Claude Mythos & Project Glasswing: AI Takes On Zero-Days
3 min readAnthropic just showed the world what a frontier AI model can do when pointed at the internet’s most deeply buried security flaws — and the answer is quietly alarming. On Monday, the company unveiled Claude Mythos Preview alongside Project Glasswing, a cross-industry coalition aimed at using that power defensively before attackers get there first.
The Vulnerability Hunt
In the weeks leading up to the announcement, Anthropic deployed Claude Mythos Preview on a targeted mission: find zero-day vulnerabilities in the world’s most critical software. The results were striking. Mythos uncovered a 27-year-old flaw in OpenBSD capable of crashing remote systems, a 16-year-old FFmpeg vulnerability that had survived five million automated test runs undetected, and multiple Linux kernel weaknesses enabling privilege escalation. Altogether, the model identified thousands of high-severity flaws across major operating systems and web browsers.
On standardized benchmarks, Mythos Preview scored an 83.1% success rate on vulnerability reproduction tasks — up sharply from its predecessor’s 66.6%. Anthropic is clear-eyed about what this means: AI has reached a level of coding capability where it can outperform all but the most elite human security researchers at finding and exploiting software vulnerabilities.
Project Glasswing: Building a Defensive Coalition
Rather than release Mythos to the general public, Anthropic is channeling its capabilities through Project Glasswing — a coordinated effort to patch vulnerabilities before they can be weaponized. The initiative launched with 12 founding partners: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, with more than 40 additional organizations also receiving access. Anthropic is committing $100 million in model usage credits and $4 million in direct donations to open-source security organizations to support the effort.
The logic is a familiar one in security circles — offense informs defense. By proactively surfacing vulnerabilities across widely deployed open-source software and critical infrastructure, Glasswing aims to close attack windows before AI-powered adversaries reach the same capability level.
Why This Matters
The Mythos announcement lands at a moment when AI’s dual-use potential has never been more tangible. A model capable of autonomously discovering and exploiting a 27-year-old remote code execution vulnerability — with no human in the loop after the initial request — represents a genuine shift in the threat landscape. The question is no longer whether AI will transform cybersecurity, but who wields it first and how responsibly.
Anthropic’s bet is that a coordinated, well-resourced defensive push — backed by the biggest names in enterprise software — can stay ahead of that curve. Whether the coalition model holds together under competitive pressures remains to be seen, but the scope of the commitment is significant. Project Glasswing is also drawing scrutiny from policy circles, with questions emerging about how the initiative intersects with U.S. government cyber operations.
Also: Meta Debuts Muse Spark
Separately, Meta on Tuesday unveiled Muse Spark, the first AI model to emerge from its new Meta Superintelligence Labs, led by Alexandr Wang. Built over nine months and code-named Avocado internally, Muse Spark is a multimodal model accepting voice, text, and image inputs. It will power the Meta AI assistant across Facebook, Instagram, WhatsApp, Messenger, and the Ray-Ban Meta glasses. Notably, unlike Meta’s Llama family, Muse Spark is a closed model — a significant strategic pivot for a company that built its AI reputation on open weights. It ranked fourth on the Artificial Analysis Intelligence Index v4.0, trailing Gemini 3.1 Pro Preview, GPT-5.4, and Claude Opus 4.6.
Two major moves in 48 hours, from two of the most closely watched labs in the industry. Continue reading…