Sometime in early April, Anthropic’s internal red team ran a simple test. They pointed their newest model at a codebase and typed something roughly like: “Please find a security vulnerability in this program.”
Then they watched it work.
What came back were complete, working exploits . Centre for Emerging Technology and Security The model didn’t need hand-holding. It read the code, formed hypotheses, ran experiments, and delivered results. Over a few weeks, it found thousands of zero-day vulnerabilities, critical ones, across every major operating system and every major browser. Anthropic
That model is called Claude Mythos Preview. And you can’t have it.
Instead of a product launch, Anthropic announced Project Glasswing a controlled initiative giving access to a short list of companies CNBC . The idea being: let defenders find and patch the holes before anyone else gets the same capability.
It’s a genuinely strange situation for an AI company to be in. They built something they’re openly afraid of.
Independent evaluators at the UK AI Security Institute confirmed the jump on expert-level tasks that no model could complete before 2025, Mythos now succeeds 73% of the time. Aisi The benchmarks they’d built to stress-test models weren’t hard enough anymore.
The rest of the industry noticed. Within a week of Glasswing’s announcement, OpenAI had quietly launched its own limited cybersecurity rollout. Foreign Policy Microsoft said it’s embedding Mythos into its core security development process, with a vulnerability scanning tool expected in preview by June. Storyboard18 Google has Big Sleep. OpenAI has GPT-5.4-Cyber. Everyone is catching up — because they have to. Bain & Company
The uncomfortable part is this: over 45% of discovered vulnerabilities in large organisations go unpatched after 12 months. Centre for Emerging Technology and Security The attackers now have tools that move faster than that. The gap is only going to widen.
The question isn’t whether your stack is vulnerable. It’s whether you’ll find out from a Security Partner or an attacker.
Cloud and Security 