Project Glasswing and the Frontier Nobody Can See
There is a version of artificial intelligence that you are not allowed to use. It has found a 27-year-old flaw in OpenBSD's TCP implementation — a denial-of-service vulnerability that lets an attacker crash any server running the operating system by sending a pair of crafted packets. It has found a 16-year-old vulnerability in FFmpeg, the media library embedded in billions of devices. It has found critical flaws in every major web browser and every major operating system. It has identified more than 10,000 high- or critical-severity vulnerabilities in widely used software in under two months. It has done most of this without any human guidance, starting from nothing but a prompt.
The model is called Claude Mythos Preview. It was built by Anthropic, and Anthropic has decided, for the moment, that you cannot have it.
What you get instead is Project Glasswing — an invitation-only coalition of roughly 200 organizations across more than 15 countries, hand-selected by Anthropic to wield the most capable AI hacking tool ever built for the purposes of defense. The question nobody in the industry seems comfortable answering directly is whether that distinction — defense versus offense, curator versus gatekeeper — can hold.
A Tool Too Dangerous to Democratize
Anthropic announced Project Glasswing on April 7, 2026, alongside a coalition of launch partners that reads like an attendance list for a Davos panel on digital sovereignty: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Together they would receive access to Claude Mythos Preview — Anthropic's most capable model yet, and one the company has explicitly said it will not make publicly available.
The rationale is unusual for an AI company; the industry tends to treat general availability as both a business goal and a point of pride. Anthropic's explanation was direct. The company stated that Mythos Preview can "surpass all but the most skilled humans at finding and exploiting software vulnerabilities," and that releasing such a model without restriction could make large-scale cyberattacks "significantly more likely." Anthropic briefed senior U.S. officials on those risks, and the White House held meetings with major technology companies and financial institutions to discuss the implications. Whatever Anthropic showed those officials was apparently alarming enough that no one pushed back publicly on the decision to withhold the model.
The name comes from the glasswing butterfly, Greta oto, a tropical species whose wings are almost entirely transparent. You can see through it, but only because of what it is, not because it is trying to hide. Whether Anthropic's version of transparency lives up to its namesake is another matter.
What Mythos Can Do
The specific things Mythos Preview has demonstrated in the weeks since Glasswing launched are not abstract. The model found a critical flaw in wolfSSL, an open-source cryptography library deployed across billions of devices. It then autonomously constructed a working exploit, with no human telling it what to do next, that would allow an attacker to forge TLS certificates and impersonate a bank or email provider with a site that clients relying on the vulnerable library for certificate validation could not distinguish from the real thing. That vulnerability has since been patched and assigned CVE-2026-5194.
Separately, Mythos identified a 17-year-old remote code execution vulnerability in FreeBSD's NFS server, designated CVE-2026-4747. Anthropic described the discovery as "fully autonomous," meaning no human was involved after the initial prompt: the model read the code, identified the stack buffer overflow, built a 20-gadget exploit chain, and confirmed root access. That claim has attracted scrutiny from independent security researchers, some of whom note that the underlying code traces to a University of Michigan implementation from 2000 that MIT's branch patched in 2007, raising the question of whether Mythos retrieved something latent in its training data rather than reasoning its way to a genuinely novel discovery. Anthropic researcher Nicholas Carlini confirmed the model found it independently during internal testing.

The exploit itself, a 20-step return-oriented programming chain split across multiple packets, is technically sophisticated regardless of how the vulnerability was first identified, and the FreeBSD advisory credits Anthropic by name. The advisory is also more nuanced than Anthropic's marketing language about the authentication required to reach the bug: the stated conditions apply cleanly to userspace RPC servers, while the kernel NFS server case involves conditions that security researchers are still debating. None of this changes the core finding. It does suggest that Anthropic's public framing of Mythos's capabilities has occasionally outrun the precision of its supporting evidence.
