Field Note: Claude Mythos, Glasswing, Worth Paying Attention To
You might have seen some of the recent noise around Claude Mythos (Preview) and something called Project Glasswing.
At a glance, it sounds familiar. A company says: “We’ve built something so powerful… we can’t release it yet.” We’ve seen versions of that before. It also carries a little bit of a Year 2000 problem (Y2K) vibe:
- Big systemic claims
- Broad impact
- Fast-moving narrative
- Financial hook
And if you’ve been around technology long enough, there’s a natural reaction: sometimes scarcity is part of the story. Saying “we can’t release this yet” can create as much attention as releasing it would. Add in regulatory pressure and increasing government scrutiny of AI, and it’s reasonable to ask: are we right to be slightly sceptical?
For me: yes, always. But in this case, that alone doesn’t seem to explain what’s happening.
What’s actually being claimed
Anthropic isn’t just saying their new Mythos model is powerful. They’re making a much more specific claim:
- The model can identify vulnerabilities across real-world systems
- It can chain them into working exploits
- And it can propose fixes
Importantly, this capability wasn’t the primary goal. The model was designed to be better at reasoning and coding. The side effect is that it has emerged as what could be the world’s best cyber attack (and defence) tool, potentially by an order of magnitude.
Quote from Anthropic: In one case, we turned the PoC into a cross-origin bypass that would allow an attacker from one domain (e.g., the attacker’s evil domain) to read data from another domain (e.g., the victim’s bank). In another case, we chained this exploit with a sandbox escape and a local privilege escalation exploit to create a webpage that, when visited by any unsuspecting victim, gives the attacker the ability to write directly to the operating system kernel.
The number that stands out
Anthropic has indicated that the model has already identified thousands of zero-day vulnerabilities. This is across:
- Operating systems
- Browsers
- Widely used software
Quote from Anthropic: During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect. Many of them are ten or twenty years old, with the oldest we have found so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security.
Those are significant statements. Not just because of the number, but because of the surface area: this is core infrastructure most people depend on every day.
Why this matters (if even partially true)
If that level of vulnerability exists and is discoverable at speed, the implications are not small. It’s not just a few bugs that need patching.
It could mean:
- Large-scale patch cycles across platforms
- Changes to how certain features work
- Or even removal of behaviours that are fundamentally insecure
In other words, some systems may not just need fixing; they may need changing. And if those weaknesses are exploited before they are fixed, the impact on the everyday systems people rely on would be real.
Why Glasswing exists
Given that, Anthropic has taken a different path. Instead of releasing the model, they’ve created Project Glasswing. At a practical level, Glasswing is:
- A restricted-access collaboration
- Involving major technology and infrastructure companies
- Using the model to:
  - Find vulnerabilities
  - Notify affected organisations
  - Allow time for patching
So the model is being used defensively, ahead of any broader release.
An unusual (but not unprecedented) move
This kind of behaviour isn’t completely new. There have been moments where:
- Vulnerabilities are found privately
- Vendors are notified
- Patches are coordinated before disclosure
That’s standard responsible disclosure. What’s different here is the scale and source:
- The vulnerabilities are being found by a general-purpose AI model
- The volume appears to be orders of magnitude higher
- And the coordination is happening across multiple large organisations at once
So while the pattern exists, the way it’s being applied here is unusual.
The underlying dynamic
There’s a simple reason this approach exists: the model can find weaknesses faster than organisations can respond to them. Once a capability like that is widely available, it won’t just be used by defenders.
So the sequence becomes: find > notify > patch > then consider exposure. Rather than release > discover > react.
A small but important observation
If you look at the organisations involved:
- Anthropic
- Major technology partners (AWS, Microsoft, Apple...)
- Infrastructure providers (NVIDIA, Palo Alto Networks, Cisco...)
They are predominantly US-based. There’s no strong conclusion to draw from that on its own. But it’s worth noting that this kind of capability, and its early use, is geographically concentrated.
In a world where cybersecurity already has geopolitical dimensions, that’s something to keep an eye on.
So how should you read this?
I'm not jumping to either fully accepting or dismissing the claims. I'm taking what I think is a more useful stance: hold a bit of scepticism, but pay (close) attention anyway. This is because:
- The claims are specific
- The actions being taken are real and coordinated
- And the potential impact, if true, is meaningful
I mean, it's not every day that the CEOs of the major US banks get summoned to Washington so the Treasury Secretary and the Fed Chair can brief them on potential cybersecurity risks posed, and proactively flagged, by a major AI company.
A simple takeaway
Even if this doesn’t fully play out as described, this is one of those moments worth understanding. It suggests a shift toward:
- Discovering problems earlier
- Fixing them before exposure
- And, in some cases, holding back capability until systems catch up