
Claude Mythos Preview: The AI That Found Thousands of Zero-Days


On April 7, 2026, Anthropic announced something that has no real precedent in the history of software security: an AI model so capable at finding and exploiting vulnerabilities that the company decided not to release it to the public. Claude Mythos Preview had autonomously discovered thousands of zero-day vulnerabilities — previously unknown security flaws with no available patch — across every major operating system and every major web browser. Over 99% of those vulnerabilities remained unpatched at the moment of announcement. Rather than publishing the model, Anthropic launched Project Glasswing: a controlled program to put Mythos Preview’s capabilities to work on the defensive side of the equation, before attackers could get their hands on anything comparable.

The implications — for enterprise security, for AI policy, and for how we think about deploying frontier AI — are still unfolding, and the story sharpened further on April 20 when Foreign Policy published its analysis of how Mythos changes the “cyber calculus” for governments and large organizations.

Photo by Markus Spiske on Unsplash

What Claude Mythos Preview Found

The numbers are striking. Using Claude Mythos Preview over a period of a few weeks, Anthropic’s security team identified thousands of zero-day vulnerabilities in a target list that covered every major operating system — Windows, macOS, Linux, FreeBSD, OpenBSD — and every major web browser. The scope also included a range of widely deployed server software, foundational cryptographic libraries, and networking stacks.

What makes this different from conventional automated vulnerability scanning is the nature of the discoveries. Traditional scanners work by pattern-matching known vulnerability classes — buffer overflows in predictable locations, unsafe string handling, classic SQL injection signatures. Claude Mythos Preview does something qualitatively different: it reads and reasons about code the way a skilled human security researcher does, following logic paths, modeling attacker intent, and identifying combinations of conditions that produce dangerous outcomes.

The result is that Mythos found vulnerabilities that had survived decades of conventional security tooling, expert code review, and public bug-bounty programs.

The FreeBSD Vulnerability: Why Age Matters

The most striking individual example Anthropic disclosed is a 17-year-old remote code execution vulnerability in FreeBSD (CVE-2026-4747). The flaw allows an attacker who has no prior credentials or network foothold — someone sitting anywhere on the internet — to obtain complete control over an affected server. The vulnerability had existed since 2009, surviving two decades of FreeBSD security audits, major kernel refactors, and intense scrutiny from one of the most security-conscious open-source communities in existence.

Schneier on Security noted that Anthropic’s team also found a 27-year-old vulnerability in OpenBSD and a 16-year-old flaw in FFmpeg, the video processing library used by billions of applications and streaming services. These are not obscure legacy systems. OpenBSD powers many critical infrastructure environments precisely because of its historical security reputation. FFmpeg processes video in everything from social media platforms to medical imaging systems.

The age of these flaws matters for a specific reason: it demonstrates that Mythos Preview is not finding low-hanging fruit that previous tools missed due to inadequate scanning coverage. It is finding vulnerabilities that survived because human attention — however expert — is fundamentally limited in its ability to hold entire codebases in context simultaneously and reason about multi-step exploitation paths. A language model reasoning over millions of lines of code faces no such constraint.

The Vulnerability Chain: What AI Does That Scanners Can’t

The most conceptually important capability Anthropic described is what their team calls vulnerability chaining. Claude Mythos Preview doesn’t just find individual flaws — it identifies sequences of three, four, or five vulnerabilities that in combination produce outcomes that none of the individual flaws could achieve alone.

The typical structure of a chain looks something like this: an initial low-severity flaw provides minimal but non-zero access — perhaps the ability to read a configuration file that is normally protected. A second vulnerability converts that read access into write access in a constrained environment. A third flaw allows escape from that constrained environment into a broader system context. A fourth allows privilege escalation. The chain ends with full remote code execution from an unauthenticated starting position.

