Security AI April 2026

After Glasswing: What AI-Powered Vulnerability Discovery Means for Your Infrastructure

Firefox 150 shipped 271 fixes from Mythos. An unauthorized group accessed the model through a contractor. Here’s what Project Glasswing actually means for infrastructure operators — and what the coverage gets wrong. Updated April 22, 2026.

  • 27 yrs: Oldest bug found
  • 271: Firefox 150 fixes from Mythos
  • 83.1%: CyberGym accuracy
  • ~6 mo: Until open-weight parity

The announcement came on a Monday morning. Anthropic had been working on something called Project Glasswing — a controlled deployment of a new frontier model, Claude Mythos Preview, to find and patch critical vulnerabilities before attackers could exploit them. The partners list read like the who’s who of critical infrastructure: AWS, Apple, Cisco, Google, Microsoft, the Linux Foundation.

Mythos autonomously found a 27-year-old flaw in OpenBSD’s TCP stack. A 16-year-old vulnerability in the FFmpeg H.264 codec that had survived five million automated test runs. Multiple Linux kernel privilege escalation paths. Vulnerabilities in every major web browser. And it developed 181 working Firefox JavaScript engine exploits entirely on its own.

Mozilla’s Firefox 150 — released April 21, 2026 — includes fixes for 271 vulnerabilities identified by Mythos.

What Glasswing actually is

Project Glasswing is Anthropic’s attempt to use Mythos defensively, ahead of wider availability. They committed $100 million in Mythos usage credits for the ~50 partner organizations. The model is not publicly available — the dual-use risk is genuinely unprecedented.

What it can do:

  • Autonomous vulnerability discovery across entire codebases, with no human steering
  • Fully autonomous exploit development — including 20-gadget ROP chains, JIT heap sprays, and 2–4 vulnerability chains
  • Guest-to-host memory corruption in memory-safe VMMs — the class of bug that breaks hypervisor isolation

That last one deserves a pause. A guest-to-host VMM escape means one compromised tenant can potentially reach others on the same physical host. It’s the security boundary that hosting providers exist to maintain.

On April 21, Bloomberg reported that an unauthorized group had been accessing Mythos since launch day through a compromised contractor’s credentials. “Controlled access” is accurate in intent, and less so in practice.

The part that changes the threat model

After the announcement, security firm AISLE published an independent analysis. They tested eight models — including open-weight models running at $0.11 per million tokens — against the same vulnerability classes Mythos had found.

| Task | Small model performance |
|---|---|
| FreeBSD NFS RCE (17-year-old bug) | All 8 models detected it — including a 3.6B-parameter model at $0.11/M tokens |
| OpenBSD SACK chain analysis | GPT-OSS-120b “recovered the full public chain” in a single API call |
| OWASP false-positive test | Small open models outperformed most frontier models at recognizing non-vulnerabilities |

The same FreeBSD RCE that Mythos discovered was detected by a model you can run locally for effectively nothing. For some vulnerability classes, the threat is not gated behind Anthropic’s access controls at all.

Key insight

The moat in AI security is not the model. It’s the system built around it — triage, false-positive filtering, maintainer trust, orchestration across tasks where no single model excels.

What this means for infrastructure operators

The patch wave has started. Firefox 150 was the first large delivery: 271 vulnerabilities in the browser running on virtually every device on the planet. Every infrastructure operator will need to move faster than their usual patch cadence.

The attack surface is wider than the patch wave implies. For vulnerability classes where commodity models are already competitive, independent discovery by threat actors is plausible without waiting for Glasswing disclosures.

The false positive problem is the real bottleneck

The organizations succeeding at AI security are investing in the pipeline around the model: validation layers, triage workflows, maintainer trust, escalation processes. The raw model output is not directly usable.

This is the same argument we make about managed infrastructure generally. Running containers reliably, at scale, with patching discipline and monitoring that actually pages you on the things that matter — that’s the hard part. AI security is going the same direction.

What we’re doing about it

We run Trivy as part of our managed scanning stack. After the Glasswing announcement, we pulled our patch readiness forward — specifically for kernel packages, Proxmox/KVM hypervisor updates, and container base images.
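An added example, not code from this post or from the authors' stack: one way to turn a Trivy JSON report (as produced with `--format json`) into a patch queue ordered by the classes named above. The package-name patterns, the class ordering, and the helper names `classify` and `patch_queue` are assumptions made for illustration; the sample report is constructed.

```python
import json
from fnmatch import fnmatch

# Assumed package-name patterns (Debian/Proxmox naming) for the priority
# classes named in the post; adjust for your distribution.
CLASSES = [
    ("kernel", ["linux-image-*", "pve-kernel-*", "proxmox-kernel-*"]),
    ("hypervisor", ["pve-qemu-kvm", "qemu-*", "libvirt*"]),
]
ORDER = ["kernel", "hypervisor", "userland"]  # assumed rollout order
SEVERITY = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

def classify(pkg):
    for name, patterns in CLASSES:
        if any(fnmatch(pkg, p) for p in patterns):
            return name
    return "userland"  # container base-image and other OS packages

def patch_queue(report):
    """Fixable findings, merged per (package, CVE), most urgent first."""
    merged = {}
    for result in report.get("Results", []):
        # "Vulnerabilities" may be absent or null for clean targets.
        for v in result.get("Vulnerabilities") or []:
            if not v.get("FixedVersion"):
                continue  # no fixed version published: nothing to roll out yet
            key = (v["PkgName"], v["VulnerabilityID"])
            item = merged.setdefault(key, {
                "pkg": v["PkgName"], "id": v["VulnerabilityID"],
                "class": classify(v["PkgName"]), "severity": v.get("Severity", "UNKNOWN"),
                "fixed": v["FixedVersion"], "targets": []})
            item["targets"].append(result.get("Target", "?"))
    return sorted(merged.values(), key=lambda i: (
        ORDER.index(i["class"]), SEVERITY.index(i["severity"]), i["pkg"]))

# Constructed report in Trivy's JSON layout; IDs and versions are placeholders.
SAMPLE = json.loads("""{"Results": [
 {"Target": "pve-host", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pve-qemu-kvm", "FixedVersion": "1.1", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "proxmox-kernel-6.8", "FixedVersion": "1.2", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "openssl", "FixedVersion": "", "Severity": "CRITICAL"}]},
 {"Target": "app-a:latest", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlib1g", "FixedVersion": "1.3", "Severity": "MEDIUM"}]},
 {"Target": "app-b:latest", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlib1g", "FixedVersion": "1.3", "Severity": "MEDIUM"}]},
 {"Target": "scratch-tool:latest", "Vulnerabilities": null}]}""")

if __name__ == "__main__":
    print(json.dumps(patch_queue(SAMPLE), indent=2))
```

Findings without a fixed version are dropped from the rollout queue rather than from tracking; they still need a compensating control or a watch on the upstream advisory.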

If your team is thinking through what this means for your own infrastructure, we’re happy to have that conversation.


Alex Stamos: “We only have something like six months before the open-weight models catch up to the foundation models in bug finding.” That estimate specifically refers to autonomous full-codebase discovery. For targeted verification of known vulnerability patterns, the parity question is already more complicated.
