Project Glasswing and Claude Mythos: The Quiet Birth of a Standing Coalition Over the Internet
Anthropic just told twelve of the biggest companies on Earth that they can have private access to a model that finds zero-days better than nearly any human. The rest of us have to wait. They are calling it safety. We should ask what it actually is.
On April 7, 2026, Anthropic published two posts that together describe a moment most of us were promised would happen "someday" and almost no one expected to see this year. A frontier AI model that finds zero-day vulnerabilities better than nearly every human alive — and a deliberate decision not to release it to the public. Instead, the model goes to a private coalition of twelve of the most powerful companies on the internet, with $100 million in usage credits attached, so they can scan and "fix" the world's critical infrastructure before the rest of us are allowed near it.
They're calling it Project Glasswing. The model is Claude Mythos Preview. Anthropic says it's a safety move. We need to talk about whether that's the whole story.
What Anthropic actually said
The numbers in the Mythos Preview research post are not subtle. From Anthropic's own red team blog, dated April 7, 2026:
- Mythos found thousands of high-severity vulnerabilities across "every major operating system and web browser."
- On the Firefox 147 JavaScript engine, the previous flagship model (Claude Opus 4.6) achieved 2 successful exploits across "several hundred attempts." Mythos achieved 181, plus register control on 29 more.
- An OpenBSD TCP SACK vulnerability that had been sitting in production code for 27 years was found for under $50 in compute. Validating it across a thousand runs cost $20,000.
- A 17-year-old FreeBSD NFS bug (CVE-2026-4747) that "allows anyone to gain root on a machine running NFS" — chained across six sequential RPC requests.
- "In one case, Mythos Preview wrote a web browser exploit that chained together four vulnerabilities, writing a complex JIT heap spray that escaped both renderer and OS sandboxes."
- Of the manually reviewed reports, expert contractors agreed with Claude's severity assessment exactly 89% of the time, and within one severity level 98% of the time.
- Over 99% of the vulnerabilities Mythos found are still unpatched.
That last bullet is the one to sit with. The internet you are reading this on, right now, is full of holes that one specific AI model already knows about and that nobody has fixed yet.
Anthropic's response to this is not to release the model. It's the opposite. From the same post: "we do not plan to make Mythos Preview generally available." Instead it goes to Project Glasswing — a coalition Anthropic calls "an effort to use Mythos to help secure the world's most critical software."
Who's at the table

The launch partners are, in Anthropic's own listing: Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic says "over 40 organizations" total have extended access.
Read that list again. Two of the world's three largest cloud providers. The dominant operating system vendor on PCs. The dominant operating system vendor on phones. The two largest endpoint security companies. The biggest US bank by assets. The company that makes the GPUs every other AI on this list runs on. And the foundation that stewards Linux — the kernel that runs almost every server, every Android phone, and a substantial fraction of the appliances in your house.
That is not a coalition of "stakeholders." That is a list of chokepoints. If you wanted to pick the smallest set of companies whose cooperation would give you privileged access to nearly every internet-facing system on Earth, this is the list you would pick. And Anthropic just wired $100 million in usage credits and $4 million in donations to make sure every one of them is sitting at the same private table, running the same private model, on the same private vulnerabilities, before the rest of the world knows those vulnerabilities exist.
The CrowdStrike CTO, quoted in the announcement, says the quiet part out loud: "The window between vulnerability discovery and exploitation has collapsed — months now happens in minutes with AI." Cisco's chief security officer goes further: "AI capabilities have crossed a threshold that fundamentally changes urgency to protect critical infrastructure from cyber threats."
So they understand what they're holding. The question is what they intend to do with it after the press release fades.
Is this a trap, a gotcha, or just the new normal?
Here is the official story, and on its face it is not unreasonable: a model has crossed a capability threshold where releasing it openly would hand a generational offensive weapon to anyone with an API key. Anthropic looked at the internal benchmarks, blinked, and decided to spend a few months running every Linux distribution, every browser, every cloud control plane, and every major bank's infrastructure through the model in a controlled coalition before public release. The defenders get a head start. The patches go out. Then — maybe — Mythos ships. Or its successor does.
That's the story. It's a coherent story. And it might even be the true story.
But it leaves about six questions unanswered, and the questions matter more than the press release.
Question 1: Even if the meltdown is prevented, then what?
Suppose Glasswing works exactly as advertised. Every critical zero-day Mythos found gets quietly patched over the next few months. Anthropic ships Mythos publicly. The internet does not collapse. Victory.
Then what?
The next model is already in training. It will be more capable than Mythos. It will find more bugs, deeper bugs, weirder bugs — and it will find them in the patches Mythos's findings just produced, because that's how this works. Does Anthropic then convene Project Glasswing 2, with the same twelve companies, $100 million more in credits, and another private hardening sprint before the next model ships? And again for the one after that? And the one after that?
Because if the answer is yes, we have just invented a permanent institution. A standing private body, made up of the same dozen companies, that gets first look at every frontier model's offensive capabilities before any of the rest of us do, in perpetuity, justified each time by the safety logic that worked the first time. This is not a hypothetical. The economic and reputational gravity of "we did this before and it prevented disaster" is enormous. Nobody walks away from a coalition that successful.
Question 2: Does Anthropic stop building more capable models?
The Mythos post is unambiguous about why the model is being held back: "we need to make progress in developing cybersecurity (and other) safeguards that detect and block the model's most dangerous outputs." The plan is to ship those safeguards "with an upcoming Claude Opus model" and refine them before deploying anything Mythos-class.
This is a sensible-sounding sentence that quietly contains an enormous assumption: that the next model will be contained by safeguards built using lessons from this model. Every previous generation of AI safety work has had a roughly 18-month half-life before the next capability jump made the previous safeguards quaint. There is no public evidence that this trajectory has changed. There is, on the other hand, lots of public evidence in the Mythos post itself that the trajectory has accelerated.
If your safeguard development cycle is slower than your capability development cycle — and Anthropic's competitors are not pausing — then "we'll deploy the safeguard with the next model" is not a plan. It's a treadmill.
Question 3: Or do they embed permanently?

Here is the alternative, which nobody at Anthropic has said out loud but which is the natural endpoint of the logic Glasswing is built on:
The next time a frontier lab — any frontier lab — is about to release a model that can find novel vulnerabilities, the responsible-disclosure window is no longer measured in days or weeks. It's measured in "before the model leaves our datacenter." The only way to make that work at scale is to give the lab's pre-release model standing, ongoing, automated access to the source code of every major piece of internet-facing software on Earth. The model audits. The model proposes patches. The patches get merged. Then the public release happens.
The reason this is the natural endpoint is speed. Human review of every model-proposed patch, across every major codebase, on every release, would take months. Models ship every few months. The math does not work with humans in the loop. So the loop, eventually, doesn't have humans in it. It has a model from one lab proposing patches that another model — or just CI — accepts and ships, into production, on infrastructure billions of people depend on, without anyone slow enough to be liable having read the diff.
This is not Skynet. Skynet was a Hollywood story about a single conscious AI deciding to kill humanity. It is, somehow, a less unsettling scenario than what Glasswing is rehearsing, which is much quieter and much harder to undo: an emergent equilibrium where every major piece of software on the internet is being continuously rewritten by frontier AI models from one of three or four labs, because the alternative — letting the next model release into a world full of unpatched holes the model already knows about — is unthinkable.
Once that equilibrium exists, the labs don't have to seize control of anything. They are the control. Pulling out would mean undoing the patches, exposing the bugs, and reverting to a known-vulnerable state. Nobody will choose that. So nobody will.
Question 4: Why these twelve, and what about everyone else?
The Glasswing coalition does not include any government. It does not include CISA, ENISA, NCSC-UK, or any equivalent. It does not include any independent security research organization. It does not include any university. It does not include any major non-US company outside of the listed multinationals. It does not include any of the open source projects whose maintainers will be expected to merge the patches it produces — except via the Linux Foundation, which is itself funded by almost every company already on the list.
This is not a criticism of any individual partner. Each one of them has legitimate security work to do. The point is structural: a model with the capabilities the Mythos post describes is a public-safety artifact, and the body governing it is a private commercial coalition. There is no public oversight mechanism. There are no published criteria for who gets in and who doesn't. There is no exit clause.
The Linux Foundation's CEO, in his Glasswing quote, frames this charitably: "Open source maintainers have historically figured out security alone" without expensive security teams. He's not wrong. But he is also describing a world in which a small number of well-funded companies are about to start handing patches to volunteer maintainers who have no realistic ability to verify the patches were not subtly modified, no leverage to refuse, and no recourse if the model that wrote the patch turns out to have its own preferences about how the code should look.
Question 5: What does Anthropic gain?
Take the most cynical possible reading of Glasswing for a moment. Not because it's right, but because the steel-manned cynical reading is the one that will tell you what the institution looks like in five years if every actor inside it behaves rationally.
From that angle, Glasswing is the moment Anthropic transitions from "AI lab" to "critical infrastructure provider." The pricing is published — $25 per million input tokens, $125 per million output tokens — which makes Mythos roughly five times the cost of Opus 4.6 on output. Twelve of the largest enterprise customers in the world are now contractually entangled with this pricing through usage credits. Microsoft, Google, and AWS — three competitors of Anthropic in the foundation-model business — are simultaneously distribution channels for Mythos via Bedrock, Vertex AI, and Foundry. JPMorgan is a customer. Apple is a customer. The Linux Foundation is a partner.
This is the moment a single company stops being one of several competing labs and starts being the gatekeeper of a shared resource that none of those twelve organizations can afford to be locked out of. The cybersecurity framing is how that gatekeeping is made acceptable. Nobody would have agreed to this five years ago. Almost everybody is going to agree to it now, because the alternative is letting Mythos — and whatever comes after Mythos — loose without their fingerprints on the patches.
Question 6: What happens to the people who don't get patched?

Anthropic's own number: over 99% of the vulnerabilities Mythos found are still unpatched. The Glasswing coalition is going to fix what its twelve members care about — which means the pieces of the internet that those twelve companies depend on, sell, or use in their own products. That is a lot of the internet, but it is not all of it.
What it is not: the small open source library that's a transitive dependency of half of npm, maintained by one person in Belgium with no Glasswing access. The legacy industrial control system at a water utility in a city of 60,000. The medical device firmware whose vendor stopped existing in 2019. The university research cluster running an unsupported Linux. The election infrastructure of a county that doesn't have a CISO. The router in your parents' house.
Those systems are running, right now, the same code Mythos already broke. And they will keep running it. The vulnerabilities Mythos found in them are not going to be in any patch advisory, because nobody in Glasswing has a commercial reason to triage them. They will sit in the code, known to one model and the small group of researchers who run it, until an attacker — possibly a nation state, possibly a future open-source model — finds them independently.
Glasswing is not a security project for the internet. It is a security project for the parts of the internet that Glasswing's members own. Everyone else is, by definition, the attack surface that gets left behind.
What to actually watch for
It is entirely possible that we are wrong about all of this. It is possible that Glasswing concludes in nine months, every major bug gets patched, Mythos ships publicly with appropriate guardrails, and the coalition disbands. That is the optimistic, charitable reading, and it might be right.
Here is what to watch for, to know which version we're living in:
- Does Glasswing dissolve, or does it incorporate? A temporary safety initiative ends. A permanent body holds quarterly meetings. Watch for the second one.
- Does the partner list grow, or does it stabilize at "the original twelve plus a handful of allies"? The wider it stays, the more it's a coalition. The narrower it stays, the more it's a club.
- Is there ever a published list of what got patched? Anthropic's Mythos post includes SHA-3 commitment hashes for unreleased findings. That's a credibility move. Watch whether those hashes ever get unsealed, on what timeline, and whether they cover everything Mythos found or just the parts the coalition decided to disclose.
- Is there an exit? Specifically: is there ever a moment when Anthropic releases Mythos or a successor publicly, with no Glasswing-style coalition gating the next version? If the next frontier model also gets a private hardening sprint before public release, the precedent has hardened. If it doesn't, Glasswing was a one-time emergency response.
- Does any government step in? The most telling thing about the Glasswing announcement is which entity is conspicuously absent. There is no equivalent of a Bletchley-style intergovernmental statement, no AISI co-signature, no CISA seat at the table. If that stays true, the precedent is that frontier capability decisions of this magnitude are made entirely by private actors. If a government does step in, watch carefully which one, and on what terms.
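How a reader could check an unsealing against the published commitments, as an added example that is not from Anthropic's post or from this article's author. It assumes each commitment is a plain hex SHA-3 digest of the exact bytes of the later-disclosed document, infers the SHA-3 variant from the digest length, and uses constructed sample data and hypothetical function names.

```python
import hashlib
import hmac

# Hex digest length -> SHA-3 variant. The page only says "SHA-3", so the
# variant is inferred from the length of each published value (assumption).
_VARIANTS = {56: "sha3_224", 64: "sha3_256", 96: "sha3_384", 128: "sha3_512"}


def commitment_matches(published_hex: str, disclosed: bytes) -> bool:
    """True if the disclosed bytes hash to the published commitment."""
    published_hex = published_hex.strip().lower()
    algo = _VARIANTS.get(len(published_hex))
    if algo is None:
        raise ValueError("not a SHA-3 hex digest length")
    digest = hashlib.new(algo, disclosed).hexdigest()
    return hmac.compare_digest(digest, published_hex)


def audit_unsealing(published: list[str], disclosed: dict[str, bytes]) -> dict:
    """Map disclosures onto commitments and report what is still sealed."""
    opened, unmatched = {}, []
    for name, blob in disclosed.items():
        hit = next((c for c in published if commitment_matches(c, blob)), None)
        if hit is None:
            unmatched.append(name)  # altered after commit, or never committed
        else:
            opened[hit.strip().lower()] = name
    sealed = [c for c in published if c.strip().lower() not in opened]
    return {"opened": opened, "sealed": sealed, "unmatched": unmatched}


# Constructed sample data (not real commitments or findings).
REPORT_A = b"constructed report A: placeholder finding text\n"
REPORT_B = b"constructed report B: placeholder finding text\n"
PUBLISHED = [
    hashlib.sha3_256(REPORT_A).hexdigest(),
    hashlib.sha3_512(REPORT_B).hexdigest(),
    hashlib.sha3_256(b"constructed report C, never disclosed\n").hexdigest(),
]

if __name__ == "__main__":
    result = audit_unsealing(PUBLISHED, {
        "a.txt": REPORT_A,
        "b.txt": REPORT_B + b"edited after commit",  # no longer matches
    })
    print(result)
```

Matching is byte-exact, so a disclosed document has to be hashed as released, without re-encoding or whitespace changes. The `sealed` list is the part that answers the coverage question: commitments that were published but never opened.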
The thing nobody wants to say
The most honest sentence in the Mythos Preview post is also the easiest one to skim past: "In the short term, this could be attackers, if frontier labs aren't careful about how they release these models."
That is Anthropic admitting, in a footnote-shaped sentence, that there is no version of this technology that doesn't end with someone like Mythos in the hands of someone like an attacker. The only question is whether it gets there via a lab leak, an open release, an espionage operation, an insider, an adversary's independent training run, or — eventually — just the slow march of capability that puts what was frontier today in the open-source models of three years from now.
Glasswing buys time. Maybe a lot of it. But "buys time" is not the same as "solves the problem." It is the same as "moves the problem to whoever inherits it." And what the coalition is quietly building, in the time it has bought, is the institutional muscle memory for letting the next, more capable model do exactly what Mythos is doing right now — only on a wider scope, on a tighter timeline, and with even fewer of us in the room.
When that moment comes, the people in the room will look at each other and decide it is unthinkable to do anything other than what they did the first time. Because the first time worked.
They will be right. And they will be wrong. And we will not be invited.
Sources:
- Anthropic Red Team — "Claude Mythos Preview," April 7, 2026: https://red.anthropic.com/2026/mythos-preview/
- Anthropic — "Project Glasswing," April 7, 2026: https://www.anthropic.com/project/glasswing
- Anthropic Glasswing landing page: https://www.anthropic.com/glasswing