How AI Vulnerability Chaining Works

  • Step 1 — Initial Access: a low-severity flaw grants read access to a normally protected config file.
  • Step 2 — Write Escalation: a second flaw converts that read access into write access in a constrained environment.
  • Step 3 — Sandbox Escape: a third vulnerability breaks out of the constrained environment into a broader system context.
  • Step 4 — Privilege Escalation: a fourth flaw escalates user privileges toward administrator or root access.
  • Outcome — Remote Code Execution: full unauthenticated control over the target system from anywhere on the internet.

Composite chain built from individually low-severity flaws. Claude Mythos Preview identifies these sequences autonomously across millions of lines of code.

Each step in the chain might be individually rated as a low or medium CVSS score — the kind of flaw that rarely gets patched quickly because it doesn’t appear critical in isolation. The AI’s contribution is the ability to see that these individually minor flaws, in combination, form a path to complete system compromise. Human security researchers can discover these chains, but doing so typically takes weeks or months of deep expertise applied to a single codebase. Mythos Preview does it across entire ecosystems simultaneously.

Project Glasswing: Defending Before Attacking Becomes Possible

The core logic behind Project Glasswing is a race against time. Anthropic’s position is essentially this: a model that can break into almost anything exists now. It will not always be the only such model. As capability diffusion continues — through open-weight releases, through fine-tuned derivatives, through independent research — models with similar offensive cybersecurity capability will eventually reach adversarial actors. The question is whether defenders can patch the most critical vulnerabilities before that happens.

Project Glasswing is Anthropic’s operational answer. The initiative grants roughly 50 organizations early access to Claude Mythos Preview under controlled conditions, with the mandate to use it for defense: finding and fixing vulnerabilities in critical software before they can be weaponized. The partner list reads like a map of the world’s most critical software infrastructure:

  • Amazon Web Services — cloud infrastructure for a significant fraction of the world’s internet services
  • Apple — macOS, iOS, and the software supply chain for over 2 billion devices
  • Google — Chrome, Android, Google Cloud, and core internet infrastructure
  • Microsoft — Windows, Azure, and the world’s largest enterprise software estate
  • NVIDIA — GPU drivers and AI computing infrastructure
  • JPMorganChase — representing the financial sector’s critical systems

Anthropic is backing the initiative with $100 million in usage credits for the partner organizations and $4 million in direct donations to open-source security organizations. The open-source donation is significant: much of the world’s critical infrastructure runs on open-source software that has no dedicated budget for security research.

The Amazon component of Project Glasswing carries additional weight given this week’s news. Amazon confirmed a $25 billion additional investment in Anthropic — with Anthropic committing to spend over $100 billion on AWS infrastructure over the next decade. That deal positions AWS as the primary compute platform for Mythos’s continued development and makes Amazon a deeply aligned partner in the Glasswing defensive work.

What the Security Community Is Saying

The announcement has generated intense debate that divides roughly into three camps.

The responsible disclosure camp — led by Bruce Schneier, whose blog post called the Glasswing framework “exactly the kind of responsible disclosure that security researchers have long urged” — argues that Anthropic made the right call. Sitting on a model this capable while quietly patching vulnerabilities in private would be worse; disclosing publicly without patches would be catastrophic; the controlled Glasswing structure threads the needle.

Schneier does raise one significant concern: fifty organizations, however well-resourced, cannot substitute for the distributed expertise of the entire global research community. The Stanford AI Index 2026 documented the widening gap between AI capability and institutional capacity to respond — Glasswing feels like a direct, real-world consequence of that finding.

The skeptics point to research by Aisle, a security firm that has argued publicly that many of Mythos Preview’s published anecdotes can be replicated using smaller, cheaper, publicly available models. If that claim holds under scrutiny, the risk calculus changes significantly: Mythos may be a harbinger of what is already possible with today’s accessible models, not a unique capability threshold that justifies restricted access.

