
    Claude Mythos and Project Glasswing: A Security Deep Dive for Developers

    Sam Moore
    April 8, 2026
    AI-discovered zero-day vulnerabilities hidden in critical software for decades, now exposed through Anthropic's Claude Mythos model and Project Glasswing coalition

    An AI model just found a 27-year-old OpenBSD bug, a 16-year-old FFmpeg flaw that five million automated tests missed, and a Linux kernel exploit chain that hands over full control of a machine. Anthropic calls the model Claude Mythos. The coalition built around it is Project Glasswing.

    What Are Claude Mythos and Project Glasswing?

    References to "Mythos" first surfaced last week when Claude Code's source code was accidentally leaked through npm, and now we know what it is. Claude Mythos Preview is a new unreleased frontier model from Anthropic. It's a general-purpose model in the same family as Claude Opus 4.6, built for coding and reasoning, but its ability to find and exploit software vulnerabilities is strong enough that Anthropic decided not to release it publicly. Over the past few weeks, Mythos has autonomously discovered thousands of zero-day vulnerabilities (flaws previously unknown to the software's developers), many of them critical, across every major operating system and every major web browser.

    Instead of releasing Mythos to the public, Anthropic formed Project Glasswing, a defensive security coalition that gives the model to the organizations responsible for the software the world runs on so they can find and fix vulnerabilities before attackers do. The coalition launched with twelve partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

    Collectively, these twelve companies cover major cloud infrastructure, both dominant mobile and desktop operating systems, core networking hardware, the Linux kernel, financial systems, and AI compute. Over 40 additional organizations that build or maintain critical software infrastructure have also received access.

    Anthropic is backing the effort with $100M in usage credits for Mythos Preview and $4M in direct donations to open-source security organizations.

    What Claude Mythos Actually Found

    The Anthropic red team blog lays out specific examples of what Mythos Preview can do. Three stand out:

    The OpenBSD crash. Mythos found a signed integer overflow in OpenBSD's TCP SACK implementation. The bug involved an unchecked SACK block start combined with signed integer wraparound when comparing TCP sequence numbers. An attacker could remotely crash any machine running the operating system by connecting to it. This vulnerability had been present since 1999 in an operating system famous for its security posture. OpenBSD's motto is literally "Only two remote holes in the default install."
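The OpenBSD finding above is a wraparound bug in how TCP sequence numbers are compared. The C snippet below is an added illustration of that bug class; it is constructed for this article and is not OpenBSD's code or the patched logic, which the post does not reproduce. It shows the naive raw comparison, the modular SEQ_LT idiom that BSD-derived stacks use and why its answer still cannot be trusted for an unvalidated attacker-supplied value, and a window-bounds check that accepts or rejects a SACK block using only unsigned arithmetic. The names snd_una and snd_max follow common BSD naming; the window values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Naive ordering: compares the raw 32-bit values. It is right only while
   the sequence space has not wrapped; after a wrap, a small number that is
   logically *after* a large one compares as "before". */
static bool seq_lt_naive(tcp_seq a, tcp_seq b)
{
    return a < b;
}

/* Modular ordering, the SEQ_LT idiom of BSD-derived stacks: unsigned
   subtraction wraps mod 2^32 by definition, and reinterpreting the result
   as a signed 32-bit value yields the sign of the shortest distance.
   The caveat that matters for the bug class in the text: the answer is
   only meaningful while |a - b| < 2^31. An attacker-chosen value can sit
   anywhere in the 32-bit space, so the result must not be trusted for
   input that has not been bounded first. (Casting a value >= 2^31 to
   int32_t is implementation-defined before C23; mainstream compilers
   treat it as two's complement.) */
static bool seq_lt(tcp_seq a, tcp_seq b)
{
    return (int32_t)(a - b) < 0;
}

/* Hardened acceptance check for one SACK block [start, end) received from
   the peer. Instead of trusting signed comparisons, every value becomes an
   unsigned offset from snd_una and the block must fit inside the window of
   outstanding data [snd_una, snd_max). All arithmetic is unsigned and well
   defined, and the check is exact for any window smaller than 2^32 bytes,
   so a block from the far side of the sequence space is rejected instead
   of being fed into later modular comparisons. */
static bool sack_block_valid(tcp_seq snd_una, tcp_seq snd_max,
                             tcp_seq start, tcp_seq end)
{
    uint32_t window = snd_max - snd_una;   /* bytes currently in flight */
    uint32_t off_s  = start - snd_una;     /* block start as an offset into the window */
    uint32_t off_e  = end - snd_una;       /* block end (exclusive) as an offset */

    if (window == 0)      return false;    /* nothing outstanding: no SACK can be valid */
    if (off_s >= window)  return false;    /* start lies outside [snd_una, snd_max) */
    if (off_e > window)   return false;    /* end lies beyond snd_max */
    if (off_e <= off_s)   return false;    /* empty or inverted block */
    return true;
}

int main(void)
{
    /* Constructed values: the send window straddles the 32-bit wrap. */
    tcp_seq snd_una = 0xFFFFFF00u, snd_max = 0x00000100u;

    printf("naive 5 < 0xFFFFFFF0: %d (wrong, 5 is after the wrap)\n",
           seq_lt_naive(5u, 0xFFFFFFF0u));
    printf("modular 0xFFFFFFF0 < 5: %d\n", seq_lt(0xFFFFFFF0u, 5u));
    printf("block [0xFFFFFFF0, 0x10) inside window: %d\n",
           sack_block_valid(snd_una, snd_max, 0xFFFFFFF0u, 0x10u));
    printf("block 2^31 away from snd_una inside window: %d\n",
           sack_block_valid(snd_una, snd_max, 0x7FFFFF00u, 0x7FFFFF10u));
    return 0;
}
```

The design point is that seq_lt alone gives the same answer for both orderings when two values are exactly 2^31 apart, which is why a stack must bound an attacker-supplied SACK block against its own window before any modular comparison touches it.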

    The FFmpeg codec flaw. In one of FFmpeg's most widely used codecs (H.264), Mythos identified a heap write vulnerability where a collision between slice numbering and a sentinel value caused out-of-bounds writes. The weakness had existed since 2003 but became exploitable after a 2010 refactor. Fuzzers hit the relevant code path five million times without triggering it, and human reviewers missed it for 16 years. Mythos found it autonomously.

    The Linux kernel privilege escalation. Mythos didn't just find a single bug here. It chained together multiple vulnerabilities to go from ordinary user access to full root control. The model combined KASLR bypasses, heap sprays, and use-after-free exploitation into a working privilege escalation chain. This is the kind of multi-step exploit that typically requires weeks of work from specialist security researchers.

    And these are just the examples Anthropic chose to publish because patches are already available. They've released cryptographic hashes for many more unpatched vulnerabilities, promising to disclose details once fixes ship.

    Why Anthropic Restricted the Claude Mythos Release

    Anthropic's reasoning: AI models can now match or surpass all but the most elite human security researchers at finding and exploiting vulnerabilities. If this capability reaches bad actors before defenders patch the existing holes, the fallout could be severe. Global cybercrime already costs roughly $500 billion a year.

    So they created Project Glasswing to give defenders a head start. After the initial $100M in credits runs out, Mythos Preview will be available to participants at $25 per million input tokens, $125 per million output tokens. Steep, but accessible for organizations with serious security budgets.

    Simon Willison called the restricted release "necessary," arguing the security risks are credible and not just marketing. He pointed to corroborating signals from across the security community. Greg Kroah-Hartman, the Linux kernel's stable branch maintainer, confirmed AI-discovered vulnerability reports are "good, and they're real." Daniel Stenberg, the maintainer of curl, said he's "spending hours per day on this now."

    Alex Stamos, currently CPO at AI-security firm Corridor and former CSO of Facebook, called Glasswing "a big deal, and really necessary," warning that open-weight models will match these capabilities "in something like six months."

    The Linux Foundation's involvement stands out. Jim Zemlin, their CEO, framed it as an equity problem: open-source maintainers whose software underpins critical infrastructure have historically been left to figure out security on their own. Most don't have access to expensive security teams. A model that finds vulnerabilities at scale could change that. Anthropic committed $2.5M to Alpha-Omega and OpenSSF through the Linux Foundation, plus $1.5M to the Apache Software Foundation. Maintainers can apply for access through the Claude for Open Source program.

    What Developers Should Do Now

    If you write software, three things should be on your radar.

    Your code will get scanned by AI, whether by Glasswing partners, by tools like Claude Code as they reach this capability level, or by attackers using the next open-weight model that crosses this threshold. The era where obscurity provided any security margin is ending. Code that "works fine" but has subtle memory safety issues, integer overflows, or logic bugs in authentication paths is going to get found.

    Open-source maintainers should apply for access. If you maintain software that others depend on, the Claude for Open Source program is worth looking into. The $4M in donations and the access to Mythos Preview represent real resources for projects that have historically run on volunteer effort.

    Secure-by-design practices matter more than ever. Memory-safe languages like Rust and Go eliminate entire classes of the vulnerabilities Mythos is finding. The FFmpeg bug is a textbook example of the kind of issue that memory-safe languages prevent at compile time. If you're still building security-sensitive software in C or C++, sanitizers and hardening are no longer optional. Language choice is now a security decision with concrete, measurable consequences.
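The FFmpeg finding described earlier (a sentinel value colliding with legitimate slice numbers, ending in an out-of-bounds write) and the secure-by-design advice above share one lesson: in-band magic values and unchecked indices are how a "works fine" C table turns into a memory-safety bug. The snippet below is an added, constructed illustration of that bug class beside its hardened form; it is not FFmpeg's code, and the slot table, SLOTS and SLICE_NONE are invented for the example. The vulnerable version returns the index it would have used instead of performing the store, so the defect is visible without executing an out-of-bounds write; in a real build, compiling with -fsanitize=address is what would catch the store the vulnerable design makes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SLOTS 4                 /* capacity of the slot table (constructed) */
#define SLICE_NONE 0xFFFFu      /* in-band "empty slot" marker in the vulnerable design */

/* --- Vulnerable pattern ------------------------------------------------
 * Emptiness is encoded in-band: owner[i] == SLICE_NONE means "free".
 * Once a real slice can carry the number 0xFFFF (for instance after a
 * refactor widened the slice counter), two things go wrong:
 *   1. a free slot looks as if it were owned by that slice, so its data
 *      lands in a slot that was never allocated to it;
 *   2. when nothing matches and nothing is free, the function returns
 *      SLOTS, and a caller that indexes with the result writes one element
 *      past the end of the table.
 * This version only returns the index, so the defect is observable
 * without an out-of-bounds store. */
static size_t slot_for_vuln(const uint16_t owner[SLOTS], uint16_t slice)
{
    for (size_t i = 0; i < SLOTS; i++)
        if (owner[i] == slice) return i;        /* also matches SLICE_NONE */
    for (size_t i = 0; i < SLOTS; i++)
        if (owner[i] == SLICE_NONE) return i;   /* first free slot */
    return SLOTS;                               /* out of range, unchecked by callers */
}

/* --- Hardened pattern ---------------------------------------------------
 * Emptiness is out of band (a separate flag), so no slice number is magic,
 * and failure is reported explicitly instead of as an index the caller
 * might use blindly. */
typedef struct {
    uint16_t owner[SLOTS];
    bool     used[SLOTS];
} slot_table_t;

static bool slot_for_safe(const slot_table_t *t, uint16_t slice, size_t *out)
{
    for (size_t i = 0; i < SLOTS; i++)
        if (t->used[i] && t->owner[i] == slice) { *out = i; return true; }
    for (size_t i = 0; i < SLOTS; i++)
        if (!t->used[i]) { *out = i; return true; }
    return false;   /* table full: the caller must drop or flush, never index */
}

/* Claims a slot for `slice` and returns its index, or -1 when the table is
   full. Every write to owner[]/used[] is guarded by slot_for_safe. */
static int claim_slot_safe(slot_table_t *t, uint16_t slice)
{
    size_t i;
    if (!slot_for_safe(t, slice, &i)) return -1;
    t->owner[i] = slice;
    t->used[i]  = true;
    return (int)i;
}

int main(void)
{
    /* Constructed inputs: a full table of four real slices. */
    uint16_t full[SLOTS] = {1, 2, 3, 5};
    printf("vulnerable lookup of slice 9 in a full table -> index %zu (SLOTS is %d)\n",
           slot_for_vuln(full, 9), SLOTS);

    uint16_t one_free[SLOTS] = {SLICE_NONE, 1, 2, 3};
    printf("vulnerable lookup of slice 0xFFFF -> slot %zu, a free slot mistaken for owned\n",
           slot_for_vuln(one_free, (uint16_t)SLICE_NONE));

    slot_table_t t = {{1, 2, 3, 5}, {true, true, true, true}};
    printf("hardened claim of slice 9 in a full table -> %d (refused)\n",
           claim_slot_safe(&t, 9));
    return 0;
}
```

The hardened form changes two things the text's advice is really about: the "empty" state lives in its own flag so the domain of valid slice numbers has no hole in it, and the capacity limit is enforced at the only place that hands out indices rather than left for each caller to remember.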

    The Upside and the Unease Around Mythos

    Not everyone is convinced this is straightforward good news. The optimism and the skepticism are both warranted.

    On the positive side, the economics of security research just changed. Anthropic deployed Mythos in isolated containers with source code access and a simple prompt: "Find security vulnerabilities." The model hypothesized where bugs might live, ranked files by likelihood, focused on high-probability targets, and tested its theories. A secondary agent verified each finding. Scanning the entire OpenBSD kernel cost under $20,000 and produced dozens of vulnerabilities. Individual complex exploits cost under $2,000 in Anthropic API pricing. A single zero-day on the open market can sell for hundreds of thousands of dollars.

    These benchmark gains show Mythos is not just good at finding bugs in a few cherry-picked examples; it appears stronger across a broader range of coding and security tasks:

    | Benchmark                             | Mythos Preview | Claude Opus 4.6 |
    |---------------------------------------|----------------|-----------------|
    | SWE-bench Verified                    | 93.9%          | 80.8%           |
    | SWE-bench Pro                         | 77.8%          | 53.4%           |
    | CyberGym (vulnerability reproduction) | 83.1%          | 66.6%           |
    | Terminal-Bench 2.0                    | 82.0%          | 65.4%           |
    | SWE-bench Multilingual                | 87.3%          | 77.8%           |

    On the other side, the concerns are real.

    The dual-use problem hasn't gone away. The model exists. Anthropic controls who gets access today, but the underlying capability will proliferate. Other labs are close. Stamos himself estimated a six-month timeline for open-weight models to reach comparable performance. Project Glasswing buys time, but the question is whether defenders can use that time effectively enough.

    Power centralization is a real concern. One private company now possesses working zero-day exploits for most of the world's critical software. Platformer noted this creates significant theft incentives for the model weights. If a state actor compromised Anthropic's systems and extracted Mythos, the damage could be catastrophic.

    The "too dangerous to release" framing has marketing upside. AI labs have learned that positioning a model as dangerous generates attention and perceived capability. OpenAI did it with GPT-2 in 2019. The difference here is that Anthropic is backing it up with specific, verifiable vulnerability discoveries and a $100M commitment. But the incentive structure is worth noting.

    Where Glasswing and Mythos Are Heading

    Thomas Ptacek, one of the most respected voices in application security, wrote an essay titled "Vulnerability Research Is Cooked" in response to the announcement. The skill that defined an entire generation of security researchers, reading code and spotting subtle flaws that automated tools miss, is now something an AI can do at scale for $2,000. Software security is becoming a race between AI-assisted defenders and AI-assisted attackers. Anthropic has committed to publishing a public report within 90 days on what they've learned, vulnerabilities fixed, and recommendations for how security practices should evolve.

    For ordinary development teams, the takeaway is practical: the bar for what counts as "secure enough" just went up. Code that survived years of human review and automated testing is getting flagged now. Whether you're building a side project or maintaining infrastructure that others depend on, the tools that find your bugs are getting better faster than most teams are improving their defenses. The time to close that gap is before someone else finds the holes for you.
