TL;DR

Anthropic has handed a more capable, unreleased model called Mythos to Apple, Amazon, Microsoft, Cisco, Broadcom and CrowdStrike under a new initiative named Project Glasswing, focused on hunting software vulnerabilities. The company has no plans for a broad public release and is in discussions with US officials about the model’s security uses.

Restricted release for a dual-use tool

Anthropic unveiled Project Glasswing on Tuesday, giving vetted partners access to Mythos to identify flaws in their own products and share findings across the group. Bloomberg reports the model has already flagged a 27-year-old bug in critical internet software and a 16-year-old flaw in a line of video software code that automated testing tools had executed five million times without spotting it.

The company describes Mythos as a general-purpose model rather than a bespoke cyber tool, but has chosen a limited rollout because the same capabilities that find zero-days can be used to exploit them. Anthropic is committing up to $100 million in model credits to participating organisations and donating $4 million to open-source security groups.

A difficult month for Anthropic’s security posture

The announcement follows two embarrassing incidents. Last month, draft documents describing Mythos were found in a publicly accessible data cache, and last week the source code for Claude Code was briefly exposed. Anthropic attributed both to “human error”. Launching a tightly controlled cyber model days later puts the company’s own data handling under fresh scrutiny from the same enterprise customers it wants to convince.

Looking forward

For UK security teams, the signal matters even if Mythos never ships broadly. If frontier models can reliably surface decade-old flaws in widely deployed code, defensive roadmaps built around periodic scanning and manual triage will need rethinking. The more immediate question is how quickly similar capabilities appear in models without Project Glasswing’s access controls — and whether UK regulators will treat vulnerability-finding AI as a dual-use technology requiring oversight, as the US government is already signalling through its ongoing discussions with Anthropic.