Anthropic’s unreleased Claude Mythos Preview has autonomously identified thousands of high-severity zero-day vulnerabilities across every major operating system and web browser, prompting the company to launch Project Glasswing, a defensive cybersecurity coalition backed by up to $100 million in AI usage credits.
Key Takeaways:
Anthropic’s Claude Mythos Preview scored 83.1% on Cybergym, finding thousands of zero-days across every major OS and browser. Project Glasswing launched April 7, 2026, with 11 founding partners and up to $100 million in Mythos usage credits for defenders. A 27-year-old OpenBSD flaw and a 16-year-old FFmpeg bug survived millions of automated tests until Mythos found them in hours. Claude Mythos AI Scored 83% on Cybergym and Found Critical Flaws Across Every Major Browser and OSOn cybersecurity benchmarks, the gap between Mythos and Claude Opus 4.6 is hard to ignore. Mythos scored 83.1% on Cybergym versus 66.6% for Opus 4.6, and 93.9% versus 80.8% on SWE-bench Verified. On SWE-bench Pro, it posted 77.8% against 53.4% — a 24-point spread. It hit 56.8% on Humanity’s Last Exam without tools, compared to 40.0% for its predecessor.
The model does not need cybersecurity-specific training to find these bugs. Its gains come from broader advances in reasoning, multi-step planning, and autonomous agentic behavior. Given a target codebase in an isolated container, it reads source code, forms hypotheses about memory-safety flaws, compiles and runs the software, uses debuggers like Address Sanitizer, ranks files by vulnerability likelihood, and produces validated bug reports with working proof-of-concept exploits.
The browser results drew particular attention. On Firefox 147 JavaScript engine testing, Mythos produced 181 full shell exploits and 29 register-control cases. Claude Opus 4.6 produced two shell exploits across the same test set. The model also built working Linux kernel privilege-escalation chains, user to root on servers, after filtering 100 recent CVEs down to 40 exploitable candidates and successfully exploiting more than half.
Human validators reviewed 198 of the model’s vulnerability reports and agreed with its severity ratings 89% of the time, with 98% agreement within one severity level.
Project GlasswingAnthropic committed $4 million in open-source security donations: $2.5 million to Alpha-Omega through the OpenSSF via the Linux Foundation, and $1.5 million to the Apache Software Foundation.
