Project Glasswing: The Big Tech Alliance Trying to Fix Software Before AI Breaks It

Anthropic just dropped something that sounds like a cyberpunk plot, but it’s very real. They’re launching Project Glasswing, a coalition that reads like a who’s who of tech—Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic themselves. The goal? Secure the world’s most critical software before AI-powered attacks make a mess of everything.

Here’s the background that makes this urgent. Anthropic has been training a new frontier model called Claude Mythos Preview. It’s not released to the public yet, and after hearing what it can do, I’m not surprised. This thing has already found thousands of high-severity vulnerabilities, including some in every major operating system and every major web browser. Not “some” as in a few edge cases—every one of them.

The implication is stark: AI models have reached a point where they can surpass all but the most skilled humans at finding and exploiting software flaws. And given how fast AI is progressing, it won’t be long before these capabilities spread to actors who aren’t interested in using them responsibly. The potential fallout for economies, public safety, and national security is severe. Project Glasswing is an attempt to get ahead of that curve by putting these same capabilities to work defensively.

How it works

The launch partners will use Mythos Preview as part of their defensive security work. Anthropic is also sharing what they learn so the whole industry benefits. They’ve extended access to over 40 additional organizations that build or maintain critical software infrastructure—both first-party and open-source systems. And they’re putting real money behind it: up to $100 million in usage credits for Mythos Preview across these efforts, plus $4 million in direct donations to open-source security organizations.

That’s a serious commitment. But it’s also a starting point. No single organization can solve these cybersecurity problems alone. Frontier AI developers, other software companies, security researchers, open-source maintainers, and governments all have essential roles to play.

Why this matters now

The software running banking systems, medical records, logistics networks, power grids, and everything else has always contained bugs. Most are minor, but some are serious security flaws that, if discovered, could let attackers hijack systems, disrupt operations, or steal data. We’ve already seen the consequences—corporate networks compromised, healthcare systems locked up, energy infrastructure attacked, government agencies breached. State-sponsored attacks from China, Iran, North Korea, and Russia threaten the infrastructure underpinning civilian life and military readiness. Even smaller attacks on individual hospitals or schools can inflict substantial economic damage, expose sensitive data, and put lives at risk. Current global financial costs of cybercrime might be around $500 billion every year.

Many flaws go unnoticed for years because finding and exploiting them required expertise held by only a few skilled security experts. With the latest frontier AI models, the cost, effort, and level of expertise required have dropped dramatically. Over the past year, AI models have become increasingly effective at reading and reasoning about code—they show a striking ability to spot vulnerabilities and work out ways to exploit them. Claude Mythos Preview demonstrates a leap in these cyber skills. The vulnerabilities it has spotted have in some cases survived decades of human review and millions of automated security tests.

Ten years after the first DARPA Cyber Grand Challenge, frontier AI models are now becoming competitive with the best humans at finding and exploiting vulnerabilities. Without safeguards, these capabilities could be used to exploit the many existing flaws in the world’s most important software. That could make cyberattacks much more frequent and destructive, and empower adversaries of the United States and its allies.

The glass half full

Although the risks from AI-augmented cyberattacks are serious, there’s reason for optimism. The same capabilities that make AI models dangerous in the wrong hands make them invaluable for finding and fixing flaws—and for producing new software with far fewer security bugs. Project Glasswing is an important step toward giving defenders a durable advantage.

Over the past few weeks, Anthropic has used Claude Mythos Preview to identify thousands of zero-day vulnerabilities (flaws previously unknown to the software’s developers), many of them critical, in every major operating system and every major web browser, along with a range of other important packages. The exploits it develops are increasingly sophisticated.

What I find interesting is the composition of the coalition. You’ve got cloud providers (AWS, Google, Microsoft), hardware companies (Apple, Broadcom, Cisco, NVIDIA), security specialists (CrowdStrike, Palo Alto Networks), a financial institution (JPMorganChase), and the Linux Foundation representing open source. This isn’t just a tech industry problem—it’s a cross-sector problem that requires cross-sector solutions.

The $100 million in usage credits is a smart move. It lowers the barrier for organizations that might otherwise not have access to this level of AI capability. And the $4 million in direct donations to open-source security organizations addresses a chronic underfunding problem in the open-source ecosystem.

What’s next

Project Glasswing is a starting point, not an end state. The work of defending the world’s cyber infrastructure might take years, but frontier AI capabilities are likely to advance substantially over just the next few months. For cyber defenders to come out ahead, they need to act now.

I’m cautiously optimistic about this. The coalition is impressive, the commitment is real, and the timing is right. But I’ve seen too many industry initiatives fizzle out to be fully confident. The proof will be in the execution—how many vulnerabilities actually get fixed, how quickly, and whether the defensive capabilities can keep pace with the offensive ones.

One thing is clear: the era of AI-powered cybersecurity is here, whether we’re ready or not. Project Glasswing is a bet that we can be ready. I hope they’re right.
