Yesterday, Anthropic did something no major AI lab has done before: it announced a frontier model — Claude Mythos Preview — and simultaneously declared it would not be making it publicly available. The reason? The model is so proficient at finding and exploiting software vulnerabilities that releasing it could, in the company’s own assessment, pose a serious threat to global cybersecurity.

Instead, Anthropic launched Project Glasswing — a coalition of 12 launch partners, plus roughly 40 additional organisations, who will use Mythos Preview exclusively for defensive security work. The stated goal is to find and fix vulnerabilities in the world’s most critical software before attackers can exploit them.

Join The Control Layer for weekly perspectives on AI, cybersecurity, and building technology that serves human purpose.

It is, by any measure, a significant moment. But it also raises questions that Anthropic’s announcement — carefully framed in the language of collective defence — leaves largely unanswered.

What Mythos Preview can actually do

The capabilities are striking. In just a few weeks of testing, Mythos Preview has autonomously identified thousands of zero-day vulnerabilities— flaws previously unknown to the software’s own developers — across every major operating system and every major web browser.

Three examples illustrate the scale of what we are talking about:

27-year-old vulnerability in OpenBSD, widely regarded as one of the most security-hardened operating systems in the world and used to run firewalls and critical infrastructure. The flaw allowed an attacker to remotely crash any machine running the OS simply by connecting to it. Twenty-seven years. Millions of lines of human review. Missed.

16-year-old vulnerability in FFmpeg, the video encoding library embedded in countless pieces of software globally. Automated testing tools had hit the relevant line of code five million times without catching the problem. Mythos Preview found it.

And perhaps most consequentially, the model autonomously discovered and chained together several vulnerabilities in the Linux kernel — the software running most of the world’s servers — to escalate from ordinary user access to complete machine control.

On the CyberGym benchmark for vulnerability reproduction, Mythos Preview scored 83.1%, compared to 66.6% for Anthropic’s previous best model, Claude Opus 4.6. On SWE-bench Verified, it reached 93.9%. These are not incremental improvements. They represent a step change in what AI systems can do to — and for — software security.

Anthropic’s own framing is unusually candid: frontier AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. And given the rate of AI progress, it will not be long before such capabilities proliferate.

The defensive case — and it is a strong one

The logic behind Project Glasswing is sound and, in many respects, overdue.

The global cost of cybercrime is notoriously difficult to pin down, but credible estimates place it between $500 billion and $1.5 trillion annually, depending on methodology. The attack surface is vast and growing: banking systems, healthcare records, logistics networks, energy grids, and the open-source software that underpins virtually all of them.

Until now, finding serious vulnerabilities has required a level of expertise held by a tiny number of people. AI models like Mythos Preview could fundamentally shift the economics of defence. If you can scan a codebase of millions of lines and surface flaws that survived decades of human review, you can fix them before they are exploited. That is genuinely transformative.

The open-source dimension is particularly important. The Linux Foundation’s Jim Zemlin put it well: open-source maintainers — whose software underpins much of the world’s critical infrastructure — have historically been left to figure out security on their own. Anthropic’s commitment of $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation, is a concrete step toward changing that. If maintainers of critical open-source projects can access Mythos-class scanning, the downstream security benefits could be enormous.

The broader coalition makes strategic sense, too. AWS, Microsoft, Google, Apple, Cisco, CrowdStrike, Palo Alto Networks, Broadcom, NVIDIA, JPMorganChase — these organisations collectively touch a vast proportion of the world’s software and infrastructure. If they can systematically scan and patch their foundational systems, the aggregate reduction in attack surface would be significant.

Anthropic has also committed $100 million in usage credits for Mythos Preview across the initiative. After the research preview, the model will be available to participants at $25/$125 per million input/output tokens via the Claude API, Amazon Bedrock, Google Cloud’s Vertex AI, and Microsoft Foundry. This is not a symbolic gesture. It is a serious resource commitment.

The dual-use problem no one can engineer away

Here is the tension at the heart of Project Glasswing, and it is one Anthropic is remarkably transparent about: the same model that finds vulnerabilities can exploit them.

Mythos Preview did not simply identify the OpenBSD flaw or the Linux kernel vulnerabilities. It developed working exploits — in many cases entirely autonomously, without human steering. It wrote a browser exploit chaining together four separate vulnerabilities. It found KASLR bypasses and race conditions in the Linux kernel and escalated privileges to root.

This is why Anthropic is not releasing the model publicly. It is also why the company has been in ongoing discussions with US government officials about Mythos Preview’s offensive and defensive cyber capabilities.

But acknowledging the dual-use problem is not the same as solving it. Anthropic’s stated plan is to develop safeguards that “detect and block the model’s most dangerous outputs” and launch them with an upcoming Claude Opus model. Security professionals affected by those safeguards will be able to apply for an upcoming Cyber Verification Programme.

The question is whether safeguards can ever be robust enough. The history of AI safety measures suggests a pattern: capabilities advance faster than controls. And the specific challenge with cybersecurity capabilities is that the line between legitimate defensive research and offensive exploitation is often a matter of intent, not technique.

CrowdStrike’s CTO Elia Zaitsev captured the urgency well: “The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI.” That compression does not just apply to known vulnerabilities. It applies to the proliferation of AI models capable of finding new ones.

DARPA recognised this trajectory a decade ago with the original Cyber Grand Challenge in 2016. The AI Cyber Challenge in 2025 saw competing systems identify 86% of synthetic vulnerabilities, up from 37% at semifinals. Mythos Preview represents another leap beyond even that. The direction is clear; the speed is what has changed.

