Anthropic’s Glasswing uses Claude Mythos to hunt software flaws

Anthropic’s Project Glasswing uses a restricted Claude Mythos Preview with 12 launch partners and $100M in credits to find and fix foundational software flaws. Palo Alto reported 26 CVEs in one month.

Anthropic’s Project Glasswing is a controlled program that uses the restricted Claude Mythos Preview model to search for vulnerabilities in foundational software. The initiative involves 12 launch partners, more than 40 additional organizations and a $100 million pool of usage credits provided by Anthropic.

Anthropic is not releasing the Mythos model to the public. Access has been granted to a set of partners that includes AWS, Microsoft, Google, NVIDIA, JPMorgan Chase and Palo Alto Networks. Participating organizations run the model against core software stacks to surface and remediate security flaws.

Program participants say attackers scan and exploit weaknesses faster than many enterprises can patch them, and development teams are delivering code faster than traditional security reviews can follow. At the same time, autonomous software agents are beginning to connect to internal tools, private databases, cloud environments and developer workflows, expanding the types of assets that need protection beyond networks and endpoints.

Palo Alto Networks reported that work with Project Glasswing produced 26 publicly cataloged CVEs in a single month, covering 75 underlying issues. The company compared that figure with a typical monthly disclosure rate of fewer than five CVEs. Palo Alto Networks estimates organizations may have roughly a three- to five-month window to deploy comparable defenses before similar AI capabilities become more widely available.

CrowdStrike, a founding member of Project Glasswing, is concentrating on protecting the environments where AI runs rather than only on vulnerability discovery. CrowdStrike’s 2026 Global Threat Report reported an 89% year-over-year increase in attacks by adversaries using AI. The company described its role as: “Anthropic builds the model. CrowdStrike secures AI where it executes.”

A second layer of tools aims to govern and constrain what AI agents can access. JFrog launched a registry to govern the connectors that allow AI agents to plug into external tools such as project management software and internal databases, applying controls similar to those used for other software components. Cloudflare introduced Cloudflare Mesh, a private, encrypted network that lets humans, code and AI agents reach internal systems without routing that traffic over the public internet.

Jeffrey Schreiner, vice president of investor relations at JFrog, spoke at J.P. Morgan’s Global Technology, Media & Telecom Conference on May 19, noting that governance will be important as autonomous capabilities expand:

“Governance is the next thing. We’ve got Cloud and Security today as growth drivers. As we move to a more autonomous world, your governance is going to be critical.”

The ROBO Global Artificial Intelligence Index (THNQ) maps the theme primarily to the Network & Security subsector and notes overlap with Cloud Providers, Big Data/Analytics, Business Process and Semiconductors. Anthropic’s approach keeps Mythos out of the public domain while partners report early findings and apply fixes using the allotted usage credits.
