Anthropic has built an AI that's genuinely scary good at finding security vulnerabilities. Claude Mythos 2 Preview, a model the company isn't releasing to the public, has autonomously found thousands of high-severity bugs in every major operating system and web browser. Some of these flaws had survived decades of human review and millions of automated tests. One was a 27-year-old vulnerability in OpenBSD, an operating system known for its security hardening. Another sat in FFmpeg for 16 years, hidden in code that testing tools had exercised five million times without catching it.
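How does a bug survive five million test executions? Executing code isn't the same as triggering its flaw: a defect guarded by a rare input pattern can sit on a path that random testing almost never reaches. Here's a minimal, hypothetical sketch (not FFmpeg's actual code) showing why, assuming a toy parser with a bug gated behind a 4-byte magic header:

```python
import random

def parse_chunk(data: bytes) -> int:
    """Toy parser: returns a payload length, with a hidden flaw."""
    if len(data) < 4:
        return 0
    # Bug: only when the header spells b"GLXW" does the parser trust an
    # attacker-controlled length byte without bounds-checking it.
    if data[:4] == b"GLXW":
        return data[4] if len(data) > 4 else 255  # unchecked length
    return min(len(data) - 4, 64)  # safe path, taken almost always

# Random testing: each 8-byte input has a (1/256)**4 ~= 2.3e-10 chance
# of starting with the magic header, so a million runs exercise the
# function a million times yet almost never reach the buggy branch.
random.seed(0)
hits = sum(
    1
    for _ in range(1_000_000)
    if random.randbytes(8)[:4] == b"GLXW"
)
print(hits)  # almost certainly 0
```

Coverage-guided fuzzers narrow this gap by rewarding inputs that reach new branches, but a guard comparing four bytes at once still leaves no gradient to follow, which is how such paths stay dark for years.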

The company is responding with Project Glasswing, a coalition that includes Amazon, Apple, Google, Microsoft, NVIDIA, Cisco, CrowdStrike, and others. Anthropic is putting $100M in usage credits behind this, plus $4M in direct donations to open-source security organizations. The logic is simple: AI capabilities for finding exploits are going to proliferate anyway, so better to arm the defenders first. Over 40 organizations that maintain critical software infrastructure now have access to the model for defensive work.

Anthropic won't release this model generally. They've classified it as an "autonomous saboteur" risk, meaning it could independently identify vulnerabilities and weaponize them without human oversight. The company ran a 24-hour alignment review before even using the model internally, and published a separate risk report for this specific threat model, [similar to the recent findings on emotional vectors](/news/2026-04-04-anthropic-claude-emotion-vectors-ai-safety). Whether this caution stems from genuine safety concerns or compute constraints (some observers have speculated about the latter), the result is the same: a powerful capability exists, and most people can't access it.

For years, finding serious exploits required rare expertise. Now that capability is condensing into models, a trend echoed by [the discovery of a 57-year-old bug in Apollo 11 Guidance Computer code](/news/2026-04-07-57-year-old-bug-found-in-apollo-11-guidance-computer-code). State-sponsored attackers from China, Iran, North Korea, and Russia are already a problem, and AI-augmented cyberattacks could make things much worse. But the same tools can also find and fix bugs before attackers do. Anthropic is betting that giving defenders a head start matters. They're probably right, though it's an open question whether a head start will be enough.