Anthropic has dropped a bombshell on the cybersecurity world: Claude Mythos Preview has discovered thousands of zero-day vulnerabilities across every major operating system and web browser. Some of these bugs had been hiding in plain sight for over 17 years.
What Is Claude Mythos?
Mythos is a new general-purpose language model that performs well across a range of tasks, but it has one standout capability: finding and exploiting software vulnerabilities. Anthropic says the model surpasses virtually all human security researchers at discovering exploitable flaws in critical software.
This is not incremental improvement. Previous AI models could assist with vulnerability research, but Mythos can autonomously identify, analyze, and exploit complex security flaws — a capability that fundamentally changes the cybersecurity landscape.
Project Glasswing
Rather than keeping this capability locked away or selling it to the highest bidder, Anthropic launched Project Glasswing — a controlled security initiative. Approximately 50 major organizations have received limited access to Mythos Preview to find and fix vulnerabilities in their own systems.
The partner list reads like a who’s who of tech: Apple, Google, Microsoft, the Linux Foundation, Amazon Web Services, NVIDIA, and JPMorgan Chase, among others.
What Has Mythos Found?
One of the most striking discoveries was a 17-year-old remote code execution vulnerability in FreeBSD (tracked as CVE-2026-4747) that allowed anyone to gain root access through NFS. Mythos found and exploited this bug entirely on its own.
But that is just the tip of the iceberg. Thousands of additional vulnerabilities have been identified, with over 99% still unpatched. Anthropic has responsibly withheld technical details, following coordinated vulnerability disclosure processes.
The Glasswing Paradox
This creates a fascinating paradox: the same tool that can break everything is also the tool that can fix everything. If Mythos can find thousands of bugs, then similar models in the hands of attackers could do the same — but for malicious purposes.
Anthropic’s own team estimates that similar capabilities will proliferate to other AI labs within 6 to 18 months. The clock is ticking for defenders to patch vulnerabilities before offensive AI catches up.
Industry Response
Just one week after Anthropic announced Glasswing, OpenAI released its own cybersecurity-focused model in a similarly limited rollout. This confirms that an AI arms race in cybersecurity has begun.
We have entered an era where AI can find bugs that the best human security teams overlooked for decades. The critical question is whether defenders will leverage these tools faster than attackers will.
Project Glasswing represents a responsible approach to an extraordinarily dangerous capability. But the reality is that this technology is spreading rapidly, and cybersecurity will never be the same.