Project Glasswing: A New and Dangerous AI Model

By Patricia A. Pramono • Studio 1080, Published on April 29, 2026

It is not every day that an AI company builds its most capable model yet and then deliberately chooses not to sell it to the public.

That is precisely what Anthropic did on April 7, 2026, when it announced Project Glasswing. The initiative is a coalition of some of the biggest names in tech, rallying around a single, unsettling idea: that AI has become dangerously good at hacking, and the window to act defensively is narrowing fast (Anthropic, 2026).

What Is Project Glasswing?

Project Glasswing is an industry-wide cybersecurity initiative led by Anthropic, the creators of Claude. It brings together an unusual mix of partners, such as Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, along with more than 40 other organizations that build or maintain the world's critical software infrastructure.

The name is drawn from the glasswing butterfly, whose transparent wings allow it to both hide in plain sight and evade harm. It is a fitting metaphor for how hidden software vulnerabilities can sit undetected for decades before anyone finally spots them.

The goal is to use Anthropic's most advanced AI model to find and patch dangerous software flaws before attackers find them first.

To back the effort, Anthropic has committed up to $100 million in model usage credits, along with another $4 million in donations to open-source security organizations such as the Apache Software Foundation, Alpha-Omega, and OpenSSF (Futurum, 2026).

It is a significant commitment, and the scale reflects how much the coalition believes is at stake.

Meet Claude Mythos, the AI Behind the Project

At the center of Project Glasswing is Claude Mythos Preview, a new, unreleased frontier model that Anthropic describes as a genuine step-change in coding and cybersecurity capability.

Anthropic claims that Mythos has reached a level where it can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

An AI model is now competitive with the world's best security researchers. Notably, Anthropic did not even train it specifically for cybersecurity.

"We haven't trained it specifically to be good at cyber. We trained it to be good at code, but as a side effect of being good at code, it's also good at cyber," Anthropic CEO Dario Amodei said in the Project Glasswing launch video.

It is a casual description of what may prove to be one of the most significant shifts in cybersecurity this decade.

What Mythos Has Already Found

In just a few weeks of internal testing, Mythos Preview has autonomously discovered thousands of zero-day vulnerabilities, meaning flaws that software developers did not know existed, across every major operating system and every major web browser.

A few notable examples:

  • A 27-year-old vulnerability in OpenBSD, an operating system with a reputation as one of the most security-hardened in the world. The flaw allowed attackers to remotely crash any machine running it simply by connecting to it.
  • A 16-year-old vulnerability in FFmpeg, the behind-the-scenes software that most applications use to handle video. The bug sat in a line of code that automated testing tools had hit five million times without ever catching it.
  • A chained exploit in the Linux kernel, which runs the majority of the world's servers. Mythos found and linked several vulnerabilities together, enabling an attacker to escalate from ordinary user access to full machine control.

On the CyberGym cybersecurity benchmark, Mythos Preview scored 83.1%, compared to 66.6% for Claude Opus 4.6, Anthropic's next-best model. In AI benchmark terms, a 16-point leap is enormous.

Mythos can also generate a functional, weaponized exploit for under $50 in compute costs in some instances. Exploit development that previously required weeks of effort from elite security researchers, often at hundreds of dollars per hour, has been compressed into the cost of a dinner out.

Why This Is a Turning Point

Cisco's Chief Security & Trust Officer Anthony Grieco summed it up: "AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back."

For years, most serious vulnerabilities stayed hidden because finding them required rare skill and a lot of time (The Conversation, 2026). Only a small number of experts had that skill. There were only so many hours in a day.

Mythos removes both limits at once. An AI model can scan huge amounts of code quickly and find bugs that humans miss. Work that used to take elite researchers weeks can now be done in minutes.

Project Glasswing exists because Anthropic believes this capability will soon exist elsewhere. Other AI labs are training similar models. By Anthropic's own estimate, comparable capabilities could be 6 to 24 months away (Wired, 2026). The defensive window is narrow. 

The Double-Edged Sword

Mythos is useful for defenders. Project Glasswing partners are already using it to find and fix flaws in software that runs banking, energy, logistics, and healthcare systems.

But the same tool that helps defenders would also help attackers. That is why Anthropic is not releasing Mythos publicly. Access is limited to vetted partners, with monitoring in place.

It is still unclear whether this approach will actually slow down proliferation. Controlled access might genuinely give defenders a useful head start, or it might mostly lock in Anthropic's market position before competitors catch up. Both can be true at the same time.

The "1% Problem"

One statistic from Anthropic's Red Team is worth paying attention to. Of the thousands of vulnerabilities Mythos has found, less than 1% have been fully patched by maintainers.

This is not a problem with the AI. It is a problem with the system.

An AI can find bugs in minutes. Humans patch them in weeks or months. As AI tools get better at finding flaws, the gap between discovery and remediation will grow. Known but unpatched zero-days will pile up. When attackers eventually get their own AI-powered tools, those unpatched flaws become an easy target list.

Finding vulnerabilities faster only helps if they get fixed faster too.

What This Means for Businesses

A few practical points apply to any organization that relies on software:

1. The cost of attacking has dropped sharply

When an exploit costs $50 to produce, attackers have no reason to skip smaller or less obvious targets. Being deemed too small to be worth hacking is no longer a protection.

2. The time between discovery and attack has collapsed

CrowdStrike CTO Elia Zaitsev noted that what used to take months now happens in minutes. Patching schedules need to match that pace.

3. Traditional application security is no longer enough

Code is being written and audited by AI at machine speed. Security tools that run on human timelines cannot keep up.

4. Visibility without fast response is not enough

Knowing about a vulnerability is useless if it is not fixed quickly. Continuous monitoring and rapid response are now minimum requirements.

IEEE ComSoc's analysis made the same point. Defending critical infrastructure will take years, while AI capabilities are advancing in months. The old pace of cybersecurity work does not match the new reality.

What Individuals and Businesses Should Do

For individuals, the basics still apply: 

  • Update devices regularly
  • Use a password manager
  • Turn on multi-factor authentication
  • Install patches when they appear

For businesses, defending against AI-powered threats needs two things: proactive testing and continuous monitoring.

Vulnerability Assessment and Penetration Testing (VAPT) helps organizations find and fix exploitable weaknesses before attackers do. It simulates real attack methods to expose flaws that automated scans miss.

SOC (Security Operations Center) monitoring provides round-the-clock visibility into systems. When an attack does happen, a well-run SOC detects it quickly and responds before serious damage is done.

When a capable AI can find a 27-year-old bug in seconds, waiting until the next patch cycle is not a strategy.

Cisometric provides VAPT and 24/7 SOC monitoring services designed to match the speed of modern threats. Get in touch with our experts to find out how Cisometric can help organizations stay prepared in the AI era.




References:

  • Project Glasswing: Securing critical software for the AI era
  • Claude Mythos and Project Glasswing: why an AI superhacker has the tech world on alert
  • Project Glasswing, Apa Sebenarnya Pedang Bermata Dua Dari Anthropic Ini? [Project Glasswing: What Exactly Is This Double-Edged Sword from Anthropic?]
  • Anthropic Teams Up With Its Rivals to Keep AI From Hacking Everything | WIRED
  • Anthropic’s Project Glasswing aims to reshape IT cybersecurity – IEEE ComSoc Technology Blog
  • Anthropic Glasswing: AI Vulnerability Detection Has Crossed a Threshold
