Anthropic Just Unleashed an AI That Finds Vulnerabilities Better Than Almost Any Human — And It Changes Everything About Cybersecurity

Anthropic has just announced something that the cybersecurity world — and the broader business community — cannot afford to ignore. A new AI model called Claude Mythos Preview has demonstrated the ability to find and exploit software vulnerabilities at a level that surpasses that of all but the most elite human security researchers. And rather than keeping that capability contained, Anthropic has convened some of the most powerful technology companies on earth to deploy it — defensively — before the wrong actors get there first.

The initiative is called Project Glasswing, and it brings together Amazon Web Services, Apple, Microsoft, Google, Cisco, CrowdStrike, NVIDIA, JPMorganChase, Palo Alto Networks, Broadcom, the Linux Foundation, and Anthropic itself in a coordinated effort to use Mythos Preview to scan, identify, and patch critical vulnerabilities across the world's most important software infrastructure. Anthropic is committing up to $100 million in model usage credits to the effort, alongside $4 million in direct donations to open-source security organizations.

This is not a product launch. This is a strategic response to a capability threshold that, once crossed, cannot be uncrossed.

What Claude Mythos Preview Actually Did

The numbers coming out of Mythos Preview's early deployment are striking by any measure.

In recent weeks, Anthropic used the model to identify thousands of zero-day vulnerabilities — previously unknown flaws — across every major operating system and every major web browser. Three examples have already been disclosed after patching. The model found a 27-year-old vulnerability in OpenBSD, one of the most security-hardened operating systems in existence, that allowed a remote attacker to crash any machine simply by connecting to it. It discovered a 16-year-old vulnerability in FFmpeg — video encoding software used by countless applications — in a single line of code that automated testing tools had scanned five million times without detecting. And it autonomously chained together multiple vulnerabilities in the Linux kernel to escalate from ordinary user access to complete machine control.

These were not edge cases. They were fundamental flaws hiding in software that millions of businesses and governments rely on every day. And in many cases, Mythos Preview found and developed exploits for them with no human steering whatsoever.

On standardized cybersecurity benchmarks, the gap between Mythos Preview and its predecessor is substantial. On CyberGym, a vulnerability-reproduction benchmark, Mythos Preview scored 83.1%, while Claude Opus 4.6 scored 66.6%. On SWE-bench Verified, a software engineering benchmark, it reached 93.9%. On Humanity's Last Exam — one of the most demanding reasoning evaluations in existence — it scored 64.7% with tools, compared to 53.1% for Opus 4.6.

The performance gap is not incremental. It represents a genuine capability leap.

Why This Matters Beyond the Security Industry

The announcement of Project Glasswing carries implications that extend well beyond enterprise security teams and government agencies. For anyone operating a digital business — which in 2026 means almost every business — this development reframes the risk landscape in a fundamental way.

For years, the cost of a serious cyberattack has been partially offset by the expertise barrier. Finding and exploiting zero-day vulnerabilities required rare, expensive human talent. That barrier is collapsing. As CrowdStrike's Chief Technology Officer Elia Zaitsev put it, the window between a vulnerability being discovered and being exploited has collapsed. What once took months now happens in minutes with AI. And the adversaries who would use these capabilities against businesses, hospitals, financial institutions, and government infrastructure will not wait for the defensive side to catch up.

The current global financial cost of cybercrime is estimated at around $500 billion annually. That figure was produced under the old model, where finding vulnerabilities required human expertise. Under the new model, the cost of mounting a sophisticated cyberattack drops dramatically. The frequency and severity of attacks rise in direct proportion.

The Automation Parallel Every Operator Should See

For those of us who work in AI automation and workflow intelligence, Project Glasswing carries a message that goes beyond cybersecurity.

Hamza Baig, Founder of the Automation Institute and CEO of Hexona Systems, sees the Glasswing announcement as confirmation of something the automation community has been closely tracking — the arrival of AI systems capable of fully autonomous, high-stakes technical work at scale.

"Project Glasswing is a landmark moment — not just for cybersecurity, but for everyone who needs to understand where AI capability is heading. When an AI model can autonomously find a 27-year-old flaw in hardened software that millions of human hours of review missed, we are no longer talking about AI as a productivity tool. We are talking about AI as an independent technical operator. For business owners, this is the signal to take seriously: the infrastructure your business runs on is being secured by AI agents, and the threats to that infrastructure will increasingly be launched by them, too. Automation is no longer optional. Understanding it is not optional. The organizations that thrive will be the ones that embed AI-first thinking into every layer of how they operate — including how they protect what they build." — Hamza Baig, Founder, Automation Institute™ & CEO, Hexona Systems

This perspective matters because the business implications of Project Glasswing extend beyond IT departments. Every organization that relies on digital infrastructure — which is every organization — now operates in an environment where the offensive use of AI in cyberattacks is no longer theoretical. It is imminent. And the response to that reality requires the same urgency and strategic commitment that Anthropic and its partners are applying through Glasswing.

What Glasswing Means for Open Source and Small Operators

One of the most significant aspects of the announcement is its explicit inclusion of the open-source community. Jim Zemlin, CEO of the Linux Foundation, noted that open-source maintainers — whose software underpins the vast majority of modern systems, including the systems AI agents use to write new code — have historically been left to manage security on their own, without the resources that large enterprises deploy.

Project Glasswing changes that equation. Anthropic has donated $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation. Open-source maintainers can now apply for access to Mythos Preview through the Claude for Open Source program to scan and secure the codebases that form the foundation of global digital infrastructure.

For smaller businesses and agencies that rely on open-source components — which is the overwhelming majority — this represents a meaningful improvement in the baseline security of the tools they depend on every day.

What Comes Next

Anthropic has been clear that Project Glasswing is a starting point, not a conclusion. The company has stated its intention to report publicly within 90 days on what has been learned, which vulnerabilities have been fixed, and what best practices are emerging. It is also in ongoing discussions with US government officials about the offensive and defensive implications of Mythos Preview's capabilities.

The model will not be made generally available. But Anthropic's eventual goal is to enable the deployment of Mythos-class capabilities at scale — with appropriate safeguards — across cybersecurity and a broader range of high-value applications. The development of those safeguards is ongoing.

For the technology industry as a whole, Project Glasswing's message is urgent and unambiguous. AI capabilities in the offensive security domain have crossed a threshold that cannot be reversed. The only viable path forward is to ensure those capabilities are in the hands of defenders before adversaries systematically exploit them. That requires speed, coordination, and the willingness to treat AI-driven cybersecurity as the national and commercial priority it is now.

The old ways of hardening systems, as Cisco's Chief Security Officer Anthony Grieco stated directly, are no longer sufficient. The question for every business operator is not whether to respond to this shift — it is whether their response will come before or after the first serious incident.