The software your business depends on — your operating system, your browser, the open-source libraries inside every application you use — is written by humans. Humans make mistakes. And some of those mistakes have been sitting in code for decades, waiting to be discovered. Anthropic just deployed an AI model that found thousands of them.
What Project Glasswing actually is
Glasswing is a cybersecurity initiative announced by Anthropic in partnership with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation. The center of it: a specialized AI model called Claude Mythos Preview has been tasked with finding vulnerabilities in critical software before bad actors do. It's purely defensive — find the flaws, patch them, close the window before anyone can exploit it.
What the model found
The early results are not incremental. Claude Mythos Preview has already identified thousands of high-severity zero-day vulnerabilities across major operating systems and browsers — including a 27-year-old flaw in OpenBSD and a 16-year-old vulnerability in FFmpeg that had survived 5 million automated test runs without being caught. These aren't edge-case bugs. These are the kinds of issues that enable remote system crashes and privilege escalation attacks. The model scores 83.1% on cybersecurity vulnerability benchmarks, up significantly from previous AI generations.
Why the timing matters
Anthropic is explicit about the urgency: they want defensive AI capabilities established before these same techniques reach malicious actors. An AI that can find vulnerabilities can, theoretically, also exploit them. Getting the defensive tools deployed at scale first — with proper partners, proper governance, and patches already in place — is the strategic play. It's the same logic as distributing vaccines before an outbreak rather than during one.
What this means for your business
You won't interact with Project Glasswing directly. But the software you use every day is maintained by the open-source communities and enterprise vendors that Glasswing is protecting. More vulnerabilities found and patched before exploitation means fewer breaches hitting the tools you depend on. The initiative also includes $4 million in grants to open-source security foundations — organizations like Alpha-Omega, OpenSSF, and the Apache Software Foundation that do critical work, often without significant resources.
This is what defensive AI at scale looks like in practice. Not a product announcement. An infrastructure play for the security of software itself — and a signal that the most capable AI labs are thinking carefully about getting the defensive applications deployed before the offensive ones.