Anthropic Launches Project Glasswing, Expanding Use of AI to Discover Vulnerabilities at Scale
Initiative brings together AWS, Apple, Microsoft, Google, CrowdStrike, and Palo Alto Networks in a coalition that uses the Claude Mythos Preview model to map flaws in critical software.
Executive Summary
Context
Anthropic announced the launch of Project Glasswing in early May 2026, a programme that provides a select group of companies with access to the Claude Mythos Preview model, described by the company itself as a cutting-edge model not yet commercially launched. The programme's focus is on leveraging Mythos's code reasoning capabilities to identify and remediate critical vulnerabilities in widely used software.
In internal testing conducted by Anthropic and initial participants, the model found thousands of zero-day vulnerabilities across all major operating systems and browsers, as detailed by The Hacker News based on an official statement from Anthropic.
The coalition includes AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and Palo Alto Networks, along with approximately 40 other organisations that received access to the programme. Anthropic has committed US$100 million in model usage credits to support this effort.
The Data
The scale of the discoveries signals a new level of AI capability applied to offensive and defensive security. Among the findings documented by Anthropic is a 27-year-old vulnerability in OpenBSD, an operating system regarded as a benchmark for secure-by-default architecture, maintained with continuous manual review and millions of automated tests.
Anthropic did not disclose a complete list of the discovered CVEs, citing a coordinated disclosure process with manufacturers. The remediation timeline was not made public.
Research from Arctic Wolf, a partner in the programme, describes the initiative as a turning point in the balance between attackers and defenders, given that historically offensive actors have been the first to operationalise generative AI capabilities.
Sector Impact
The announcement reorganises the strategic discussion about AI applied to cybersecurity across three fronts. First, it raises the ceiling of defensive capability available to companies with access to frontier models, creating potential asymmetry relative to organisations that rely solely on traditional commodity tools such as SAST and DAST.
Second, it anticipates the commercial availability of these capabilities. Anthropic positions Mythos as a preview, suggesting that the model, or versions derived from it, will reach commercial availability within a 12- to 18-month horizon. For Brazilian CTOs, this means that vendor evaluation cycles for AppSec platforms should include, starting in the second half of 2026, native detection capabilities built on frontier generative AI models.
Third, it intensifies the dual-use dilemma. The same capabilities that benefit defenders are available, with lower latency, to attackers with the resources to access equivalent APIs from less restrictive providers. The window between discovery and global patching is likely to compress, necessitating operational maturity in patch management.
For the Brazilian market, the immediate implication falls on MSSPs, local software manufacturers, and integrators that maintain significant portions of the infrastructure under support. Quarterly patching contracts, still common in Brazil, may become inadequate for the new pace of vulnerability discovery.
Risks and Opportunities
The most concrete risk is one of competitive asymmetry. Companies with direct access to Claude Mythos or equivalent models from OpenAI, Google, and Meta are likely to operate with a different level of visibility over their own code and infrastructure. Brazilian consultancies that depend on international vendor chains need to map which clients already have access and which do not.
The opportunity lies in building AI-assisted security review practices as a unique offering. Companies that establish internal code review pipelines with frontier models, even without access to the Glasswing programme, can offer automated auditing as a premium service.
There is also an open regulatory and legal risk: the use of generative AI for analysing third-party code without explicit consent from the owner may clash with contractual clauses and the LGPD when the code handles personal data. Legal opinions on the scope of use should precede any large-scale adoption.
What Leaders Should Watch For
1. Monitoring the disclosure queue: Patches related to findings from Mythos will arrive in a staggered manner over the coming quarters. Increase the cadence of reviewing patch notes from Microsoft, Apple, Linux upstreams, and major browsers.
2. AppSec vendor evaluation: Include, in RFP cycles for 2026, an explicit requirement regarding the use of frontier AI models in the detection pipeline. Request reproducible evidence of capability.
3. Internal policy on AI use for code review: Define, in conjunction with legal and security teams, which codebases can be submitted to external models and under which contractual clauses with vendors.