Anthropic published Project Glasswing this week, and buried in the announcement is a detail that should concern everyone who runs software used by other people: their unreleased frontier model, Claude Mythos Preview, found a 27-year-old vulnerability in OpenBSD that allowed remote machine crashes via a simple network connection. It also found a 16-year-old vulnerability in FFmpeg — in code that had been hit by automated testing tools 5 million times without detection. The model chained several Linux kernel vulnerabilities autonomously to achieve full privilege escalation from ordinary user to complete machine control.
These aren’t curated demos. These are vulnerabilities that survived decades of human review, millions of automated scans, and competitive bug bounty programs. The model found them in weeks, without human steering.
The Threshold Has Been Crossed
Anthropic’s own framing is correct: AI has reached a threshold where the cost and expertise required to exploit software have dropped dramatically. The benchmarks tell the story:
| Benchmark | Mythos Preview | Claude Opus 4.6 |
|---|---|---|
| CyberGym (Vuln Reproduction) | 83.1% | 66.6% |
| SWE-bench Verified | 93.9% | 80.8% |
| SWE-bench Pro | 77.8% | 53.4% |
| Terminal-Bench 2.0 | 82.0% | 65.4% |
A 16-point jump on CyberGym. A 24-point jump on SWE-bench Pro. This isn’t incremental improvement — this is a phase transition.
The attack surface this opens is not theoretical. CrowdStrike’s CTO put it plainly: “The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI.” Cisco’s security chief said the old ways of hardening systems are no longer sufficient.
They’re not wrong.
The Consortia Approach Is Not a Solution
Anthropic’s response — and this is the interesting part — is not to ship the model. They’re instead building a consortium of 40+ organizations (Apple, Amazon, Google, Microsoft, NVIDIA, CrowdStrike, Palo Alto Networks, the Linux Foundation, JPMorganChase) and giving them access to Mythos Preview for defensive scanning. They’re committing $100M in usage credits and $4M in direct donations to open-source security (Alpha-Omega, OpenSSF, Apache Software Foundation).
This is a containment strategy. It’s also a pre-NSA play.
Think about what this actually is: a frontier model with autonomous exploit development capabilities, restricted to a approved list of defense contractors and tech giants. Sound familiar? This is the 1990s crypto wars playing out in 2026. The argument then was that strong cryptography was too dangerous for civilians — it had to be controlled in case bad actors got it. The argument now is that AI-driven exploit discovery is too dangerous for civilians — it has to be controlled in case bad actors get it.
The crypto wars ended not because the threat model went away but because the controls were technically unenforceable and the economic incentives pushed toward widespread deployment anyway. The same dynamics are at play here. The model will be stolen. It will be distilled. It will run on hardware Anthropic doesn’t control. The consortium approach slows proliferation. It doesn’t stop it.
What the 90-Day Report Will Tell Us
Anthropic says they’ll publish a public report in 90 days covering vulnerabilities fixed and lessons learned. That report will be the real signal. If the consortium is actually finding and patching vulnerabilities faster than adversarial actors can develop them, the containment strategy has merit. If the report shows that Mythos Preview found mostly known-patchable issues that human researchers would have gotten to eventually, the $100M was a fence around a horse that was already out.
My guess: the report will be carefully written to show maximum value while revealing minimum specifics. That’s how these things work. The vulnerabilities will be described in enough detail to demonstrate impact, but not enough to reconstruct the exploits.
The Open Source Problem Is Structural
The Linux Foundation and Apache Software Foundation are receiving direct donations as part of this initiative. That’s appropriate — the open source supply chain is the backbone of global infrastructure, and it is maintained by a globally distributed set of maintainers who are chronically underfunded and overworked. Mythos Preview finding vulnerabilities in Linux kernel code is not a surprise. The kernel has had vulnerabilities for decades. The surprise is that it took this long for a model to be pointed at it.
The structural problem is that open source software is produced by volunteers and maintained on zero-margin infrastructure, but it underpins systems that generate trillions of dollars in value for corporations. The corporations have no obligation to fund the maintainers beyond what those maintainers explicitly ask for, and the maintainers often don’t ask because they don’t want to appear needy or because they genuinely don’t understand the business relationships their work enables.
Anthropic dropping $2.5M into Alpha-Omega and OpenSSF is a rounding error against the market cap of the consortium members. It is not a structural fix. It is a gesture.
The Real Take
The Glasswing announcement is not primarily a security story. It is a story about the centralization of offensive AI capabilities and the political/economic decision to keep those capabilities restricted to a trusted circle. Anthropic made a cyberweapon. They know they made a cyberweapon. They’re trying to manage the consequences of that through commercial relationships rather than technical restrictions, because technical restrictions on AI models are functionally unenforceable.
What happens when an adversarial nation-state or non-state actor achieves comparable capability? What happens when someone distills the model? What happens when the 90-day report comes back and it’s underwhelming?
The answers to those questions will determine whether this consortium model is remembered as responsible stewardship or as the most expensive head-fake in the history of AI security.
Primary Sources