Anthropic Glasswing: Securing Software for AI

Announcement of Project Glasswing — a coalition (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks) using Anthropic’s unreleased Claude Mythos Preview to find and fix software vulnerabilities.

Key Claims

  • Claude Mythos Preview can surpass all but the most skilled humans at finding and exploiting software vulnerabilities
  • Found thousands of zero-day vulnerabilities in every major OS and web browser, many autonomously
  • Notable finds:
    • 27-year-old vulnerability in OpenBSD (remotely crash any machine)
    • 16-year-old vulnerability in FFmpeg (hit 5 million times by automated testing without catching)
    • Multiple Linux kernel vulnerabilities chained for privilege escalation
  • CyberGym benchmark: Mythos Preview 83.1% vs Opus 4.6 66.6%
  • Anthropic committing 4M to open-source security organizations
  • Model not generally available — access only through partners and vetted organizations

Takeaways

  • This is a watershed moment: AI models are now competitive with the best human security researchers
  • The offensive/defensive asymmetry is real: same capabilities that find vulns can exploit them
  • The restricted access model is the source of significant controversy (see Closing of the Frontier)
  • “The window between vulnerability discovery and exploitation has collapsed — what once took months now happens in minutes with AI” (CrowdStrike)
  • Open-source maintainers getting access is critical — they maintain most of the world’s critical infrastructure

Connections