Skip to content
Chimera readability score 0.52 out of 100, reading level.

Anthropic’s Project Glasswing—restricting Claude Mythos to security researchers—sounds necessary to me
7th April 2026
Anthropic didn’t release their latest model, Claude Mythos (system card PDF), today. They have instead made it available to a very restricted set of preview partners under their newly announced Project Glasswing.
The model is a general purpose model, similar to Claude Opus 4.6, but Anthropic claim that its cyber-security research abilities are strong enough that they need to give the software industry as a whole time to prepare.
Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely.
[...]
Project Glasswing partners will receive access to Claude Mythos Preview to find and fix vulnerabilities or weaknesses in their foundational systems—systems that represent a very large portion of the world’s shared cyberattack surface. We anticipate this work will focus on tasks like local vulnerability detection, black box testing of binaries, securing endpoints, and penetration testing of systems.
There’s a great deal more technical detail in Assessing Claude Mythos Preview’s cybersecurity capabilities on the Anthropic Red Team blog:
In one case, Mythos Preview wrote a web browser exploit that chained together four vulnerabilities, writing a complex JIT heap spray that escaped both renderer and OS sandboxes. It autonomously obtained local privilege escalation exploits on Linux and other operating systems by exploiting subtle race conditions and KASLR-bypasses. And it autonomously wrote a remote code execution exploit on FreeBSD’s NFS server that granted full root access to unauthenticated users by splitting a 20-gadget ROP chain over multiple packets.
Plus this comparison with Claude 4.6 Opus:
Our internal evaluations showed that Opus 4.6 generally had a near-0% success rate at autonomous exploit development. But Mythos Preview is in a different league. For example, Opus 4.6 turned the vulnerabilities it had found in Mozilla’s Firefox 147 JavaScript engine—all patched in Firefox 148—into JavaScript shell exploits only two times out of several hundred attempts. We re-ran this experiment as a benchmark for Mythos Preview, which developed working exploits 181 times, and achieved register control on 29 more.
Saying “our model is too dangerous to release” is a great way to build buzz around a new model, but in this case I expect their caution is warranted.
Just a few days (last Friday) ago I started a new ai-security-research tag on this blog to acknowledge an uptick in credible security professionals pulling the alarm on how good modern LLMs have got at vulnerability research.
Greg Kroah-Hartman of the Linux kernel:
Months ago, we were getting what we called ’AI slop,’ AI-generated security reports that were obviously wrong or low quality. It was kind of funny. It didn’t really worry us.
Something happened a month ago, and the world switched. Now we have real reports. All open source projects have real reports that are made with AI, but they’re good, and they’re real.
Daniel Stenberg of curl
:
The challenge with AI in open source security has transitioned from an AI slop tsunami into more of a ... plain security report tsunami. Less slop but lots of reports. Many of them really good.
I’m spending hours per day on this now. It’s intense.
And Thomas Ptacek published Vulnerability Research Is Cooked, a post inspired by his podcast conversation with Anthropic’s Nicholas Carlini.
Anthropic have a 5 minute talking heads video describing the Glasswing project. Nicholas Carlini appears as one of those talking heads, where he said (highlights mine):
It has the ability to chain together vulnerabilities. So what this means is you find two vulnerabilities, either of which doesn’t really get you very much independently. But this model is able to create exploits out of three, four, or sometimes five vulnerabilities that in sequence give you some kind of very sophisticated end outcome. [...]
I’ve found more bugs in the last couple of weeks than I found in the rest of my life combined. We’ve used the model to scan a bunch of open source code, and the thing that we went for first was operating systems, because this is the code that underlies the entire internet infrastructure. For OpenBSD, we found a bug that’s been present for 27 years, where I can send a couple of pieces of data to any OpenBSD server and crash it. On Linux, we found a number of vulnerabilities where as a user with no permissions, I can elevate myself to the administrator by just running some binary on my machine. For each of these bugs, we told the maintainers who actually run the software about them, and they went and fixed them and have deployed the patches patches so that anyone who runs the software is no longer vulnerable to these attacks.
I found this on the OpenBSD 7.8 errata page:
025: RELIABILITY FIX: March 25, 2026 All architectures
TCP packets with invalid SACK options could crash the kernel.
I tracked that change down in the GitHub mirror of the OpenBSD CVS repo (apparently they still use CVS!) and found it using git blame:
Sure enough, the surrounding code is from 27 years ago.
I’m not sure which Linux vulnerability Nicholas was describing, but it may have been this NFS one recently covered by Michael Lynch .
There’s enough smoke here that I believe there’s a fire. It’s not surprising to find vulnerabilities in decades-old software, especially given that they’re mostly written in C, but what’s new is that coding agents run by the latest frontier LLMs are proving tirelessly capable at digging up these issues.
I actually thought to myself on Friday that this sounded like an industry-wide reckoning in the making, and that it might warrant a huge investment of time and money to get ahead of the inevitable barrage of vulnerabilities. Project Glasswing incorporates “$100M in usage credits ... as well as $4M in direct donations to open-source security organizations”. Partners include AWS, Apple, Microsoft, Google, and the Linux Foundation. It would be great to see OpenAI involved as well—GPT-5.4 already has a strong reputation for finding security vulnerabilities and they have stronger models on the near horizon.
The bad news for those of us who are not trusted partners is this:
We do not plan to make Claude Mythos Preview generally available, but our eventual goal is to enable our users to safely deploy Mythos-class models at scale—for cybersecurity purposes, but also for the myriad other benefits that such highly capable models will bring. To do so, we need to make progress in developing cybersecurity (and other) safeguards that detect and block the model’s most dangerous outputs. We plan to launch new safeguards with an upcoming Claude Opus model, allowing us to improve and refine them with a model that does not pose the same level of risk as Mythos Preview.
I can live with that. I think the security risks really are credible here, and having extra time for trusted teams to get ahead of them is a reasonable trade-off.

