
Project Glasswing: What Happens When AI Can Find and Exploit Vulnerabilities Faster Than You Can Patch

On April 8, 2026, Anthropic announced something that should change how every security practitioner thinks about vulnerability management: a frontier AI model that found thousands of zero-day vulnerabilities, many of them critical, across every major operating system and every major web browser. The model did this largely without human direction.

The initiative, called Project Glasswing, pairs Claude Mythos Preview with a coalition of 12 launch partners, including AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and Palo Alto Networks, plus over 40 additional organizations that build or maintain critical software. Anthropic is committing $100 million in usage credits and $4 million in direct donations to open-source security organizations.

This isn’t a research paper or a benchmark result. It’s a coordinated industry response to a capability that Anthropic considers too dangerous to release publicly, and too important to keep locked away.

What Claude Mythos Preview Actually Did

The technical details matter here, because they separate this from the usual AI marketing cycle.

Anthropic’s Frontier Red Team ran Mythos Preview against real codebases using a straightforward scaffold: launch an isolated container, point Claude Code with Mythos Preview at the source code, and prompt it to find vulnerabilities. No specialized cybersecurity training went into building the model. The offensive capabilities emerged from general improvements in code understanding, reasoning, and agentic autonomy.

Three findings stand out:

A 27-year-old OpenBSD vulnerability. OpenBSD is widely regarded as one of the most security-hardened operating systems in existence. Mythos Preview found a flaw in its TCP SACK handling that allowed an attacker to remotely crash any machine running the OS just by connecting to it. That bug had survived nearly three decades of manual code review and automated testing.

A 16-year-old FFmpeg vulnerability. FFmpeg is embedded in a staggering number of applications for video encoding and decoding. Automated fuzzing tools had hit the vulnerable line of code five million times without catching the problem. Mythos Preview found it.

Linux kernel privilege escalation. The model autonomously discovered and chained together multiple vulnerabilities in the Linux kernel, exploiting subtle race conditions and KASLR bypasses to escalate from ordinary user access to complete control of the machine.

Over 99% of the vulnerabilities Mythos Preview has identified haven’t been patched yet. Anthropic is publishing cryptographic hashes of the findings now and will disclose full details after patches are in place, consistent with their coordinated vulnerability disclosure process.
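How a reader can later check a disclosed report against a digest that was published in advance, as an added example that is not Anthropic's code or format. The page does not say which hash or encoding is used, so HMAC-SHA-256 keyed with a private random nonce, the function names `commit`, `verify` and `audit`, and the placeholder reports are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 32  # assumption: fixed-length random nonce, kept private until disclosure


def commit(report: bytes, nonce: Optional[bytes] = None) -> tuple:
    """At discovery time: return (digest to publish, nonce to keep private)."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly NONCE_LEN bytes")
    # Keying the hash with the nonce hides even a short, guessable report,
    # while still binding the publisher to the report's exact bytes.
    return hmac.new(nonce, report, hashlib.sha256).hexdigest(), nonce


def verify(published: str, report: bytes, nonce: bytes) -> bool:
    """At disclosure time: does the revealed (report, nonce) match the digest?"""
    if len(nonce) != NONCE_LEN:
        return False
    recomputed = hmac.new(nonce, report, hashlib.sha256).hexdigest()
    return hmac.compare_digest(recomputed, published.strip().lower())


def audit(manifest: set, disclosures: list) -> dict:
    """Check each disclosed (report, nonce) pair against the published digests."""
    result = {"verified": [], "unmatched": [], "still_sealed": []}
    opened = set()
    for report, nonce in disclosures:
        hit = next((d for d in manifest if verify(d, report, nonce)), None)
        if hit:
            opened.add(hit)
            result["verified"].append(hit)
        else:
            result["unmatched"].append(report)  # altered after commitment, or never committed
    result["still_sealed"] = sorted(manifest - opened)
    return result


# Constructed sample data: placeholder reports, not real findings.
R1 = b"finding-0001: placeholder write-up, component A"
R2 = b"finding-0002: placeholder write-up, component B"
D1, N1 = commit(R1)
D2, N2 = commit(R2)
MANIFEST = {D1, D2}
```

A report that was edited after its digest was published lands in `unmatched`, and its original digest stays in `still_sealed`, which is the property that makes the advance publication meaningful.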

The Benchmark Gap

Anthropic’s own internal benchmarks tell the capability story clearly.

On the CyberGym vulnerability reproduction benchmark, Mythos Preview scored 83.1% compared to Claude Opus 4.6 at 66.6%. That sounds incremental until you look at what it means in practice.

When Anthropic previously tested Opus 4.6 against Firefox’s JavaScript engine vulnerabilities, the model developed working exploits only twice out of several hundred attempts. Mythos Preview, running the same experiment, produced working exploits 181 times and achieved register control on 29 more.

Against roughly 7,000 entry points across a thousand open-source repositories from the OSS-Fuzz corpus, Opus 4.6 and Sonnet 4.6 reached basic crash conditions around 150 to 175 times each, but achieved only a single crash at higher severity tiers. Mythos Preview achieved 595 crashes at the lower tiers and delivered full control flow hijack on ten separate, fully patched targets.

This isn’t a model that finds more of the same bugs faster. It finds classes of bugs that previous models couldn’t reach, and it chains them together into working exploits autonomously.

Why This Isn’t Being Released Publicly

Anthropic made a deliberate decision not to release Mythos Preview as a generally available product. That decision is worth examining because it reflects a tension that every organization using AI tools for security will eventually face.

The model’s offensive and defensive capabilities are inseparable. The reasoning that lets it trace a subtle race condition through kernel code and construct a privilege escalation exploit is the same reasoning that lets it identify the flaw and recommend a patch. You can’t have one without the other.

Anthropic’s approach is to give defenders a head start. Project Glasswing partners get access now. The broader ecosystem benefits as vulnerabilities are reported and patched. Anthropic plans to develop new safeguards with an upcoming Claude Opus model and eventually launch a Cyber Verification Program for security professionals whose legitimate work is affected by those safeguards.

Alex Stamos, former head of security at Facebook and Yahoo and now CPO at cybersecurity firm Corridor, estimated roughly six months before open-weight models catch up to foundation models in bug-finding capability. At that point, the cost of discovering and weaponizing vulnerabilities drops to near zero for any motivated attacker, including ransomware operators.

That six-month window is the core operational reality for defenders. Not a theoretical risk horizon. A planning timeline.

Implications for Vulnerability Management Programs

If you’re running a vulnerability management program in 2026, the ground just shifted under you. A few specifics:

Patching windows are compressing further. CrowdStrike CTO Elia Zaitsev put it directly: the window between discovery and exploitation has collapsed, from months down to minutes with AI. The traditional cadence of monthly patch cycles, quarterly vulnerability scans, and annual penetration tests was already under pressure. AI-accelerated discovery and exploitation makes that cadence inadequate for critical assets.

The economics of offensive research just changed. Mythos Preview found bugs that survived decades of human review and millions of automated tests. It did so with a simple prompt and no specialized training. When that capability proliferates to open-weight models, the barrier to entry for sophisticated exploit development drops dramatically. Ransomware operators, nation-state actors, and criminal organizations won’t need to employ skilled reverse engineers. They’ll need compute.

Scope and asset inventory matter more than ever. You can’t patch what you don’t know about. The organizations that Glasswing partners are scanning include some of the most well-resourced security teams in the world. If Mythos Preview is finding 27-year-old bugs in OpenBSD and chained kernel exploits in Linux, every organization should be asking hard questions about what’s sitting in their own unscanned codebases, third-party dependencies, and inherited infrastructure.

The PCI DSS Connection

For organizations in PCI DSS scope, several v4.0.1 requirements take on new weight in this context.

Requirement 6.3.1 calls for identifying security vulnerabilities using reputable sources and assigning risk rankings. When AI models can surface zero-days faster than NVD or vendor advisories can catalog them, the definition of “reputable sources” needs to expand to include AI-augmented discovery outputs, both from your own tooling and from coordinated disclosure programs like Glasswing.

Requirement 11.3 on penetration testing now exists in a world where the gap between automated scanning and manual penetration testing is narrowing rapidly. Organizations should be evaluating whether their current testing methodologies account for AI-augmented attack techniques, including vulnerability chaining, which is exactly what Mythos Preview demonstrated against the Linux kernel.

Requirement 6.2.4 on software engineering techniques for preventing vulnerabilities gains urgency when AI can find flaws that passed every prior review. Development teams building or maintaining payment applications should be evaluating AI-assisted code review as a supplement to, not a replacement for, existing SDLC controls.

The Bigger Picture

Anthropic’s Frontier Red Team researcher Nicholas Carlini said he found more bugs in the last couple of weeks than in the rest of his life combined. That’s the statement of someone who has been doing this work professionally for years.

The model found a bug in OpenBSD that had been there since 1999. It found a flaw in FFmpeg that five million fuzzer runs missed. It chained kernel vulnerabilities into full privilege escalation without human guidance.

And this is the preview model. The one Anthropic considers too capable to release. The one they built an industry coalition to manage.

The question for practitioners isn’t whether AI-powered vulnerability discovery will change defensive security. It’s whether your organization will be ready when attackers have this capability too, and the honest assessment from the people closest to this technology is that you have about six months to prepare.

The organizations that treat this as a signal to accelerate patching programs, expand asset visibility, and integrate AI-augmented testing into their security operations will be better positioned. The ones waiting for the next compliance cycle won’t.

Project Glasswing is the industry’s attempt to buy time. What you do with that time is up to you.



Juan Carlos Munera
Author
Passionate about cybersecurity, governance, risk, and compliance. Sharing insights on security best practices, frameworks, and industry trends.
