June 3, 2026
Anthropic Expanding Project Glasswing and Claude Mythos Cyber Access
SOCFortress
Intro
Identifying a single critical vulnerability was a painstaking process of human intuition and brute-force testing, often taking weeks or months of elite research to yield a result. Security was a game of inches, played by human analysts against an infinite sea of increasingly complex code.
That era effectively ended in early April. With the launch of Project Glasswing and the debut of Claude Mythos Preview, Anthropic has introduced a paradigm shift that turns those inches into miles. We have officially entered the age of the infinite vulnerability. We now possess a tool capable of unearthing every flaw in a system at a speed that is both exhilarating and terrifying. The central tension of our time is no longer whether we can find the holes in our digital armor, but whether we have the capacity to patch them before the armor falls apart entirely.
The 1,000% Efficiency Leap
The data emerging from the initial Project Glasswing cohorts is staggering. This isn't a marginal improvement in scanning technology; it is a total collapse of the time-to-discovery barrier. The numbers tell a story of an industry suddenly moving at warp speed.
Cloudflare, one of the web's primary gatekeepers, utilized the Mythos model to scan its critical-path systems. The result? It identified 2,000 bugs, 400 of which were rated high or critical. Mozilla saw similar results, finding and fixing 271 vulnerabilities in Firefox 150 — a discovery rate more than 10 times higher than previous versions tested with older AI models.
But the most sobering statistic comes from Anthropic's own scan of 1,000 open-source projects. Mythos flagged a jaw-dropping 23,019 potential vulnerabilities. When security researchers independently reviewed the high-severity findings, they confirmed a 90% validity rate. The scale of discovery has moved from the artisanal to the industrial.
The most disruptive element, however, isn't just the volume — it's the precision.
"The false-positive rate [was] better than that of human testers." — Cloudflare
When an AI can find flaws faster than a human and with higher accuracy, the traditional role of the security researcher as a "bug hunter" essentially evaporates.
Protecting the "Vulnerable Heartland"
While the first wave of Project Glasswing included tech titans like Microsoft, Google, and NVIDIA, Anthropic is now expanding the program to the sectors that underpin modern civilization. Approximately 150 new organizations across 15 countries are gaining access to Mythos-class capabilities to secure what we might call the "vulnerable heartland."
This new cohort includes cloud and data heavyweights like Netskope and Rubrik, alongside organizations managing the physical systems where a digital failure has catastrophic real-world consequences:
- Power and Water: Utilities that keep cities functioning.
- Healthcare: Systems managing life-saving data and medical equipment.
- Communications: The backbone of the global information exchange.
- Hardware: The physical silicon and components that underpin all software.
The stakes could not be higher. Anthropic estimates that for most of these partners, a successful attack on their codebase could affect more than 100 million people, creating significant ramifications for global and national security.
The Human Wall
As Mythos-class models make bug discovery instantaneous, they have exposed a surprising and systemic weakness: finding bugs is no longer the problem; fixing them is. We have built a machine that can find 10,000 critical flaws in a month, but we have not built a human infrastructure capable of processing that firehose of data.
We are now hitting the "Human Wall." Organizations are being overwhelmed by their own success in discovery, struggling to triage and report findings at the pace the AI generates them. Anthropic is placing a high-stakes bet that they can use Project Glasswing to force the industry to adopt new operating norms before the clock runs out.
"The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them." — Anthropic
This creates a dangerous gap. If an AI identifies a flaw but a human team takes weeks to deploy a patch, that flaw remains a "zero-day" waiting to be exploited. A joint report from the Cloud Security Alliance, the SANS Institute, and OWASP warns that defenders are likely to be "overwhelmed" in the near term as threat actors begin using similar AI tools to find and exploit these same vulnerabilities.
The "Mythos" Restriction
If Mythos is so effective, why isn't it available to every developer? Anthropic has made the calculated — and controversial — decision to keep Mythos-class models restricted, accessible only through programs like Project Glasswing or the Cyber Verification Program. The company argues that safeguards sufficient to prevent serious misuse by bad actors do not yet exist.
Instead, the public has access to Claude Security, a product based on the Claude Opus 4.8 model. While powerful — it patched over 2,100 vulnerabilities in its first three weeks — it is a measured step down from the "frontier" capabilities of Mythos.
This restriction is happening against a volatile political backdrop. Hours after Anthropic's expansion announcement, the Trump administration signed a scaled-back executive order on AI security. This order establishes a voluntary framework requiring AI developers to submit advanced models to a government review up to 30 days before public release — a clear attempt by regulators to catch up to the "Mythos-class" reality.
Toward a Permanent Defensive Advantage
The window of opportunity is narrow. Anthropic predicts that within 6 to 12 months, other AI companies will develop Mythos-class models, potentially without the same restrictive safeguards. Project Glasswing is as much an effort to change how institutions operate as a technical one; it is an attempt to use this brief lead time to "spur institutional operating norms" across the globe.
To win this race, the industry must move beyond discovery and toward automated disclosure and the aggressive rebuilding of legacy codebases in memory-safe languages.
We are watching a fundamental shift in the core assumptions of cybersecurity. Can the industry reinvent itself fast enough to keep up with an AI that finds flaws faster than we can type the solution? The transition will be messy, but if Project Glasswing succeeds, it could provide a permanent advantage for defenders, turning the "infinite vulnerability" of the digital age into a solvable engineering problem.