Project Glasswing Fortifies AI's Software Defenses

Key Takeaways

  1. Anthropic spearheads Project Glasswing: Tech giants like Amazon, Google, and Microsoft join Anthropic's new initiative to secure critical software using advanced AI.
  2. AI model uncovers critical flaws: Anthropic's Claude Mythos Preview model has already identified thousands of high-severity vulnerabilities, including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw missed by millions of tests.
  3. Massive investment in AI defense: Anthropic commits $100 million in usage credits for Mythos Preview and $4 million to open-source security organizations, accelerating AI-driven vulnerability detection and patching.

A coalition of tech giants, including Amazon, Google, and Microsoft, has joined Anthropic's new Project Glasswing, an urgent effort to secure critical software using advanced AI. This initiative, centered on Anthropic's unreleased Claude Mythos Preview model, aims to turn AI's unprecedented vulnerability-finding capabilities into a defensive advantage against a rapidly evolving cyber threat landscape, according to Anthropic. The model has already identified thousands of high-severity vulnerabilities across major operating systems and web browsers.

Project Glasswing was formed out of a stark realization: AI models can now surpass most skilled humans at uncovering and exploiting software vulnerabilities. This capability, demonstrated by Claude Mythos Preview, poses a significant risk if leveraged by malicious actors. Anthropic's goal is to redirect this power towards defensive cybersecurity, mitigating potential fallout for economies, public safety, and national security.

The Dual-Edged Sword of AI in Cybersecurity

Software vulnerabilities have always been a target for cyberattackers, leading to severe consequences for critical infrastructure, healthcare systems, and government agencies. Historically, finding and exploiting these flaws required specialized human expertise. However, the landscape has changed dramatically.

Over the past year, AI models have become highly effective at reading, reasoning about, and spotting weaknesses in code. Claude Mythos Preview represents a leap in these cyber skills. It has found vulnerabilities that eluded decades of human review and millions of automated security tests, developing sophisticated exploits autonomously, Anthropic states.

The same capabilities that make AI dangerous in the wrong hands also make it invaluable for identifying and fixing flaws, and for producing new software with fewer security bugs. Project Glasswing seeks to give defenders a crucial advantage in the AI era.

Unprecedented Vulnerability Detection

Anthropic's testing with Claude Mythos Preview has yielded remarkable results. The model has autonomously identified thousands of zero-day vulnerabilities (previously unknown flaws), many of them critical, in various major software components.

For instance, Mythos Preview found a 27-year-old vulnerability in OpenBSD, an operating system known for its security. This flaw allowed remote crashes. It also uncovered a 16-year-old bug in FFmpeg, a widely used video encoding library, despite 5 million automated tests missing the issue. The model even chained together multiple vulnerabilities in the Linux kernel to achieve full machine control from basic user access. These specific vulnerabilities have since been reported and patched.

Performance benchmarks underscore Mythos Preview's advanced capabilities. On the CyberGym vulnerability reproduction benchmark, Mythos Preview scored 83.1%, significantly higher than Anthropic's next-best model, Claude Opus 4.6, which scored 66.6%. The model also achieves the highest scores on various software coding tasks, including SWE-bench Pro at 77.8% compared to Opus 4.6's 53.4%.

Industry Collaboration and Future Outlook

Project Glasswing is a collaborative effort involving major industry players like Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. These partners will use Mythos Preview in their defensive security operations.

Anthropic is committing up to $100 million in usage credits for Mythos Preview across Project Glasswing participants and an additional 40 organizations involved in critical software infrastructure. These organizations can use the model to scan and secure both first-party and open-source systems. Anthropic also plans to donate $4 million directly to open-source security organizations, including $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation.

Anthony Grieco, SVP & Chief Security & Trust Officer at Cisco, emphasized the urgency of this shift.

"AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back. Our foundational work with these models has shown we can identify and fix security vulnerabilities across hardware and software at a pace and scale previously impossible."

This initiative aims to improve vulnerability detection, black box testing, endpoint security, and penetration testing. Within 90 days, Anthropic will publicly report on lessons learned and fixed vulnerabilities that can be disclosed. The project also involves discussions with US government officials, recognizing the national security implications of AI in cybersecurity. Project Glasswing represents a proactive step to evolve security practices in the AI era.

FAQ

Project Glasswing is an initiative led by Anthropic, in collaboration with major tech companies, to fortify software defenses using advanced AI. Its primary goal is to leverage AI's superior vulnerability-finding capabilities for defensive cybersecurity, mitigating risks posed by malicious actors.

Claude Mythos Preview is Anthropic's unreleased AI model at the heart of Project Glasswing. This model excels at identifying and exploiting software vulnerabilities, having already found thousands of high-severity flaws in major operating systems and web browsers. It aims to turn AI's power into a defensive advantage for cybersecurity.

A coalition of tech giants, including Amazon, Apple, Google, Microsoft, Cisco, CrowdStrike, JPMorganChase, the Linux Foundation, NVIDIA, and Palo Alto Networks, is collaborating on Project Glasswing. These partners will utilize Claude Mythos Preview in their defensive security operations.

Claude Mythos Preview has autonomously identified thousands of zero-day and critical vulnerabilities. Notable findings include a 27-year-old flaw in OpenBSD, a 16-year-old bug in FFmpeg, and a chain of vulnerabilities in the Linux kernel allowing full machine control.