Twelve partners. All American. That is not a detail — it is the story.

Now consider the composition of Project Glasswing.

The 12 launch partners are: Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

Every single one is US-headquartered.

The 40+ additional organisations given access are described as those that “build or maintain critical software infrastructure.” The announcement does not name them. Anthropic frames the initiative in the language of global defence — “securing the world’s most critical software” — and references “democratic states” and “the United States and its allies.”

But the practical reality is that the most powerful defensive cybersecurity tool ever created is, at launch, exclusively in the hands of American companies and subject to US government engagement. Anthropic has been in “ongoing discussions with US government officials” about Mythos Preview. There is no mention of equivalent engagement with the UK’s National Cyber Security Centre, the EU Agency for Cybersecurity (ENISA), or any non-US government body.

This matters for several reasons.

First, critical national infrastructure does not respect corporate headquarters. The UK’s National Health Service, its energy grid, its financial services sector, and its defence supply chain all run on software maintained by the organisations in Project Glasswing. When Mythos Preview finds a vulnerability in the Linux kernel or in a Cisco product, that vulnerability affects British systems as much as American ones. The question is whether UK defenders will have the same access to fix it, at the same speed.

Second, Anthropic’s pricing model after the research preview — $25/$125 per million tokens — means that even when access is theoretically available, cost and availability will be determined by a US company operating under US jurisdiction. For organisations in regulated UK sectors — defence, financial services, healthcare — the question of where their vulnerability data is processed, and under whose legal jurisdiction, is not academic.

Third, and most fundamentally, this is a pattern. The most consequential AI capabilities — whether in language, reasoning, or now cybersecurity — are being developed by US companies, deployed first to US partners, and shaped by US government engagement. The UK’s position as a close ally does not automatically translate into equivalent access, timing, or influence over how these tools are governed.

None of this is a criticism of Anthropic’s decision to restrict Mythos Preview. On the contrary — the decision not to release it publicly is responsible, perhaps even courageous, given the commercial pressure to ship. But responsible AI development and equitable access to AI-powered defence are two different things. Project Glasswing addresses the first. It does not yet address the second.

What to watch

Project Glasswing is the beginning of something, not the end. Several things are worth tracking over the coming months:

The 90-day public report. Anthropic has committed to reporting publicly within 90 days on what the initiative has learned, including vulnerabilities fixed and improvements made. The quality and transparency of that report will tell us a great deal about whether this is a genuine public good or a carefully managed preview programme.

Non-US participation. Whether and how Anthropic extends Glasswing access to non-US governments, CERTs, and critical infrastructure operators. The announcement mentions an aspiration for “an independent, third-party body” to host continued work. Who sits on that body, and where it is domiciled, will matter.

The safeguards question. Anthropic’s plan to launch new safeguards with an upcoming Claude Opus model is the critical dependency for any broader availability of Mythos-class capabilities. If those safeguards prove robust, it opens the door to wider defensive use. If they do not, the argument for permanent restriction strengthens — and so does the asymmetry between those who have access and those who do not.

Open-source uptake. The $4 million in direct donations and the Claude for Open Source programme are the most democratising elements of the announcement. Whether maintainers of critical open-source projects actually adopt Mythos-class scanning — and whether the tools are accessible enough for under-resourced teams — will determine whether this narrows or widens the security gap.

Government response. The UK government’s forthcoming Cyber Security and Resilience Bill, and the EU’s implementation of the NIS2 Directive, will both need to reckon with a world in which AI systems can find and exploit vulnerabilities faster than human defenders can patch them. Whether policymakers are prepared for that shift is an open question.

The bottom line

Project Glasswing is the most significant cybersecurity announcement of 2026 so far, and arguably the clearest demonstration yet that frontier AI has crossed a threshold in offensive and defensive cyber capability.

Anthropic deserves credit for the transparency of its approach and the scale of its commitment. The decision to restrict Mythos Preview, to build a coalition rather than race to market, and to fund open-source security work — these are all the right instincts.

But the announcement also crystallises a deeper tension in the AI era: the tools we most urgently need for collective defence are being built, controlled, and governed by a remarkably small number of actors in a single jurisdiction. For the UK, for Europe, and for every other democracy that depends on the same software infrastructure, the question is not whether Project Glasswing is a good idea. It is. The question is whether we are content to be downstream beneficiaries of American AI capability — or whether we intend to be active participants in shaping how that capability is deployed.

That is not a question Anthropic can answer. It is one for us.

Amer Altaf is Founder & CEO of Arkava, a sovereign AI agentic automation business in the United Kingdom and Europe, and Managing Editor of The Control Layer.

Sources and further reading:

- [Project Glasswing — Anthropic]

- [Claude Mythos Preview — Anthropic Frontier Red Team]

- Anthropic limits Mythos AI rollout over fears hackers could use model for cyberattacks — CNBC

- [Anthropic is giving some firms early access to Claude Mythos to bolster cybersecurity defenses — Fortune]

- [Anthropic says its most powerful AI cyber model is too dangerous to release publicly — VentureBeat]

- [Tech giants launch AI-powered Project Glasswing — CyberScoop]

- [CrowdStrike founding member of Anthropic Mythos initiative]

- [Project Glasswing: Tech giants unite to fix AI-found software risks — Interesting Engineering]

- [DARPA AI Cyber Challenge results — DARPA]

- [Estimating global yearly cybercrime damage costs — Governance.ai]