Facts Only

Anthropic launched Project Glasswing on April 7, 2026, restricting access to Claude Mythos Preview.
Claude Mythos is a general-purpose AI model with advanced cybersecurity research capabilities.
Mythos Preview has identified thousands of high-severity vulnerabilities in major operating systems and web browsers.
Partners in Project Glasswing include AWS, Apple, Microsoft, Google, and the Linux Foundation.
Mythos Preview autonomously developed exploits, including a web browser exploit chaining four vulnerabilities and a FreeBSD NFS server remote code execution exploit.
Internal evaluations showed Claude 4.6 Opus had a near-0% success rate in autonomous exploit development, while Mythos Preview succeeded 181 times in the same benchmark.
OpenBSD patched a 27-year-old TCP vulnerability (errata 025) discovered with Mythos Preview.
Linux kernel maintainer Greg Kroah-Hartman noted a shift from low-quality AI-generated security reports to credible, high-quality reports.
Daniel Stenberg of curl reported a surge in high-quality AI-generated security reports.
Anthropic has allocated $100M in usage credits and $4M in direct donations to open-source security organizations.
Anthropic does not plan to make Claude Mythos Preview generally available, citing the need to develop safeguards.
Future Claude Opus models will include new safeguards before broader deployment of Mythos-class capabilities.

