
Project Glasswing and Claude Mythos Preview: What is it and how will it impact us?
On April 7, 2026, Anthropic announced Project Glasswing, a coordinated initiative backed by AWS, Apple, Google, Microsoft, CrowdStrike, Palo Alto Networks, and over 40 additional organizations. At the center of it sits Claude Mythos Preview, Anthropic's newest and most capable AI model. According to Anthropic, Mythos identified thousands of zero day vulnerabilities across every major operating system and every major web browser. One of them was a 27 year old bug in OpenBSD, an operating system built with security as its founding principle, that allowed anyone to remotely crash a machine just by connecting to it.
That is not a small finding. That is decades of missed exposure in one of the most security conscious codebases in existence. And it got our attention.
Our team at SecureIT has spent the past week going through Anthropic's disclosures, discussing them internally, and forming a professional opinion on what this actually means. This post is that opinion: direct, grounded, and free of hype.
What Mythos Actually Is
Mythos was not built to be a security tool. Anthropic set out to create a stronger coding model, the next step beyond their existing Haiku, Sonnet, and Opus lineup. What they got was a model that turned out to be exceptionally good at cybersecurity as a side effect of being exceptionally good at understanding code. They pointed it at open source projects and it started finding vulnerabilities that nobody had caught before.
Anthropic reports that Mythos found a 16 year old vulnerability in FFmpeg, in a line of code that automated testing tools had executed five million times without flagging the issue. In another case, it autonomously chained together several Linux kernel vulnerabilities to escalate from ordinary user access to full machine control. It also wrote a browser exploit that chained four separate vulnerabilities together, escaping both the renderer sandbox and the OS sandbox.
These are impressive results. But they are not magic. What Mythos does is exactly what a skilled security researcher does: it reads code, recognizes patterns, identifies weaknesses, and constructs exploits. The difference is that Mythos does not need to eat, sleep, take breaks, or split its attention. It can focus on thousands of codebases simultaneously, at a pace no human team could match. Its knowledge comes from the collective work of the security research community, from their publications, their disclosures, their techniques. It learned from human expertise and now applies that expertise at machine speed.
That 27 year old OpenBSD bug is the perfect example. It was not hidden by some force beyond human understanding. It survived because nobody with the right skills, enough dedicated time, and adequate funding had been aimed at that specific code for long enough. A well resourced security team, given the time and focus, would have found it. Mythos just found it faster.
The Pattern We Have Seen Before
Every powerful tool humanity has created has eventually been used for both good and harm. Alfred Nobel invented dynamite to make mining safer; it became a weapon of war. Radio connected people across vast distances before it became a propaganda tool. The internet gave humanity access to the sum of human knowledge; it also gave us mass surveillance, algorithmic manipulation, and coordinated disinformation campaigns.
Glasswing and Mythos will follow the same pattern. The question is not whether malicious actors will gain access to similar capabilities. It is when. And based on historical precedent, the answer is: soon. Before Mythos, conducting sophisticated cyber attacks required actual cybersecurity professionals, people with deep technical knowledge and years of experience. That created a natural barrier to entry. If a tool like Mythos ends up in the wrong hands, or if malicious actors build their own version now that they know what is possible, that barrier drops dramatically. Suddenly, a well funded attacker without deep security expertise could potentially conduct attacks that previously required a team of specialists.
Anthropic chose not to release Mythos publicly, limiting access to defensive partners instead. We think that was a reasonable decision. It does not eliminate the risk, but it reduces the surface area of potential misuse, and that matters. At some point, broader access may become necessary and inevitable, but controlling the initial distribution buys time for the defensive side to prepare.
What This Means for Your Security
Here is where we bring this back to your organization. If you have been investing in genuine, ongoing security practices, including regular code audits, penetration testing, and vulnerability management, then you are already in a stronger position regardless of what new tools emerge. The companies that should be concerned are the ones that treat security as a checkbox or a one time project.
Our team at SecureIT sees this dynamic play out constantly. We recently conducted a white box penetration test on a client's application that had been scanned by automated tools for a long time. Those tools never flagged anything significant. Through manual testing, we found cache poisoning coupled with a self XSS vulnerability and a race condition that, when chained together, gave us access to an admin page that was previously considered unreachable. That is the same pattern behind the Mythos findings: automated tools ran over the code repeatedly without catching what a focused, skilled researcher could identify.
Security is not a snapshot. It is a continuous discipline. Organizations that treat it as ongoing, with regular code reviews, continuous penetration testing, and a security team that stays current with what is happening in the industry, will be the most resilient regardless of what tools emerge on either side of the equation.
Where SecureIT Stands
We use AI tools in our own work as a force multiplier. We advise our clients on secure AI adoption and we regularly notify them about newly discovered AI related vulnerabilities. This post is an extension of that same commitment: keeping the people we work with informed about what is happening and what it means for them.
Mythos is not something to panic about. It is a signal that the pace is accelerating and that the work we have always done (deep code review, thorough penetration testing, continuous security assessment) matters more now than it ever has.
The Takeaway
Project Glasswing is a significant development, but it is not a departure from what security has always been. It is expert knowledge applied with focus and speed. The best defense remains the same: skilled professionals reviewing your code, testing your systems, and doing it continuously. The organizations that already operate this way have nothing to fear.
Every organization has different exposure. A low cost security assessment is the fastest way to understand where yours actually stands, no generic checklist, no pressure.