Yesterday, Anthropic announced Project Glasswing — a cybersecurity coalition built around Claude Mythos Preview, a frontier AI model so proficient at finding and exploiting software vulnerabilities that it cannot safely be released to the public.
In just weeks of testing, Mythos Preview has autonomously identified thousands of zero-day vulnerabilities in every major operating system and every major web browser — including a 27-year-old flaw in OpenBSD, a 16-year-old bug in FFmpeg that automated testing missed five million times, and a chained Linux kernel exploit that escalates to full machine control.
The 12 launch partners — AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, Palo Alto Networks, Broadcom, NVIDIA, JPMorganChase, the Linux Foundation, and Anthropic — will use the model exclusively for defensive security work. Anthropic is committing $100 million in usage credits and $4 million to open-source security organisations.
In this solo episode, I break down what Mythos Preview can actually do, why the defensive case is strong, and why the dual-use problem — the same model that finds vulnerabilities can exploit them — cannot be engineered away.
Then I ask the question almost no one else covering this story is asking: why are all 12 launch partners US-headquartered? What does it mean when the most powerful defensive cybersecurity tool ever created is exclusively in the hands of American companies, subject to US government engagement, with no mention of the UK’s NCSC, the EU’s ENISA, or any non-US government body?
What I cover:
Claude Mythos Preview’s capabilities — and why this is a step change, not an incremental improvement
The defensive case: $100M in credits, open-source funding, and a coalition that touches most of the world’s software infrastructure
The dual-use tension: Mythos develops working exploits autonomously, without human steering
The sovereignty question: all 12 partners are US-headquartered, and the implications for UK and European defenders are significant
Five things to watch over the coming months — from the 90-day report to the UK’s Cyber Security and Resilience Bill
This episode is for:
CISOs and security leaders assessing what AI-augmented threats mean for their organisations
CTOs and engineers building on infrastructure maintained by Glasswing partners
Policymakers writing cybersecurity legislation in a world that just changed
Anyone who believes the geography of AI capability is a strategic question, not a technical footnote
Read the full analysis:
Listen and subscribe:
The Control Layer is hosted by Amer Altaf, founder and CEO of Arkava, and publishes weekly.
Sponsored by Arkava — Trusted Intelligence, Tangible Impact.
