Anthropic’s Project Glasswing is a watershed moment for AI security. The organizations that treat it as someone else’s news will be the ones most exposed when the capability proliferates.
Anthropic, the company behind Claude, just did something no frontier AI lab has done before: they paused the release of their most powerful model because of what it could do to cybersecurity.
Claude Mythos Preview, a general-purpose AI trained for coding and reasoning, started finding zero-day vulnerabilities autonomously. Not in contrived test environments, but in production code running on every major operating system, browser, and open source library that enterprises depend on.
A flaw in OpenBSD, the most security-hardened OS on the planet, sat undiscovered for 27 years. Mythos found it. Separately, a 16-year-old vulnerability in an FFmpeg codec had survived five million automated test runs on that code path without detection. Mythos found that too.
It chained kernel vulnerabilities on Linux from user to root, fully autonomous, no human in the loop. And Anthropic’s team confirmed that none of these capabilities were explicitly trained. They emerged as a side effect of general improvements in code and reasoning.
The economics of vulnerability discovery just shifted
For four decades, cybersecurity operated on an unspoken assumption: finding exploitable vulnerabilities is expensive. You needed rare human expertise, months of reverse engineering, and deep domain knowledge. That scarcity was itself a security layer. The most dangerous flaws survived not because they were hidden, but because the cost of discovering them was prohibitively high.
Mythos Preview changed those economics between one model generation and the next. Anthropic’s previous frontier model, Opus 4.6, had a near-zero success rate at autonomous exploit development. On a benchmark using Firefox’s JavaScript engine, Opus 4.6 turned discovered vulnerabilities into working exploits twice out of several hundred attempts. Mythos Preview succeeded 181 times on the same benchmark, with an additional 29 instances of achieving register control.
A jump from 2 to 181, between consecutive model generations, is not incremental improvement. It is a phase change.
What makes this significant is that Anthropic did not set out to build an offensive security tool. The same training that makes the model better at writing patches also makes it better at writing exploits. That should concern every security leader, because it means every AI lab improving their general-purpose models is potentially on the same trajectory.
The proliferation risk is not limited to Mythos Preview leaking. It is about the next five models from five different labs arriving at the same capability independently, because the path runs through general intelligence, not specialized offensive training.
The economics of exploitation collapsed alongside discovery. Mythos Preview fully autonomously found and exploited a 17-year-old remote code execution vulnerability in FreeBSD (CVE-2026-4747), constructing a 20-gadget ROP chain split across multiple packets that granted root access to unauthenticated users. That used to represent weeks of work from an elite human researcher. Mythos Preview did it in hours.
Linux kernel privilege escalation chains, where the model independently identified and chained together three to four separate vulnerabilities, cost under $2,000 each at API pricing. Finding vulnerabilities is now cheap. Weaponizing them is too.
That combination of collapsing discovery costs and collapsing exploitation costs is what prompted Anthropic to pause. They recognized that in the wrong hands, this capability could cause severe damage to critical infrastructure. So rather than shipping the model and disclosing later, they built a defensive coalition first.
What Anthropic actually did, and why it matters
Project Glasswing is Anthropic’s response: a coordinated effort to give defenders a head start before this capability proliferates. Twelve organizations joined the coalition: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The presence of JPMorganChase signals that the financial services sector is treating this as immediate and material.
Anthropic committed $100M in model credits for defensive security research, donated $4M to open source security organizations ($2.5M to Alpha-Omega and OpenSSF through the Linux Foundation, $1.5M to the Apache Software Foundation), and gave 40+ organizations early access to scan critical infrastructure.
The coalition is a meaningful step. It buys time. The announcement itself is a starting gun. But two realities deserve clear-eyed acknowledgment.
First, Anthropic wrote that “it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely.” Every state actor and sophisticated threat group now knows this capability is real, demonstrated, and achievable. In our assessment, the proliferation timeline is months, not years.
Second, coalitions don’t patch your environment. The vulnerabilities Mythos found are in the open source libraries your business runs on. They’re in the operating systems your endpoints use. No 12-company consortium fixes that for you. The defensive work still happens inside your organization, with your team, against your attack surface.
The math got worse
Security has always faced a structural asymmetry: attackers need to find one vulnerability, defenders need to find all of them. That asymmetry existed when both sides operated at human speed. When both sides can scan at machine speed, the imbalance gets dramatically worse.
An attacker with access to a model like Mythos Preview can scan a target codebase and find an exploitable flaw in hours. A defender needs to scan every codebase, every dependency, every update, continuously, and respond to every finding. The window between “defenders have this capability” and “everyone has it” is the only thing that determines outcomes.
