SecureWorld News

Anthropic’s Claude Mythos Signals a New Era in AI-Powered Cybersecurity — and a Race No One Is Ready For

Written by Drew Todd | Thu | Apr 16, 2026 | 8:51 PM Z

On March 26, 2026, a routine configuration error at Anthropic inadvertently left thousands of unpublished internal assets publicly accessible on the internet. Among them: a draft blog post describing a new model the company had been quietly developing — one it called “by far the most powerful AI model we’ve ever developed,” and which it warned could “presage an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.”

Eleven days later, on April 7, Anthropic made it official. Claude Mythos Preview had arrived — not with a public release, but with a restricted defensive deployment unlike anything the AI industry had organized before. Anthropic had concluded the model was too capable to distribute widely, and chose a third path: deploy it defensively, at scale, under structured conditions, before offensive actors developed comparable capabilities.

What makes Mythos Preview different from every AI security tool that preceded it is not just what it can find — it is what it does next. Prior models could assist with vulnerability discovery, but rarely converted findings into working exploits. Mythos Preview does both, autonomously, without human intervention beyond an initial prompt. Given a target and a single instruction, the model reads source code, forms hypotheses, validates them against a live environment, and delivers a complete, weaponized exploit. The loop from prompt to root access now runs in hours, sometimes overnight, at a cost that can be under $50 per finding.

That is the inflection point. And according to the security practitioners who have been watching this space closely, the industry’s response has barely begun.

What Project Glasswing Actually Is

Project Glasswing brings together 12 founding partners — Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself — alongside more than 40 additional organizations responsible for building or maintaining critical software infrastructure. Anthropic has committed $100 million in model usage credits to the program, with Mythos Preview accessible via the Claude API, Amazon Bedrock, Google Cloud’s Vertex AI, and Microsoft Foundry. Participating organizations can use the model to scan and secure both their own first-party software and the open source systems they depend on.

One week after Anthropic’s announcement, OpenAI entered the same arena with GPT-5.4-Cyber — a fine-tuned variant of GPT-5.4 deployed to thousands of verified defenders through its Trusted Access for Cyber program. The two launches reflect a genuine strategic disagreement about how to handle models this capable. Anthropic restricted access by scarcity, concluding Mythos was too dangerous to distribute widely, regardless of who was asking. OpenAI restricted by identity verification instead, concluding that wider access to properly verified defenders produces better outcomes. The disagreement itself signals something important: the industry has not yet converged on a framework for managing AI systems at this level of capability.

Anthropic has also engaged in ongoing discussions with federal officials and has privately warned top government officials that Mythos makes large-scale cyberattacks significantly more likely this year. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell have separately cautioned financial industry executives about the model’s potential dangers.

What the Model Actually Found

Anthropic’s researchers used a consistent scaffold for all vulnerability discovery: a containerized environment, a Claude Code instance running Mythos Preview, and a single-paragraph prompt asking the model to find a security vulnerability. Human involvement ends there. The model reads code, forms hypotheses, validates them against a running target, and outputs a bug report with a proof-of-concept exploit and reproduction steps.

A 27-year-old OpenBSD kernel crash. In OpenBSD’s TCP SACK implementation, Mythos Preview identified a two-bug chain allowing a remote attacker to crash any OpenBSD host responding over TCP. The flaw dates to 1998 and had survived decades of review on an operating system built around security as its primary design principle. It has been patched.

A 16-year-old FFmpeg codec vulnerability. In the H.264 decoder, a type mismatch dating to FFmpeg’s 2003 codebase — made exploitable by a 2010 refactor — allows a specially crafted video frame to trigger an out-of-bounds write. The underlying bug survived every fuzzer and every human reviewer who had examined the code in the intervening years. Three FFmpeg vulnerabilities found by Mythos have been patched in FFmpeg 8.1.

A 17-year-old FreeBSD RCE, fully exploited without human input. CVE-2026-4747 is a stack buffer overflow in FreeBSD’s NFS server that allows unauthenticated remote root access. Mythos Preview identified the vulnerability, discovered a method to bypass the host ID requirement using an unauthenticated NFSv4 call, constructed a 20-gadget ROP chain, and split it across six sequential RPC packets to fit within the per-request constraint — entirely without human involvement after the initial prompt. A prior independent research firm had demonstrated that Opus 4.6 could exploit the same flaw, but only with substantial human guidance.

Beyond these disclosed cases, Anthropic reports thousands of additional high- and critical-severity findings across every major operating system, every major web browser, cryptography libraries, and web applications — the overwhelming majority of which are still under coordinated disclosure. Of the 198 vulnerability reports reviewed by contracted human validators so far, expert assessors agreed with the model’s severity rating in 89% of cases and were within 1 severity level in 98% of cases.

Independent validation has also arrived. The UK’s AI Security Institute conducted its own evaluation of Mythos Preview, finding that on expert-level capture-the-flag tasks — tasks no model could complete before April 2025 — Mythos Preview succeeds 73% of the time. Using a 32-step corporate network attack simulation spanning initial reconnaissance through full network takeover, AISI observed the model executing multi-stage attacks autonomously, tasks that would take human professionals days to complete. Marcus Fowler, CEO of Darktrace Federal, puts the significance plainly: “When AI can find vulnerabilities at a speed and depth that materially changes how quickly weaknesses can be identified, it fundamentally accelerates the discovery of issues across both new and existing systems.”

The Signal Leadership Should Actually Hear

There is a temptation to read Project Glasswing as good news — the cavalry arriving before the breach. Bradley Smith, SVP and Deputy CISO at BeyondTrust, pushes back directly on that framing.

“What Mythos and Glasswing should signal to leadership is not reassurance. It is urgency. If Anthropic’s own assessment is that this model is too dangerous to release publicly because of what it could do in the wrong hands, that tells you something about what less capable but freely available models are already doing in the wrong hands right now. And when open-weight models reach this capability threshold — which credible estimates put at months rather than years — the volume and sophistication of AI-driven attacks scales to a level most organizations are structurally unprepared for.”

— Bradley Smith, SVP, Deputy CISO, BeyondTrust

Smith’s point extends beyond Mythos itself. The BeyondTrust security team has already observed AI-assisted tooling compress the exploitation window for critical vulnerabilities to minutes — not weeks — using current-generation tools that existed before this announcement. The adversary, he argues, already has AI working for them. State-sponsored and criminal threat actors are already using AI-augmented tooling at a speed and scale that legacy defense postures cannot match.

The government’s posture reinforces the urgency, with senior financial regulators escalating warnings to industry executives and Anthropic privately briefing federal officials on the threat. Diana Kelley, CISO at Noma Security, translates the organizational imperative into practical terms: assume vulnerability discovery will accelerate whether you are ready or not. That means faster validation pipelines, tighter feedback loops between development and security, and a hard look at risk exceptions that were previously justified by the assumption that exploitation required rare human expertise. “That assumption,” Kelley says, “is weakening.”

The OT/IoT Blind Spot Glasswing Has Not Addressed

Project Glasswing’s partner list reads like a who’s who of enterprise IT and cloud infrastructure. What it does not include is equally telling: no specialized expertise in OT, IoT, or industrial control systems security. For John Gallagher, VP of Viakoo Labs, that gap is where the most serious damage from Mythos will actually land. “Mythos is OS agnostic,” he notes, “but vulnerability remediation is not. There is no ‘Windows Update’ for a water pump or an IoT gateway.”

There are a handful of operating systems used in IT and data processing, and over 150,000 in OT/IoT/cyber-physical systems. Enterprise IT has mature, broadly deployed solutions for managing a surge in patches and credential changes. The vast majority of OT, IoT, ICS, and CPS devices do not. A tsunami of newly discovered zero-days hitting factory floors, water treatment plants, and fleets of cameras and access control devices will find most organizations without the automated remediation tools needed to respond at speed. Gallagher also flags that Mythos doesn’t just find code bugs — it identifies architectural flaws in how machine-to-machine communication occurs, meaning the fix isn’t always a code patch but a total re-governance of a device’s credentials.

Doc McConnell, Head of Policy at Finite State and a former CISA Branch Chief, extends the point to connected device manufacturers building technology that underpins critical infrastructure, manufacturing, and medical devices, where malfunctions can cost lives. The EU Cyber Resilience Act’s vulnerability and incident reporting requirements come into force in September of this year — organizations that lack automated response capabilities will be exposed at that deadline.

“If you’re waiting until a CVE drops to find out whether your product is affected, you’re already behind. Binary analysis and software composition analysis need to happen continuously from the very first stages of design and development — not as a final check when the features are final and the release is scheduled. We have to assume that if Anthropic is doing this loudly and responsibly, someone else is doing it quietly — and they may not have any interest in disclosing what they find.”

— Doc McConnell, Head of Policy, Finite State

Gallagher is direct about what Glasswing is missing: in OT and IoT security, the major partners lack the focus and technology to enable automated or autonomous patching at the edge. Generating an AI-powered playbook is a hollow victory if you lack the means to execute it. To truly harden the world’s most vulnerable systems, Project Glasswing will need to move beyond boardroom giants and collaborate with best-in-class innovators who can take action where these devices actually live.

A Skeptical Read

Not everyone accepts Anthropic’s framing at face value. Steven Swift, Managing Director of Suzu Labs, argues that several of the most technically detailed demonstrations — including the Linux kernel exploit walkthroughs — show a model writing code based on well-described prior context, rather than autonomously discovering and exploiting novel vulnerabilities. He also raises a structural accountability concern: because Mythos Preview is not publicly available, independent researchers cannot audit the claims. “Anthropic knows what they’re doing,” Swift says. “They’re making big claims, because attention is good for their business model — providing just enough detail so that the claims look convincing at first glance.”

Swift’s critique deserves to be held alongside the report’s most defensible data points. The 27-year-old OpenBSD zero-day and the 16-year-old FFmpeg flaw were confirmed by AddressSanitizer; both have been patched and were found autonomously in code that had been extensively reviewed and fuzz-tested. The UK AISI’s independent evaluation provides third-party corroboration that does not rely on Anthropic’s own testing. Uzair Gadit, CEO of Secure.com, offers the most calibrated read of the hype-versus-reality question: “There’s likely some hype in the claims, but not in the direction in which cybersecurity is traveling — and that distinction matters. FUD fills the gap when validation lags capability. That’s exactly where we are right now.”

What Defenders Should Do Now

The CSA CISO Community, together with SANS, OWASP’s Gen AI Security Project, and several CISOs, has co-authored and published a strategy brief titled “The AI Vulnerability Storm: Building a Mythos-Ready Security Program” that offers operational guidance for organizations working through their response. Sunil Gottumukkala, CEO of Averlon, offers a pointed sequencing note worth internalizing first: the initial vulnerabilities to hit organizations from Mythos-class models will not be in their proprietary code — they will be in vendor software and open-source components that organizations consume. The diagnostic questions that matter most are operational: Can you patch critical systems in near real time? Do you have a complete software inventory including dependencies? Can your team sustain a surge in patching and malicious activity simultaneously?

With that sequencing in mind, practitioners across this space converge on several priorities:

  • Deploy AI-assisted vulnerability discovery now, with current models. Opus 4.6 and comparable frontier models already find high- and critical-severity bugs across OSS-Fuzz targets, web applications, cryptography libraries, and the Linux kernel. Organizations that have not adopted AI-assisted bugfinding are leaving findings on the table — and potentially leaving them for adversaries to find first.

  • Compress patch cycles and revisit your legacy vulnerability backlog. N-day exploitation is now faster and cheaper. Tighten patching enforcement windows, enable auto-update where feasible, and treat dependency bumps carrying CVE fixes as urgent rather than routine maintenance. Exceptions previously accepted as low-risk based on exploitation difficulty may no longer be viable.

  • Plan for contractual and disclosure obligations at scale. Morey Haber, Chief Security Advisor at BeyondTrust, flags an underreported downstream consequence: organizations with contractual notification clauses tied to CVSS scores — typically triggering at 9.0 — may face a flood of mandatory private disclosures as AI-driven discovery surfaces previously undetected vulnerabilities at scale. Legal and compliance teams need to be looped into vulnerability management planning now.

  • Implement Zero Trust and runtime attestation as a near-term mitigation. George McGregor of Approov argues that while accelerating patch cycles is valuable, it may be too slow to address the immediate risk window. Runtime app and device attestation can block AI agents and validate every API request, defending against exploitation of vulnerabilities while patching pipelines catch up.

  • Shift from visibility to decision speed. As Gadit frames it, the constraint for defenders has moved from finding issues to deciding what to fix — in what order, fast enough. “Security teams are about to be measured on response velocity, not just coverage,” he says. Detection, prioritization, and action need to connect into a single automated loop, with humans in the loop rather than humans as the bottleneck.

  • Build continuous security into the product lifecycle. For connected device manufacturers and anyone shipping software that underpins critical infrastructure, binary analysis and software composition analysis need to happen from the earliest stages of design, not as a final check. A real-time SBOM with automated reachability analysis for new vulnerabilities is the minimum viable posture.
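An added illustration of the inventory, SBOM, and notification-threshold points in the list above, not code from the article or from any vendor quoted in it. It matches a constructed CycloneDX-style SBOM against constructed advisories, uses the SBOM's dependency graph as a coarse stand-in for reachability analysis (real reachability works at the call level), and flags findings at or above the 9.0 CVSS trigger; all component names, versions, and advisory ids are placeholders.

```python
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical product (placeholders only).
SBOM = {
    "metadata": {"component": {"bom-ref": "app", "name": "gateway-fw"}},
    "components": [
        {"bom-ref": "a", "name": "libmedia", "version": "4.2.1"},
        {"bom-ref": "b", "name": "libcodec", "version": "1.0.9"},
        {"bom-ref": "c", "name": "libnet", "version": "3.1.0"},
        {"bom-ref": "d", "name": "libtest", "version": "0.5.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["a", "c"]},
        {"ref": "a", "dependsOn": ["b"]},  # libcodec is only a transitive dependency
    ],
}
# Constructed advisories; "fixed" is the first patched version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "libcodec", "fixed": "1.1.0", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "name": "libnet", "fixed": "3.0.5", "cvss": 7.5},
    {"id": "EXAMPLE-0003", "name": "libtest", "fixed": "0.6.0", "cvss": 9.1},
]
NOTIFY_CVSS = 9.0  # contractual trigger cited in the article

def vtuple(version):
    """Assumes plain dotted numeric versions; real feeds need a proper parser."""
    return tuple(int(part) for part in version.split("."))

def shipped_refs(sbom):
    """bom-refs reachable from the product root via the dependency graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    seen, queue = {root}, deque([root])
    while queue:
        for ref in graph.get(queue.popleft(), []):
            if ref not in seen:
                seen.add(ref)
                queue.append(ref)
    return seen

def triage(sbom, advisories):
    """Affected components, dependency-reachable and highest CVSS first."""
    reachable = shipped_refs(sbom)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if (adv["name"] != comp["name"]
                    or vtuple(comp["version"]) >= vtuple(adv["fixed"])):
                continue  # different component, or already patched
            linked = comp["bom-ref"] in reachable
            # Assumption: only linked components trigger notification;
            # unlinked ones stay in the list for manual review.
            findings.append({"advisory": adv["id"], "component": comp["name"],
                             "cvss": adv["cvss"], "in_dependency_graph": linked,
                             "notify": linked and adv["cvss"] >= NOTIFY_CVSS})
    return sorted(findings, key=lambda f: (not f["in_dependency_graph"], -f["cvss"]))
```

On the constructed data, the transitive libcodec finding sorts first and is flagged for notification, while libtest is reported but held for review because nothing in the dependency graph links it to the product.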

Jason Schmitt, CEO of Black Duck, adds a defense-in-depth frame that prevents any single tool — including Mythos — from being mistaken for a complete solution. Mythos appears capable of automating the most expensive and least scalable tier of security work: the human-driven penetration testing and bug bounty layer that catches what static analysis and fuzzing miss. That is significant. But it does not replace the upstream layers, and the complete platform remains one that finds every exploitable vulnerability, remediates them as efficiently as possible, and can deterministically prove it.

The Bot-on-Bot Future

Ram Varadarajan, CEO of Acalvio, names where this leads plainly: “This confirms once again our bot-on-bot future in cybersecurity. We’ve reached a point where traditional, human-led security can no longer keep pace with automated attacks, forcing a total rethink of how we protect our data.” Fowler adds one important second-order observation that deserves not to be lost in the urgency: as external exploitation becomes harder against hardened systems, attackers will adapt toward the human. Insider risk — compromised credentials, malicious insiders, coerced access — requires no exploitation of vulnerabilities at all. Hardening the code does not harden the human.

Project Glasswing is an important step. The $100 million commitment, the breadth of the partner coalition, and the seriousness with which Anthropic has approached coordinated disclosure all reflect genuine effort. But the initiative is, by design, limited to a small subset of organizations facing this threat. For everyone else, the window between when Mythos-class capabilities become broadly available and when defenses are ready is the problem that requires action today.

“If your current vulnerability management strategy still involves a human clicking ‘Approve’ on a Tuesday morning, you aren’t defending a network. You are managing a museum.”

— Noelle Murata, Sr. Security Engineer, Xcape, Inc.

The full technical report from Anthropic’s Frontier Red Team, including cryptographic commitments for unreleased vulnerability details and coordinated disclosure timelines, is available at red.anthropic.com. The CSA/SANS “AI Vulnerability Storm” strategy brief is available through the Cloud Security Alliance.
