Anthropic, Apple, Google, Microsoft, NVIDIA, and a dozen other tech and finance giants just announced something called Project Glasswing. It’s a defensive cybersecurity initiative built around a new, unreleased AI model called Claude Mythos Preview. And if the claims hold up, this is one of the more serious attempts I’ve seen to get ahead of the AI-powered attack wave that’s clearly coming.
The blunt truth that kicked this off: Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and every major web browser. Not a few. Every. That’s a statement that would have sounded like science fiction two years ago. Now it’s a press release.
Anthropic isn’t being shy about what this means. They say Mythos Preview can surpass all but the most skilled humans at finding and exploiting software flaws. Given the rate of progress in AI coding capabilities, they’re worried—and I think rightly—that these skills will proliferate beyond responsible actors. The fallout for economies, public safety, and national security could be severe. So they’re trying to use the same capability defensively, before it becomes a widespread offensive tool.
Here’s how it works. The launch partners—Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks—will use Mythos Preview in their own security work. Anthropic is also extending access to over 40 other organizations that build or maintain critical software infrastructure, including open-source projects. They’re committing up to $100 million in usage credits for Mythos Preview across these efforts, plus $4 million in direct donations to open-source security organizations. That’s real money, not just a press release promise.
The vulnerabilities Mythos Preview has found are not trivial. Some have survived decades of human review and millions of automated security tests. That’s the kind of stat that should make any CISO sit up straight. The exploits it develops are increasingly sophisticated. Ten years after DARPA’s first Cyber Grand Challenge, frontier AI models are now competitive with the best humans at this work.
Now, I’ve been around long enough to be skeptical of grand cybersecurity alliances. They often produce more press releases than patches. But this one feels different for a few reasons. First, the model is already working—they’ve got the vulnerabilities to show for it. Second, the list of partners is genuinely impressive and includes the companies that actually run the internet’s infrastructure. Third, the open-source angle is smart. The Linux Foundation being at the table means this isn’t just about proprietary code. It’s about the libraries and frameworks that everyone depends on.
The broader context here is that software has always had bugs. Banking systems, medical records, power grids, logistics networks—all of it is riddled with flaws that have gone unnoticed for years because finding and exploiting them required rare expertise. AI changes that calculus dramatically. The cost, effort, and skill required to find and exploit vulnerabilities have all dropped. Cyberattacks could become much more frequent and destructive. State-sponsored actors from China, Iran, North Korea, and Russia are already active. This is not a hypothetical future threat; it’s happening now.
What I appreciate about this announcement is that it doesn’t pretend AI is a silver bullet. Project Glasswing is a starting point. No one organization can solve these problems alone. Frontier AI developers, software companies, security researchers, open-source maintainers, and governments all have roles to play. The work might take years, but frontier AI capabilities are likely to advance substantially over just the next few months. So they’re acting now.
The same capabilities that make AI models dangerous in the wrong hands make them invaluable for finding and fixing flaws. Project Glasswing is an attempt to give defenders a durable advantage. Whether it works depends on execution, but at least the direction is right. And that’s more than most cybersecurity initiatives can say.
Comments (0)
Login Log in to comment.
Be the first to comment!