Executive Summary

Anthropic has announced Project Glasswing, a restricted preview program for its latest AI model, Claude Mythos, which demonstrates advanced cybersecurity research capabilities. Unlike previous models, Mythos has autonomously discovered and exploited high-severity vulnerabilities in major operating systems and web browsers, including chaining multiple vulnerabilities to achieve sophisticated attacks. Anthropic is limiting access to trusted partners—including AWS, Apple, Microsoft, Google, and the Linux Foundation—to allow the software industry time to prepare for these capabilities. The model has already identified long-standing bugs, such as a 27-year-old vulnerability in OpenBSD and privilege escalation flaws in Linux. While Anthropic plans to eventually deploy Mythos-class models safely, it currently restricts general access to develop safeguards against dangerous outputs. Security professionals, including Linux kernel maintainers and open-source project leaders, confirm a recent surge in high-quality AI-generated vulnerability reports, marking a shift from low-quality "AI slop" to credible threats. The initiative includes $100M in usage credits and $4M in donations to open-source security organizations, signaling a coordinated effort to address the impending wave of AI-driven security risks.
The situation reflects growing concerns about the dual-use nature of advanced AI, where rapid progress in vulnerability research could outpace defensive measures. While the restrictions aim to mitigate risks, they also highlight the challenges of balancing innovation with security in an era where AI capabilities are proliferating beyond controlled environments.

Full Take

The strongest version of this narrative is that Anthropic is acting responsibly by restricting access to a model with unprecedented offensive cybersecurity capabilities, giving the industry time to fortify defenses. The evidence—such as Mythos Preview’s ability to chain vulnerabilities and discover decades-old bugs—supports the claim that AI-driven vulnerability research has reached an inflection point. The inclusion of major tech firms and open-source organizations as partners lends credibility to the initiative, and the financial commitments suggest a serious effort to mitigate risks. Security professionals’ testimonies about the sudden influx of high-quality AI-generated reports further validate the urgency.
However, the narrative also carries subtle patterns of emotional exploitation (ARC-0012 Fear Appeals) and authority games (ARC-0031 Borrowed Credibility). The framing of Mythos as "too dangerous to release" could amplify fear, while the reliance on testimonials from prominent figures like Greg Kroah-Hartman and Daniel Stenberg may serve to preempt skepticism. The lack of independent verification of Mythos’ capabilities—beyond Anthropic’s internal evaluations—leaves room for questioning whether the restrictions are purely about safety or also about competitive advantage.
Root cause: This reflects a broader paradigm shift where AI’s dual-use potential forces a reckoning between innovation and control. The unstated assumption is that centralized oversight by a few trusted actors can effectively manage risks, but history shows that such restrictions often fail to prevent proliferation. The implications for human agency are significant—while security researchers gain powerful tools, the concentration of access in corporate hands could marginalize independent actors. Second-order consequences may include an arms race in AI-driven cybersecurity, where offensive and defensive capabilities escalate in tandem.
Bridge questions: How might smaller organizations or independent researchers verify these claims without access to Mythos? What safeguards would make broader deployment of such models acceptable, and who gets to define them? If AI-driven vulnerability discovery becomes ubiquitous, how will the open-source community adapt to the flood of reports?
Counterstrike scan: A bad actor pushing this narrative might exaggerate the dangers to justify exclusive control over AI tools, framing restrictions as altruistic while consolidating power. However, the actual content aligns more with a genuine security concern than a coordinated influence campaign. The transparency about vulnerabilities (e.g., OpenBSD’s 27-year-old bug) and the inclusion of third-party testimonials suggest good faith, though the lack of independent audits remains a gap.

Sentinel — Human

Confidence

The article reads as a well-researched, human-authored analysis leveraging expert quotes to build an argument about the implications of AI in cybersecurity, rather than purely synthetic content.

Signals Detected
low severity: Erratic sentence length variance and technical density, typical of deep-dive technical journalism.
low severity: Strong, idiosyncratic emphasis driven by the specific technical examples and expert quotes, not generalized balance.
low severity: Direct, specific attribution of complex technical details (e.g., OpenBSD errata page, git blame) and incorporation of named expert quotes.
low severity: Claims are anchored by specific, highly technical details and references, which are difficult to fabricate convincingly without deep domain knowledge.
Human Indicators
The embedding of highly specific, verifiable technical details (e.g., specific kernel version fixes, ROP chain details) strongly suggests human domain expertise.
The synthesis of multiple, disparate expert opinions (Kroah-Hartman, Stenberg, Carlini) woven into the narrative indicates a human editorial process building an argument, rather than pure LLM generation.