Anthropic Unveils Project Glasswing, Hands Claude Mythos Preview to Apple, AWS, JPMorgan to Find Zero-Days

Anthropic has formally launched Project Glasswing, an industry alliance that grants twelve hand-picked organizations restricted access to Claude Mythos Preview, an unreleased frontier model whose cyber capabilities the company says exceed those of nearly all human experts. The launch partners read like a roll call of the modern internet's load-bearing infrastructure: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself.

Mythos Preview is not a security-specialized derivative — it is a general-purpose successor that, in internal red-team tests, identified thousands of zero-day vulnerabilities across every major operating system and web browser. The most striking find was a 27-year-old flaw in OpenBSD, one of the most aggressively hardened operating systems in production, that allowed remote machines to be crashed on connection. The model also unearthed a 16-year-old defect in FFmpeg that automated fuzzers had crawled past more than five million times, and autonomously chained multiple Linux kernel bugs to escalate from a standard user to full root.

The benchmarks back the claims. On Cybersecurity Vulnerability Reproduction (CyberGym), Mythos Preview scored 83.1% against Opus 4.6's 66.6%. On SWE-bench Verified it hit 93.9% versus 80.8%, and on the harder SWE-bench Pro it reached 77.8% versus 53.4%. Anthropic's red team reproduced the OpenBSD flaw in fewer than a thousand autonomous runs at a total compute cost under $20,000 — a number that translates the abstract phrase "AI-scale vulnerability discovery" into a budget line item any nation-state can afford.

That dual-use math is why Mythos Preview will not be released to the public. Anthropic is instead allocating $100 million in model usage credits to Glasswing participants, donating $2.5 million to the Alpha-Omega and OpenSSF foundations and $1.5 million to the Apache Software Foundation, and routing more than forty additional critical-infrastructure operators into the program. Post-preview, the model will price at $25 per million input tokens and $125 per million output — premium tier, premium gating.

The strategic framing matters as much as the technology. Anthropic is positioning Mythos as a model that should be deployed asymmetrically in defenders' favor before its offensive analogue is widely available — a recognition that the window between discovery and exploitation, as one founding partner put it, "now happens in minutes with AI." Glasswing partners have committed to public CVE reporting within 90 days of remediation, and Anthropic has floated the eventual creation of independent third-party governance for AI-scale cyber initiatives. A Cyber Verification Program will give vetted security professionals carve-outs from the safeguards Anthropic plans to layer onto future Opus models when Mythos descendants reach broader release.