Anthropic's yet-unreleased Claude Mythos Preview AI model has autonomously discovered thousands of high-severity zero-day vulnerabilities in all major operating systems and web browsers. This breakthrough has prompted the company to launch Project Glasswing, a defensive cybersecurity coalition backed by up to $100 million in AI usage credits, with 11 founding partners including Amazon Web Services, Apple, Google, Microsoft, and Nvidia.
Claude Mythos Scores 83.1% on Cybergym, Outperforms Predecessor by Wide Margins
Anthropic describes the model as the largest capability improvement for a single model in the history of frontier AI. Training completed in early April 2026, with internal details leaked weeks earlier via a misconfigured content management system that exposed roughly 3,000 internal files. The Claude Mythos Preview scores 83.1% on Cybergym compared to 66.6% for Claude Opus 4.6, 93.9% on SWE-bench Verified (vs. 80.8%), and 77.8% on SWE-bench Pro (vs. 53.4%). On Humanity's Last Exam without tool assistance, it achieved 56.8%, up from 40.0%.
Notably, the model requires no specialized cybersecurity training to find these bugs. Its improvements stem from broader advances in reasoning, multi-step planning, and autonomous agent behavior. Given a target codebase in an isolated container, the AI reads source code, forms hypotheses about memory safety errors, compiles and runs the software, uses debuggers like Address Sanitizer, ranks files by vulnerability likelihood, and produces validated bug reports with working proof-of-concept exploits.
27-Year-Old OpenBSD Bug and 16-Year-Old FFmpeg Bug Cracked Within Hours
According to Tomshardware.com, a 27-year-old OpenBSD TCP SACK vulnerability — a subtle integer overflow allowing remote attackers to crash any responding host with crafted packets — was found autonomously after about 1,000 runs at a total cost of less than $20,000. A 16-year-old FFmpeg H.264 bug survived over five million automated tests and multiple audits before Mythos discovered it.
When testing Firefox 147's JavaScript engine, Mythos produced 181 full shell exploits and 29 instances of register control. Claude Opus 4.6 produced only two shell exploits in the same test set. The model also built working Linux kernel privilege escalation chains from user to root on servers, after filtering 100 recent CVEs down to 40 exploitable candidates and successfully exploiting over half of them. Human validators reviewed 198 of the model's vulnerability reports and agreed with severity ratings in 89% of cases, with 98% agreement within one severity level.
Project Glasswing: A Defensive Coalition with $100M in AI Credits
Anthropic announced Project Glasswing alongside the model on April 7, 2026. Less than 1% of identified bugs have been fully patched so far. The company is coordinating responsible disclosure, publishing cryptographic SHA-3 commitments for unpatched issues, and following a 90-plus-45-day timeline before full details are released. The FreeBSD NFS server remote code execution bug CVE-2026-4747, 17 years old, granting full unauthenticated root access, is among the examples already made public.
Founding partners of Project Glasswing include Amazon Web Services, Apple, Broadcom, Cisco, Crowdstrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. Access is being extended to over 40 other critical software organizations. Anthropic has committed $4 million in donations to open-source security: $2.5 million to Alpha-Omega via the OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation.
Anthropic Registers AnthroPAC Amid Pentagon Dispute
On April 3, 2026, Anthropic registered AnthroPAC with the FEC, establishing its first employee-funded PAC ahead of midterm elections focused on artificial intelligence. The company acknowledged that AI tools like Mythos lower the barrier for discovering and exploiting vulnerabilities, pointing to near-term risks from state actors (China, Iran, North Korea, Russia) and criminal groups if similar capabilities spread uncontrolled. It described a period of transitional turbulence before defenders fully integrate the technology. Upcoming releases of Claude Opus will include safety measures to detect and block dangerous cybersecurity outcomes, and a Cyber Verification Program is planned for screened security professionals. A public report on partner findings and patched vulnerabilities is expected within 90 days.