The policy hawks — writing in Foreign Policy and similar outlets — argue that the more important question is not what Anthropic does with Mythos, but what happens when a state actor builds its own equivalent. The U.S., the EU, China, and Russia all have substantial AI research programs. Glasswing secures some critical software, but it does not address the fundamental shift in the offensive-defensive balance that AI-powered vulnerability discovery creates at the nation-state level.

What This Means for Enterprise Security in 2026

For business leaders and CISOs, the Mythos/Glasswing announcement has several concrete implications that go beyond the immediate headline.

The patch lag problem just got worse. The security industry already struggles with the gap between vulnerability discovery and enterprise patch deployment. Most organizations patch critical vulnerabilities within 30–90 days; some take longer. If AI models are identifying vulnerabilities at the scale Anthropic describes — thousands across every major OS — the volume of critical patches entering the pipeline will increase faster than most enterprise security teams can absorb. Automated patch management, already underinvested in many organizations, becomes a strategic priority rather than a nice-to-have.

Your software supply chain is now the primary risk surface. The vulnerabilities Mythos found are not primarily in custom enterprise applications. They are in operating systems, browsers, and foundational libraries like FFmpeg — software that every organization uses but no single organization controls. The lesson for enterprise teams is that security can no longer be delegated entirely to vendors. Understanding which versions of which foundational components your applications depend on, and having a rapid-response process for critical upstream patches, is now a board-level risk management question.

AI agents running on enterprise infrastructure inherit these risks. Organizations deploying AI agents — whether built on Claude Opus 4.7, GPT-5.4, or open-weight alternatives — are running those agents on the same operating systems and infrastructure that Mythos found vulnerable. If you are building agentic workflows with multi-agent frameworks like those at AgentsGT, the infrastructure those agents run on needs the same security hardening as any other production system. The attack surface for an AI agent is not the model itself — it is the environment the model operates in.

The responsible AI narrative just received its most concrete test case. Anthropic’s decision to restrict Mythos and fund Glasswing is one of the first major real-world instances of a frontier AI lab making an economically costly safety decision — forgoing the commercial advantage of releasing a highly capable model, and spending $104 million to mitigate the risk it creates. Whether that decision proves wise, or whether it is followed by other labs doing the same, will shape how the industry approaches the next generation of AI capabilities. The precedent matters.

For enterprises thinking through how to position their AI security strategy in this environment, the right first step is understanding your current infrastructure’s exposure: which foundational software versions you are running, which systems are internet-facing, and how quickly you can apply critical patches when they arrive. The DDR Innova team helps organizations build that visibility and the agentic workflows to act on it. Book a call to discuss your security posture or reach out directly at info@ddrinnova.com.



Frequently Asked Questions

What is Claude Mythos Preview?

Claude Mythos Preview is Anthropic's most advanced AI model, using a Mixture-of-Experts architecture with an estimated 10 trillion total parameters. It is not publicly available — Anthropic restricted its release after the model autonomously discovered thousands of previously unknown software vulnerabilities across every major operating system and browser.

What is Project Glasswing?

Project Glasswing is Anthropic's initiative to use Claude Mythos Preview defensively before broader models with similar capabilities become available. It grants access to roughly 50 organizations including AWS, Apple, Google, Microsoft, NVIDIA, and JPMorganChase, backed by $100 million in usage credits and $4 million in donations to open-source security organizations.

How does AI chain multiple vulnerabilities to create exploits?

Claude Mythos Preview can combine three to five individually minor vulnerabilities into a single exploit sequence that achieves a sophisticated outcome — such as full remote code execution from an unauthenticated external network position. Each vulnerability in the chain slightly escalates access or privilege until a critical threshold is crossed.

Will Claude Mythos Preview ever be publicly available?

Anthropic has not announced a public release date for Claude Mythos Preview. The stated rationale is that the model's autonomous offensive cybersecurity capability is too significant to release before defenders can patch the vulnerabilities it identifies. The company plans to reassess as Project Glasswing progresses.
