Anthropic's Project Glasswing Shows What Happens When AI Gets Too Good at Breaking Software

Anthropic built a model so good at finding zero-days that they chose not to release it. Instead, they formed a 12-company coalition to use it defensively.

Anthropic built a frontier model so effective at finding software vulnerabilities that they decided the right move was to not ship it publicly. That decision alone is the story.

Claude Mythos Preview, the unreleased model behind Project Glasswing, has autonomously discovered thousands of zero-day vulnerabilities, including flaws in every major operating system and web browser. One OpenBSD vulnerability had survived 27 years of review. Another in FFmpeg went undetected through 16 years and five million automated test runs. The model can chain exploits for full privilege escalation, something previously only elite human red teams could pull off.

Rather than release Mythos Preview, Anthropic formed a 12-company defensive coalition: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Over 40 additional organizations are scanning critical infrastructure with it. Anthropic is committing $100M in usage credits and $4M to open-source security foundations.

The PM takeaway: "Capability overshoot" is now a real product strategy constraint. When your model surpasses elite hackers at exploit development, broad release becomes an existential risk decision — not a GTM one. Two things matter for product leaders: AI-powered security scanning will rapidly become table stakes, and sometimes the most defensible move is to restrict access, build a consortium, and own the safety narrative rather than race to ship.


Source: Anthropic — Project Glasswing