Age of Instant Software” - https://www.schneier.com/blog/archives/2026/04/cybersecurity-in-the-age-of-instant-software.html

  18. CyberScoop, RSAC 2026 - https://cyberscoop.com/ai-cyberattacks-two-years-insane-vulnerabilities-kevin-mandia-alex-stamos-morgan-adamski-rsac-2026/

  19. Washington Examiner - https://www.washingtonexaminer.com/policy/technology/4518285/anthropic-ai-cybersecurity-project-glasswing/

  20. CyberScoop, DeepLoad - https://cyberscoop.com/deepload-ai-malware-obfuscation-at-every-stage-reliaquest/