Cloudflare, one of the Glasswing partners, reported finding 2,000 bugs through Mythos, 400 of them rated high or critical severity. The model's false-positive rate, Cloudflare's security team noted, was lower than that of human testers. Mozilla used Mythos Preview to find and fix 271 vulnerabilities in Firefox 150, more than ten times the number found in Firefox 148 using Claude Opus 4.6, Anthropic's previous-generation public model. The UK's AI Security Institute reported that Mythos Preview is the first model to solve both of its cyber ranges, simulations of multi-step cyberattacks, end to end.
In aggregate, across roughly 50 initial partners and more than 1,000 open-source projects, the project generated 23,019 candidate vulnerability findings. External security firms reviewed a subset of 1,900 of them and confirmed 1,726 as valid — a true-positive rate of 90.8%. Of those, 1,596 were reported to software maintainers. As of late May 2026, only 97 had been patched.
That last number — 97 out of 1,596 disclosed — is what everyone should be thinking about.
The Bottleneck Nobody Planned For
For most of software security's history, the limiting constraint was finding vulnerabilities. It required rare expertise, painstaking manual review, and significant time. Automated scanning tools helped, but they generated enough false positives that human triage remained essential. Defense was always reactive for the same reason offense was slow: both sides were constrained by the same scarce human skill.
Mythos Preview has broken that symmetry. The model finds vulnerabilities at a pace that does not slow down, does not take sick days, and does not require a PhD, and on the reviewed sample it did so with a 90.8% true-positive rate (1,726 of 1,900 findings confirmed). That is a precision figure, not an accuracy figure: it says nothing about what the model missed. The bottleneck is no longer discovery; it is the human capacity to triage, understand, report, and patch.
Anthropic acknowledged this directly in its initial update on the project. The company noted that high- or critical-severity findings take an average of two weeks to patch. Some open-source maintainers — the often-volunteer developers who maintain the foundational code that the entire internet runs on — have asked Anthropic to slow its disclosure rate because they cannot keep up. They are receiving more confirmed vulnerability reports than they have staff to process.
This is the structural irony at the heart of Glasswing. Anthropic has built a machine that is dramatically better at finding security problems than humans are at fixing them, and has deployed it specifically to help the people responsible for fixing things. The result has been a surge of work that the open-source ecosystem, chronically underfunded and understaffed, was not designed to absorb.
The gap between what AI can find and what humans can fix is not a temporary scaling problem. It is, increasingly, the shape of modern cybersecurity.
The Gatekeeper Problem
Anthropic has been transparent that its rationale for restricting Mythos is time, not permanence. The company believes that similar capabilities will be available from other AI developers within six to twelve months, at which point a Mythos-class model will exist whether or not Anthropic controls access to one. The goal of Glasswing is to get defensive infrastructure — patched codebases, trained security teams, established frameworks — in place before that proliferation happens. Anthropic framed this explicitly: the program is "an urgent attempt to put these capabilities to work for defensive purposes" before the capabilities end up in other hands.
The argument is coherent. It is also the argument that every organization in history has made when it decided to be the one in charge of something dangerous.
Security researcher Bruce Schneier has raised the obvious objection: if equivalent models are indeed twelve months away, the window during which Anthropic's gatekeeping matters is narrow and narrowing. Once the capabilities proliferate — from other AI labs, from fine-tuned open-source models, from state-sponsored research programs — the fact that Anthropic ran a curated coalition for a year will be a footnote. The question is whether the work done in that window was sufficient to meaningfully change the defensive posture of the global software ecosystem before attackers catch up.
There is also a question of who counts as a defender. The initial 50 Glasswing partners were, with limited exceptions, large corporations and well-resourced technology companies: Microsoft, Google, Cisco, JPMorganChase. The June expansion brought the total to roughly 200 organizations across sectors including healthcare, energy, water, and communications. But the open-source software maintainers who most urgently need help — the small, often volunteer-staffed projects whose code is embedded in millions of other systems — are not large corporations. They are individuals. They are working on nights and weekends. And they are, in some cases, the ones asking Anthropic to stop sending them more vulnerability reports because they do not have enough hours in the day to process the ones they already have.
