Project Glasswing: What Anthropic’s Cybersecurity Gambit Means for Every Company Running AI

A 27-year-old bug in OpenBSD. That’s the detail that sticks. Not the thousands of zero-days Anthropic’s Mythos Preview found — that’s impressive but abstract. The 27-year-old bug is the one that makes you reconsider what ‘secure’ actually means. OpenBSD is the operating system people choose because of its security reputation. If a vulnerability hid there for nearly three decades, the question isn’t about one bug. It’s about what else is sitting in your systems that nobody’s found yet.

That’s the question Project Glasswing is trying to answer — at scale, before attackers get there first.

What Mythos actually is

Claude Mythos Preview is Anthropic’s most capable model to date, and the first one they’ve chosen not to release publicly. Announced on 7 April 2026, it sits in a tier above Opus 4.6 — Anthropic internally calls this tier Copybara. It’s a general-purpose model, not a cybersecurity tool, but its agentic coding and reasoning capabilities give it what Anthropic describes as a ‘step change’ in cyber performance.

How big a step? I’d say unprecedented. The UK’s AI Safety Institute ran independent evaluations. On expert-level capture-the-flag tasks — the kind that simulate real-world exploitation chains — Mythos Preview succeeds 73% of the time. For context: no model could complete these tasks before April 2025. The AISI also built a 32-step simulated corporate network attack called ‘The Last Ones.’ Mythos completed more steps than any other model tested, progressing from initial reconnaissance through to near-complete network takeover.

The number that got the most attention: Mythos found and created proof-of-concept exploits on its first attempt in 83.1% of cases. For a zero-day. Autonomously. That’s not incremental progress.

What Project Glasswing is

Glasswing is Anthropic’s attempt to get ahead of its own model’s capabilities. The logic: if Mythos-class models will exist — and they will, because other labs are building comparable systems — then the world’s most critical software needs to be audited before attackers get access to similar tools.

Twelve partner organisations have access to the Mythos Preview for defensive security work: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, Nvidia, Palo Alto Networks, the Linux Foundation, and the Apache Software Foundation. Roughly 40 additional organisations responsible for critical software infrastructure also have access. Anthropic is providing up to $100M in usage credits to fund the work, plus $4M to open-source security organisations including OpenSSF and Alpha-Omega.

The partners’ job: use Mythos to find and fix vulnerabilities in their systems, then share what they’ve learned with the wider industry. The model stays behind closed doors. The defensive knowledge doesn’t.

So much for the facts. Here’s what I think they mean.

Why this matters beyond cybersecurity

The obvious story is about bugs and patches. That matters, but it’s not the most important implication. Three things are worth thinking through.

First: the talent bottleneck just broke. The cybersecurity industry has been short-staffed for years. There aren’t enough skilled penetration testers to audit every codebase that matters. Mythos doesn’t replace those people — you still need humans to prioritise, remediate, and make judgement calls about risk. But it fundamentally changes the economics of the first step: finding the vulnerabilities. What used to require a specialist team over weeks can now be done by an agent in hours. The CodeWall MBB breaches proved this from the offensive side. Glasswing is the defensive mirror.

Second: the procurement landscape is about to shift. Enterprise buyers already require SOC 2 and ISO 27001 as vendor conditions. If — when — the first high-profile breach of an internal AI tool triggers regulatory action, procurement teams will add continuous AI-specific security testing to their checklists. The companies that have Glasswing-level auditing in place (or comparable) will pass. The ones that are still running annual pentests will scramble. I wrote about this in Wednesday’s issue, and I think the timeline is Q4 2026 at the latest.

The third implication is the one I keep coming back to. Anthropic could have released Mythos publicly and claimed the benchmark crown — it would have dominated every leaderboard. SWE-bench verified at 93.9%, compared with Opus 4.6 at 80.8%. That’s not a marginal improvement. That’s the kind of number that generates headlines and customer acquisition. They chose not to.

Instead, they’re deploying it defensively through a controlled partner programme with contractual obligations to share findings. OpenAI is reportedly building something comparable through its existing ‘Trusted Access for Cyber’ programme, though with less public detail on the sharing requirements. The question for the rest of the industry is whether this defensive-first model becomes the norm for frontier releases, or whether competitive pressure eventually forces someone to ship a Mythos-class model publicly. My guess: both will happen, and the gap between responsible and reckless deployment will become the defining fault line in AI governance over the next 12 months.

What to do about it

If you’re not a Glasswing partner, you’re not getting access to Mythos Preview. But the vulnerabilities it finds aren’t exotic. The practical steps below go beyond what I covered in Wednesday’s issue.

Run the audit prompt — and know what to look for in the output. In this week’s issue, I shared a prompt that maps your AI deployment’s attack surface. Here’s what to pay attention to when you read the results. The model will flag five areas. The ones that matter most are numbers 2 and 5: where your system prompts are stored, and what happens when someone injects instructions through uploaded documents. If the model rates either of those as Critical or High, you have an immediate action item — those are the two vectors CodeWall exploited across all three MBB firms. If it rates your API authentication as Medium or above, that’s your second priority: the McKinsey breach started with 22 unauthenticated endpoints. Don’t treat the output as a checklist. Treat it as a triage list: fix the Critical items this week, schedule the Highs for this month, and document the Mediums so they don’t get forgotten.

Scope an AI-specific penetration test. The audit prompt will surface questions. A proper pentest answers them. When scoping one, make sure the engagement explicitly covers: prompt injection (both direct and indirect via uploaded documents), system prompt extraction and modification, API authentication and authorisation boundaries, and data exfiltration via model outputs. Most traditional pentest firms don’t include these by default — you’ll need to specify them. If your provider doesn’t know what indirect prompt injection is, find a different provider.

One more thing — and this is the one most teams skip. Even after you move your system prompts to version-controlled repositories, you need to know if someone changes them outside the approved process. A simple approach: hash each prompt on deployment and run a daily check that compares the live version against the stored hash. If they don’t match, alert your security team. This is ten lines of code and catches exactly the kind of silent modification that made McKinsey’s Lilli so vulnerable. prompt-armor (open-source, 91.7% F1, 27ms) can handle the input-side detection; the hash check handles the prompt-integrity side.

Already subscribed? Forward this to your security team — they’ll want the pentest scoping checklist above.

This deep dive is a companion to iPrompt Wednesday Issue #132. If you’re not subscribed, you’re missing the weekly analysis that connects AI news to what it means for your organisation.

Subscribe at iprompt.com →

— R. Lauritsen