We already had a hint. AI would surpass most human capabilities someday. In the field of cybersecurity, that day arrived way too early, with the recent announcement of the Mythos Preview by Claude. The new AI model promises a level of coding skills that it is deemed to ‘surpass all but the most skilled humans at finding and exploiting software vulnerabilities.’ And this power is now going to be used in a new, ‘urgent’ initiative to secure cyberspace. All under the name of ‘Project Glasswing.’
Here is all about the latest effort by Anthropic and why it matters for just about the entire world.
Table of contents
What is Project Glasswing?
The name isn’t random. It is inspired by the glasswing butterfly (Greta oto), and represents two aspects of the initiative. The butterfly is known for its transparent wings that let it hide in plain sight. This is exactly how software vulnerabilities often exist. From another perspective, these transparent wings allow the butterfly to evade harm. Anthropic is advocating the same transparency in its approach.
As soon as you go digital, there is a plethora of services running at the backend to make things work as they do today. Most of these systems are controlled by a select few technology majors of the world. Think Microsoft, Google, Amazon, Apple, Broadcom, and such bigwigs. Anthropic is now partnering with these firms to help secure their most critical software networks that directly or indirectly power the cyber world we know.
For this, Anthropic has deployed its all-new Mythos Preview. And what’s more, the cutting-edge AI model has already found ‘thousands of high-severity vulnerabilities’. The scarier part is that these issues were found in ‘every major operating system and web browser.’
That is what Anthropic shares in its blog post announcing the Project Glasswing initiative. Alongside, the post mostly sheds light on the capabilities of Mythos Preview. Which brings us to our next topic of focus:
What is Mythos Preview?
In the most basic sense, Mythos Preview is simply another LLM or large language model from the house of Anthropic, much like Claude Opus or Sonnet. It is deemed to be highly efficient in software engineering, reasoning, computer use, knowledge work, and assistance with research
So why is it going so viral? If the regular AI we use feels like Jarvis, Mythos Preview is the Ultron of our age.
And the reasons are pretty clear. First, it is way too powerful – more than most humans involved in cybersecurity, as indicated in a statement I’ve cited from Anthropic in the introduction of this article. In its debut, Anthropic claims that the Mythos Preview carries capabilities “substantially beyond those of any model we have previously trained.”
Here are some examples of Mythos Preview’s supremacy in testing:
Mythos Preview: A Cybersecurity Revolution
From what Anthropic has shared so far, Mythos Preview seems nothing short of a cybersecurity revolution. Here is an example – Claude’s Opus 4.6 had found some vulnerabilities in Mozilla’s Firefox 147 JavaScript engine. When tasked with exploiting them, it could do so only ‘two times out of several hundred attempts.’
In comparison, Mythos Preview developed working exploits ‘181 times, and achieved register control on 29 more.’ Mind you, Claude Opus 4.6 was termed as the most powerful coding AI model up until now.
Anthropic even mentions that its non-security engineers have managed to find complete working exploits using Mythos Preview. And the AI did all of this overnight, without any human supervision.
Up until now, Mythos Preview has managed to find and exploit zero-day vulnerabilities in ‘every major operating system and every major web browser’. What’s more, these vulnerabilities are often subtle and are as old as 27 years.
But so much of power always has a flip side.
Mythos Preview: The Dark Side
Now, here is the second reason for its Ultron moniker – Mythos Preview does not come without a dark side. In a typical Ultron-like situation, it has managed to bypass its own sandbox environment in research and then execute a task (send a mail to the researcher).
Anthropic shares many more such examples of Mythos Preview going rogue. In internal tests, the model used banned methods to reach a conclusion about some problems, and then even tried to conceal its process by attempting the problems through other methods, after it got the right answers. Mythos Preview also leaked confidential details of its exploits on public-facing websites on some occasions.
These are the exact reasons why Anthropic decided against the public release of the model. It is simply too powerful for a regular, non-technical audience. And the risk it comes with is gargantuan.
How Anthropic justifies it
Having seen the dark side, the benefits are far greater. Once you move past the scares of such actions, you see the clearly evident takeaway – Mythos Preview is a truly powerful AI model that outperforms everything else that we know of today.
Anthropic says:
‘We believe that the model’s positive potential, especially in defensive cybersecurity, is sufficient to justify the seemingly-manageable risks that its behavior can pose.’
