
Project Glasswing Explained: How Anthropic Is Using AI to Secure the Internet

Project Glasswing is Anthropic's $100 million initiative to deploy Claude Mythos for defensive cybersecurity before the technology reaches adversaries. Here's how it works, who's involved, what it means for open-source software, and what developers and security teams should do right now.


The core premise

On April 7, 2026, Anthropic announced two things simultaneously: a new AI model called Claude Mythos Preview, and an initiative called Project Glasswing to deploy it exclusively for defensive cybersecurity work.

The logic behind this pairing is straightforward. Mythos can autonomously find and exploit vulnerabilities in production software at a scale no human team can match. The question isn't whether this capability will eventually exist — it's who uses it first and for what purpose.

Project Glasswing's answer: use it now, defensively, before adversaries have access to comparable tools.

The name itself is a reference to the glasswing butterfly — transparent wings, nothing hidden.


Who is involved

The 12 charter partners

Anthropic selected a group of organizations that collectively touch most of the world's critical software infrastructure:

  • Amazon Web Services: cloud infrastructure, OS, and runtime components
  • Apple: macOS, iOS, Safari, system libraries
  • Broadcom: networking hardware firmware, VMware hypervisor
  • Cisco: network infrastructure, security appliances
  • CrowdStrike: endpoint security; a breach here affects millions of enterprise machines
  • Google: Chrome, Android, Linux kernel contributions, cloud infrastructure
  • JPMorganChase: financial infrastructure
  • Linux Foundation: Linux kernel and critical OSS governance
  • Microsoft: Windows, Azure, Edge, .NET, VS Code
  • NVIDIA: GPU drivers, the critical path for AI workloads
  • Palo Alto Networks: network security and SIEM
  • Anthropic: the Claude models themselves

Beyond these 12, more than 40 additional organizations that maintain widely deployed open-source software have been granted access.

Financial commitments

Anthropic has allocated:

  • $100 million in Mythos usage credits for Project Glasswing
  • $2.5 million to Alpha-Omega and the Open Source Security Foundation (OpenSSF)
  • $1.5 million to the Apache Software Foundation

AWS, Apple, Google, and Microsoft contributed to the funding pool beyond Anthropic's own commitment.


What Mythos is actually doing in Glasswing

The research process works in phases:

Phase 1: Automated scanning

Mythos runs against the target codebase inside a containerized environment. Different agents analyze different source files in parallel, pre-ranked by estimated vulnerability likelihood. The model hypothesizes bugs, writes test cases, uses sanitizers and debuggers to confirm them, and logs findings.

Phase 2: Human validation

Professional security contractors review every finding before it goes to vendors. Of 198 manually reviewed reports, 89% matched Mythos's severity assessment exactly. That agreement rate is what keeps the review step tractable: reviewers confirm the model's triage and reproduction rather than re-deriving each finding from scratch.

Phase 3: Coordinated disclosure

Anthropic coordinates with software vendors using standard CVD (Coordinated Vulnerability Disclosure) practice. Vendors get 90 days to patch before public disclosure, with a 45-day extension available. Over 99% of discovered vulnerabilities remain unpatched and undisclosed as of the announcement.

Cryptographic accountability

Anthropic published SHA-3 hashes of all vulnerability and exploit documents at announcement time. This is a hash commitment: the digest reveals nothing about a document's contents, so unpatched systems are not exposed, but once a document is later released anyone can rehash it and confirm it is byte-for-byte what Anthropic held on April 7, 2026. One caveat applies to any such scheme: the digest binds the content, while the date is only as strong as the independent record (archives, third-party mirrors, the announcement itself) of when the hash list was posted.
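
The commit-then-reveal flow described above, as an added example (this is not Anthropic's code, and the page does not say how its hash list was formatted). It assumes SHA3-256 as the SHA-3 variant, a JSON list of report ids and digests as the published artifact, and constructed placeholder reports rather than real findings. The optional nonce goes beyond the page's scheme: it is the standard defence when a committed document is short enough that a reader could confirm a guess by hashing candidates.

```python
"""Hash commitment for vulnerability reports: publish digests now, reveal later.

Added example; not Anthropic's code. The artifact format (JSON list of
report ids and SHA3-256 hex digests) is this example's own assumption.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional


def commit(document: bytes, nonce: bytes = b"") -> str:
    """Return the SHA3-256 hex digest that commits to `document`.

    The page's scheme hashes documents directly (nonce empty). Prepending a
    random nonce, revealed together with the document, prevents anyone from
    confirming a guess at a short or predictable document by hashing
    candidates and comparing them with the published digest.
    """
    h = hashlib.sha3_256()
    h.update(nonce)
    h.update(document)
    return h.hexdigest()


def publish_commitments(reports: Dict[str, bytes]) -> str:
    """Announcement-time artifact: ids and digests only, no report content."""
    entries = [{"report_id": rid, "sha3_256": commit(doc)}
               for rid, doc in sorted(reports.items())]
    return json.dumps(entries, indent=2)


def lookup(published_json: str, report_id: str) -> Optional[str]:
    """Find the digest that was published for one report id."""
    for entry in json.loads(published_json):
        if entry["report_id"] == report_id:
            return entry["sha3_256"]
    return None


def verify_reveal(document: bytes, published_hex: str, nonce: bytes = b"") -> bool:
    """Check a later-revealed document against the published digest.

    The comparison is on the exact bytes revealed: any re-encoding, trailing
    newline or whitespace change produces a different digest and must fail.
    compare_digest avoids a timing side channel on the comparison itself.
    """
    return hmac.compare_digest(commit(document, nonce), published_hex)


# Constructed placeholder reports; not real Glasswing findings.
SAMPLE_REPORTS = {
    "GW-0001": b"Product: example-app 1.0\nBug: placeholder description\nPoC: attached\n",
    "GW-0002": b"Product: example-service 2.3\nBug: placeholder description\n",
}


def demo() -> dict:
    """Publish, then reveal one genuine document and one altered copy."""
    published = publish_commitments(SAMPLE_REPORTS)
    digest = lookup(published, "GW-0001")
    genuine = verify_reveal(SAMPLE_REPORTS["GW-0001"], digest)
    # A single-byte change (capitalisation) must break verification.
    tampered = SAMPLE_REPORTS["GW-0001"].replace(b"placeholder", b"Placeholder")
    altered = verify_reveal(tampered, digest)
    return {"published": json.loads(published),
            "genuine_verifies": genuine, "tampered_verifies": altered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once to produce the list you would publish, keep the report bytes immutable, and at reveal time have a third party run verify_reveal against the archived list rather than against a copy you hand them.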


The vulnerability wave — what Wiz and CrowdStrike are saying

Security firms that participated in or analyzed the Glasswing launch have outlined three phases of impact:

Short-term (now)

  • Increased CVE volume as Glasswing findings are disclosed
  • Attackers will use AI-assisted patch diffing — analyzing patches to rapidly reverse-engineer the underlying vulnerability and build exploits
  • Window between patch release and exploitation: shrinking from days to hours

"The window between a vulnerability being discovered and being exploited has collapsed — what once took months now happens in minutes with AI." — Elia Zaitsev, CTO, CrowdStrike

Medium-term (12–18 months)

Wiz analysts describe this as the "Y2K moment" for cybersecurity: the point when capabilities similar to Mythos reach open-source models, making autonomous vulnerability discovery and exploitation accessible to any attacker with a laptop.

At that point, organizations that haven't hardened their systems will face an entirely different threat landscape.

Long-term

The fundamental assumption of modern security — that attackers need significant time and skill to develop exploits — no longer holds. Defense-in-depth strategies built around containment delays need to be redesigned for a world where exploitation can happen within minutes of vulnerability disclosure.


What developers and security teams should do now

Immediate actions

1. Shorten patch cycles aggressively

Treat dependency bumps that fix a CVE as urgent patches, not routine maintenance. Enable automatic updates where you can, and pair them with lockfiles and integrity verification so that faster intake does not become a new supply-chain exposure. Establish a procedure for applying critical patches within hours, not days, and measure how long it actually takes.

2. Enable AI-assisted code review

Models like Claude Opus 4.6 (publicly available today) are already competent at finding vulnerabilities in code. Integrate them into your CI/CD pipeline as an additional security scanner; you don't need Mythos to get significant benefit from AI-assisted AppSec. Two practical points: the diff leaves your environment, so scrub credentials from it first and keep the call out of any pipeline stage that handles secrets, and treat the output as triage input for a human reviewer, since the model produces both false positives and misses.

Bash
# Example: scan a PR diff with Claude via API.
# jq -Rs reads the diff as one raw string and JSON-escapes it, so quotes,
# backslashes and newlines in the diff cannot break the request body.
git diff HEAD~1 | jq -Rs '{
    model: "claude-opus-4-6",
    max_tokens: 2048,
    messages: [{
      role: "user",
      content: ("Review this diff for security vulnerabilities:\n\n" + .)
    }]
  }' | curl -s https://api.anthropic.com/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  -d @-
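
The curl call above gets a free-text review back; to make it a CI gate you need to scrub the diff before it leaves the pipeline, ask for structured output, and turn that output into a pass/fail. The following is an added example of that wrapper (it is not Anthropic's tooling). It uses the public Messages API (POST to /v1/messages, reply body with a "content" list of text blocks); the findings schema requested in the prompt, the redaction patterns, the severity threshold and the sample diff and reply are this example's own choices.

```python
"""CI gate around an AI diff review: redact, request JSON findings, fail the job.

Added example, not Anthropic's code. Assumptions: the Messages API request and
response shapes; the findings schema in SYSTEM_PROMPT; illustrative regexes.
"""
import json
import os
import re
import subprocess
import urllib.request
from typing import Iterable, List, Tuple

API_URL = "https://api.anthropic.com/v1/messages"
MODEL = "claude-opus-4-6"  # model id as given on the page

# Illustrative patterns only; a real pipeline runs a dedicated secret
# scanner before this step rather than relying on a handful of regexes.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),  # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)(password|secret|token)\s*[:=]\s*['\"][^'\"]+['\"]"),
]

SYSTEM_PROMPT = (
    "You are a security reviewer. Examine the unified diff for vulnerabilities "
    "introduced or exposed by the change. Respond with JSON only, of the form "
    '{"findings": [{"severity": "critical|high|medium|low", "file": "...", '
    '"line": 0, "title": "...", "rationale": "..."}]}. Use an empty list if '
    "nothing is found."
)


def redact_secrets(diff: str) -> str:
    """Replace likely credentials so they are never sent to an external API."""
    for pattern in SECRET_PATTERNS:
        diff = pattern.sub("[REDACTED]", diff)
    return diff


def build_request(diff: str, model: str = MODEL) -> dict:
    """Messages API payload; json.dumps later escapes the diff text safely."""
    return {
        "model": model,
        "max_tokens": 2048,
        "system": SYSTEM_PROMPT,
        "messages": [{"role": "user",
                      "content": "Diff to review:\n\n" + redact_secrets(diff)}],
    }


def parse_findings(response: dict) -> List[dict]:
    """Extract the findings list from a Messages API response body.

    Models sometimes wrap the JSON in prose or code fences, so fall back to
    the outermost {...} span before giving up with an empty list.
    """
    text = "".join(block.get("text", "") for block in response.get("content", [])
                   if block.get("type") == "text")
    candidates = (text.strip(), text[text.find("{"): text.rfind("}") + 1])
    for candidate in candidates:
        try:
            return list(json.loads(candidate).get("findings", []))
        except (ValueError, AttributeError):
            continue
    return []


def gate(findings: Iterable[dict],
         fail_on: Iterable[str] = ("critical", "high")) -> Tuple[bool, List[dict]]:
    """Return (should_fail, blocking_findings) for the CI job."""
    levels = {level.lower() for level in fail_on}
    blocking = [f for f in findings if str(f.get("severity", "")).lower() in levels]
    return bool(blocking), blocking


def review_with_api(diff: str) -> List[dict]:
    """Network path: POST the request and parse the reply (needs ANTHROPIC_API_KEY)."""
    request = urllib.request.Request(
        API_URL,
        data=json.dumps(build_request(diff)).encode(),
        headers={"x-api-key": os.environ["ANTHROPIC_API_KEY"],
                 "anthropic-version": "2023-06-01",
                 "content-type": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=120) as resp:
        return parse_findings(json.load(resp))


# Constructed sample: a diff that leaks a credential, plus a reply of the
# shape the prompt asks for. Neither comes from a real run.
SAMPLE_DIFF = """--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SQL = "SELECT * FROM users WHERE name = '" + name + "'"
"""
SAMPLE_RESPONSE = {"content": [{"type": "text", "text":
    'Here is the review:\n{"findings": [{"severity": "high", "file": "app/config.py", '
    '"line": 3, "title": "SQL built by string concatenation", '
    '"rationale": "name is interpolated into the query; use parameters."}]}'}]}

if __name__ == "__main__":
    diff = subprocess.run(["git", "diff", "HEAD~1"], capture_output=True,
                          text=True, check=True).stdout
    should_fail, blocking = gate(review_with_api(diff))
    print(json.dumps(blocking, indent=2))
    raise SystemExit(1 if should_fail else 0)
```

The exit status is what the CI runner acts on; keep the threshold at critical and high so that medium and low findings land in the PR as comments for a human reviewer instead of blocking merges on the model's judgement alone.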

3. Reduce your attack surface

  • Remove or isolate internet-facing services that don't need to be exposed
  • Implement egress filtering — limit what compromised services can reach
  • Review NFS, RPC, and legacy network service configurations (the FreeBSD finding is a reminder that 30-year-old network services still run everywhere)

4. Assume RCE is possible, design for resilience

Modern defense-in-depth means assuming a component can be compromised and limiting blast radius. Separate secrets from application code. Use least-privilege service accounts. Implement runtime anomaly detection.

5. Update your vulnerability disclosure policy

If your organization has a VDP, review whether its timelines account for accelerated exploitation. The 90-day disclosure window that was standard is now potentially too long for some critical vulnerabilities.


For open-source maintainers

Anthropic has a dedicated program granting Mythos access to open-source maintainers whose projects are part of critical software infrastructure. If you maintain a widely deployed OSS project, check Anthropic's Project Glasswing page for the application process.

The $4 million in direct donations to OpenSSF and Apache is also intended to fund human security review capacity that can handle the incoming volume of AI-discovered bug reports.


What Glasswing doesn't solve

It's worth being clear about the limits:

  • It finds bugs only in software that is actually scanned, and finding is not fixing: every report still needs a vendor patch and then a deployment by each user of that software
  • It relies on vendors patching quickly — if vendors don't act on disclosures, the 90-day window means vulnerabilities become public regardless
  • It's a temporary advantage — Anthropic's own documentation acknowledges that similar capabilities will reach adversaries; Glasswing buys time, not permanent immunity
  • It covers only participants — the thousands of smaller software projects not in the Glasswing program remain unscanned

The broader question

Project Glasswing is a bet that the window between "AI can find vulnerabilities" and "AI can be deployed defensively at scale" is one that can be won by defenders if they move first.

History is mixed on this kind of race. The introduction of network scanning tools like nmap initially alarmed security teams before becoming standard defensive tooling. The introduction of exploit frameworks like Metasploit made both attackers and defenders more capable, but defenders — with more resources — arguably benefited more.

The difference this time is scale and speed. Mythos can run against millions of lines of code simultaneously, for $50 per exploit. Whether centralized defensive deployment through Glasswing is the right governance model, or whether broader access under appropriate restrictions would produce better outcomes, is a debate that will unfold over the next 12–18 months.

For now, the practical advice is simple: move faster on patching, integrate AI into your security workflow, and design systems that can survive a compromise.


webencher Editorial

Software engineers and technical writers with 10+ years of combined experience in algorithms, systems design, and web development. Every article is reviewed for accuracy, depth, and practical applicability.