The Transparency Paradox
There is something worth examining in the way Anthropic has communicated about all of this. The company has been more forthcoming about Mythos's capabilities than almost any comparable disclosure in recent AI history. It published a detailed technical blog post on its Frontier Red Team site describing specific exploits the model developed, including the wolfSSL certificate forgery and the FreeBSD root access vulnerability. It maintains a public coordinated vulnerability disclosure dashboard that tracks, in real time, the progress of each finding from discovery through patch. It has acknowledged the bottleneck problem in its own communications rather than spinning it as a success story.
This level of transparency is genuinely unusual for a company sitting on a capability it has decided to withhold. It is also strategically coherent. By publishing what Mythos can do, Anthropic establishes the urgency of the problem — and therefore the legitimacy of its own role as gatekeeper. The capability is terrifying enough to justify restriction, and Anthropic is the responsible party trusted to decide who gets access. The transparency makes the argument for the program while simultaneously cementing the company's authority over it.
Critics might note that this is a very convenient position for a company that also has an IPO filing in progress and a $65 billion Series H valuation to protect.
Who Decides What the Frontier Looks Like
The deeper issue that Glasswing surfaces is one that the AI industry has not yet fully confronted: the question of who gets to decide when a capability is too dangerous to share, and according to what criteria.
Anthropic's decision to withhold Mythos Preview is not, in isolation, obviously wrong. The evidence that the model could cause serious harm in unvetted hands is substantial and, unusually, publicly documented. A model that can autonomously forge TLS certificates, build a multi-stage remote root exploit against an operating system's NFS server, and identify 27-year-old denial-of-service flaws in hardened operating systems is not a tool that should be available through an API to anyone with a credit card.
But the decision to withhold was made by Anthropic. The decision about which 200 organizations qualify for access was made by Anthropic. The decision about what "security requirements" prospective partners must meet was made by Anthropic. The company has consulted with the U.S. government and worked alongside open-source maintainers, but at the end of the process, a private company with its own financial incentives and institutional perspectives is the entity deciding which organizations in which countries get to use the most powerful hacking tool ever built.
There is no international treaty governing this. There is no independent oversight body. There is no appeal process for organizations that apply and are rejected. There is Anthropic's judgment, and the trust the broader ecosystem has chosen to extend to it.
The glasswing butterfly's transparency is a product of evolution: the clear regions of its wings carry no pigment, and nanostructures on the wing membrane suppress reflection, which makes the wings nearly invisible to predators. The transparency is not performed. It is structural.
Whether the same can be said of a private company deploying a trillion-dollar AI capability behind a vetting process it controls entirely is, at minimum, a question worth asking more loudly than the industry currently is.
The Race That Is Already Happening
The scenario Anthropic is trying to outrun is not hypothetical. The company's own research has documented AI models being used to write functional malware, to assist ransomware operations, and to identify exploitable vulnerabilities in production systems. OpenAI has launched a parallel program called Daybreak, providing similar restricted access to GPT-5.5-Cyber for vetted security professionals. Neither model is publicly available. Both companies are making the same bet: that getting defensive infrastructure in place before the capabilities proliferate is possible, and that the window to do it is now.
Anthropic estimates that window at six to twelve months. That is not a lot of time. It is also a number derived from Anthropic's own modeling of AI progress, which is not a neutral or disinterested prediction.
What the first two months of Glasswing have demonstrated is that the capabilities are real, the defensive applications are real, and the structural challenges are also real. A model that can find 10,000 high- or critical-severity vulnerabilities cannot make 10,000 open-source maintainers appear to fix them. A coalition of 200 curated organizations cannot secure the software infrastructure of a connected world that runs on millions of codebases, many of them maintained by people who have never heard of Project Glasswing and would not qualify for it if they had.
The butterfly has transparent wings. What you can see through them is a problem that is larger than any single company was ever going to solve.