Anthropic acknowledged as much. They wrote that they “see no reason to think that Mythos Preview is where language models’ cybersecurity capabilities will plateau” and that the “transitional period may be tumultuous.” Enterprise security teams now operate in that environment. The question is whether your organization’s AI governance posture is built for it.
Governance frameworks exist. Operationalization is just beginning.
The industry has published actionable frameworks for this moment. OWASP’s LLM Top 10 maps the attack surface for LLM applications: prompt injection, data poisoning, supply chain risks. For organizations deploying agent architectures, the OWASP Top 10 for Agentic Applications, released December 2025, covers the distinct risks that autonomous AI systems introduce: Agent Goal Hijack, Tool Misuse, Cascading Failures, and Rogue Agents. NIST’s AI Risk Management Framework provides governance structure. MITRE ATLAS maps AI adversary tactics the same way ATT&CK maps traditional threats.
Separately, the Artificial Intelligence Underwriting Company’s AIUC-1 standard is emerging as a benchmark for AI agent security, safety, and reliability.
These frameworks are published and actionable. The problem is not a lack of guidance. The problem is that most enterprises are still in the early stages of operationalizing them.
For most organizations, AI governance remains a planning exercise. Policies exist in documents. Risk assessments happen quarterly. Visibility into what AI tools employees actually use is partial at best. The gap between “we have a policy” and “we enforce it at runtime, across every AI interaction, with full audit trails” is where the real exposure sits.
AI security is no longer optional
Mythos Preview didn’t confine itself to one attack surface. It moved across operating systems, browsers, open source libraries, developer toolchains, and cryptography implementations simultaneously. It found authentication bypasses in web applications and certificate forgery paths in TLS libraries. It chained kernel vulnerabilities with KASLR bypasses and heap sprays to escalate from unprivileged user to root.
The attack surface was everything, all at once. Glasswing validates that assessment. When a model can exploit vulnerabilities across every software surface your business runs on, the governance gap becomes an operational risk that boards, regulators, and insurers will increasingly demand answers for.
The EU AI Act, DORA, and emerging U.S. state-level AI legislation already require demonstrable governance. Gartner’s October 2025 research identifies AI discovery, visibility, and usage control as the number one immediate buyer need for organizations building AI security programs (Gartner, “Win the AI Security Battle with an AI Security Platform,” October 2025).
The question is no longer whether organizations need runtime governance for AI interactions. It is whether they can build it before the window closes.
The real risk is inaction disguised as caution
The most likely outcome of Project Glasswing for most enterprise security teams is this: they will read the coverage, acknowledge the severity, and wait. They will watch the coalition’s 90-day report. They will add “AI governance” to next quarter’s planning cycle. They will treat the coalition as someone else’s problem.
That default response is the actual danger.
The vulnerabilities Mythos found exist in your environment today. The frameworks to address the risk are published. Here is what security teams can do this week:
1. Inventory AI tool usage beyond the browser. Most organizations can see AI usage in browser-based tools, but Gartner’s research indicates that AI discovery across native applications, IDEs, coding assistants, and agent architectures is the foundational capability security teams need first. You cannot govern what you cannot see.
2. Map your environment against OWASP’s frameworks. Run both the LLM Top 10 and the Agentic Applications Top 10 against your current AI deployments. Identify which risk categories you have controls for and which you don’t. The gap analysis is the starting point for your governance investment.
3. Establish governance and security for all AI interactions across employees, models, applications and agents. Logging AI interactions after the fact is Level 1 maturity. Gartner found organizations with AI governance platforms were 3.4 times more likely to achieve high AI effectiveness. The shift from detective to preventive controls, where policy enforcement happens before data leaves your environment, is what separates organizations that can scale AI from those stuck in perpetual piloting.
4. Extend governance to agent architectures. Agents chain dozens of autonomous steps, calling tools, accessing data, and taking actions without human oversight. Each step is an opportunity for data to leave through a path nobody reviewed. Most organizations cannot answer three basic questions about their agents: Which tools can this agent call? What data can it access? Who approved that scope? If you can’t answer those, your risk committee won’t approve agent deployments regardless of the productivity case.
The capability to find and exploit vulnerabilities at machine scale has been demonstrated. The proliferation timeline is short. The only variable is whether your organization operationalizes the existing frameworks before the window closes.
Read the full Anthropic Glasswing announcement and the Mythos Preview technical report. Then run the four steps above with your security team.
Want to learn how WitnessAI can help? Schedule a demo with an AI security expert today.