And it justifies this with the example of a mountaineering guide. The more experienced the guide is, the tougher routes they will traverse. Meaning, both – more security yet more risk to clients.
If it can bypass its own environment during testing and exploit vulnerabilities in known services to find better execution methods, it can certainly do so with other software networks. Exposing such vulnerabilities can then help fix them and make such networks way more secure than ever before.
And that is the exact plan, with the Project Glasswing.
Project Glasswing: Who all are in
A total of 12 major technology companies seem to be in the mix for Project Glasswing. Here are their names:
- Amazon Web Services
- Anthropic
- Apple
- Broadcom
- Cisco
- CrowdStrike
- JPMorganChase
- Linux Foundation
- Microsoft
- NVIDIA
- Palo Alto
It is interesting to note how some of these have their own AI models that rival most of Anthropic’s offerings for the global public, including Microsoft and Google. Yet, this conglomerate seems extremely promising on a very critical task – cybersecurity for the most important software networks of the world.
For this, Anthropic is committing ‘up to $100 million in usage credits’ for Mythos Preview. It will also give $4 million in direct donations to open-source security organizations. The company is also holding talks with the US government officials about Claude Mythos Preview and its cyber capabilities, both for offense and defense.
Anthropic says that together, the systems across the 12 participating firms “represent a very large portion of the world’s shared cyberattack surface.” And that is exactly where Mythos Preview fits in beautifully to power the new project.
Mythos Preview: A demo of what is to come
In its internal tests so far, Mythos Preview has proved to be Excalibur against cyberattacks, all because of 2 of its strengths. It is able to identify vulnerabilities that have remained hidden for decades from the top security engineers. It is further capable of exploiting these vulnerabilities in ways that were previously unthought of. Check out the performance of Mythos Preview on benchmark scores:
In addition, Anthropic also shares 3 examples that show how Mythos Preview has proved its worth so far:
1. 27-year-old vulnerability in OpenBSD
Known for its extreme security measures, OpenBSD is a free, open-source, Unix-like operating system based on 4.4BSD. It is highly regarded as the most secure platform in the world for firewalls, routers, and web servers.
Now, in such a highly secure platform, the vulnerability that Mythos Preview was able to identify was mission-critical. It allowed a remote attacker to crash any machine using the operating system just by connecting to it. After Mythos Preview found the risk, Anthropic reported it to the maintainers, and it has now been fixed.
2. 16-year-old vulnerability in FFmpeg
FFmpeg is a multimedia framework designed to record, convert (transcode), stream, and play audio and video files. It is a leading, free, open-source platform that most modern services like YouTube, TikTok, and Instagram use, with hundreds of millions, if not billions, of users through direct and indirect usage.
Mythos Preview was able to identify a vulnerability in one line of code within the platform. Note that before Mythos Preview, automated testing tools had gone through this issue ‘five million times’ without ever flagging the problem.
3. Four chained vulnerabilities in Linux Kernel
Mythos Preview, completely autonomously, found and chained together up to four vulnerabilities in the Linux Kernel.
The platform is known to power most of the world’s servers. The risks that the AI model identified allowed an attacker to gain complete control of the machine from ordinary user access.
Apart from these highlighted jobs, Anthropic says that the Mythos Preview has identified vulnerabilities ‘in every major operating system and every major web browser’, along with many other important pieces of software. As evident from the cases above, some of these risks remained hidden even after decades of human review and millions of automated security tests.
Conclusion
Just about a month ago, Microsoft came out with a report that claimed hackers are using AI at every stage of a cyberattack. The report was a warning that the world of cybersecurity has fundamentally shifted to a new mode of operation. Whether we like it or not, AI is now an essential part of cybersecurity, both for the protectors and those with malicious intent. And there is no going back.
This inadvertently creates an alarming urgency in the use of AI for good. Plus, it also means that the AI capabilities used in cybersecurity always need to be a step ahead of those used in cyber attacks. Only then can any security measures be amplified enough to prevent any harm to cirtical software infrastructure of the world.
Anthropic’s Mythos Preview is one such step in this direction. And dare I say, it seems like a giant leap for now. The best part, Anthropic has kept it restricted to a select few for now, so it cannot be misused, at least for now. But Anthropic will need to be just as wary, as it embeds some of its capabilities in its future AI models that will be released to the public. For now, we can be at peace knowing the smartest AI model out there is helping us be cybersecure.
