Anthropic Just Dropped a Model Too Dangerous to Release — And Gave It to Apple, Google, and Microsoft Instead
On 7 April 2026, Anthropic announced Project Glasswing — a cybersecurity consortium built around Claude Mythos Preview, a model too capable at finding zero-day vulnerabilities to release publicly. Here's what it means for your business.
On 7 April 2026, Anthropic announced Project Glasswing — a cybersecurity consortium built around a model called Claude Mythos Preview that the company has explicitly refused to release to the public. Their reasoning: it is too capable at finding and exploiting software vulnerabilities to put in anyone's hands.
Instead, they handed it to twelve of the most powerful technology and financial organisations on the planet. AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Over 40 additional organisations maintaining critical infrastructure software were also granted access.
Named after the glasswing butterfly — transparent wings, hard to detect — the metaphor is not subtle. This is a model designed to see what others cannot.
Whether you view this as a landmark moment for defensive AI or the most brazen act of corporate gatekeeping in the history of the field depends entirely on where you sit. Let us look at the facts first.
What Claude Mythos Preview Actually Found
Forget the benchmarks for a moment. The raw output is what matters.
Over the past few weeks, Anthropic claims Claude Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and web browser. Not edge cases. Not theoretical. Exploitable vulnerabilities that had been sitting in production code, undetected, for years — in some cases decades.
The standout findings:
- A 27-year-old vulnerability in OpenBSD — a system whose entire reputation is built on being the most security-hardened operating system available. This flaw survived 27 years of audits, penetration tests, and the scrutiny of some of the best security engineers alive.
- A 16-year-old bug in FFmpeg that had evaded five million automated test executions. FFmpeg is embedded in virtually every media application you have ever used. VLC, Chrome, Firefox, OBS — all of them.
- Multiple chained vulnerabilities in the Linux kernel enabling privilege escalation — the kind of exploit chain that gives nation-state attackers root access to servers running half the internet.
The model did this largely autonomously. No human steering, no hand-holding. Anthropic's own description: it discovers vulnerabilities and develops exploits "entirely autonomously, without any human steering."
That sentence should make every CISO on the planet sit up.
The Benchmarks — And Why They Matter
Claude Mythos Preview is not a narrow cybersecurity tool. It is a general-purpose frontier model that happens to be extraordinarily good at security work. Anthropic positioned it against their current flagship, Claude Opus 4.6, across multiple benchmarks:
| Benchmark | Mythos Preview | Opus 4.6 |
|---|---|---|
| CyberGym (Vulnerability Reproduction) | 83.1% | 66.6% |
| SWE-bench Pro | 77.8% | 53.4% |
| Terminal-Bench 2.0 | 82.0% | 65.4% |
| SWE-bench Verified | 93.9% | 80.8% |
| GPQA Diamond | 94.6% | 91.3% |
The SWE-bench numbers are particularly striking. A jump from 53.4% to 77.8% on SWE-bench Pro represents a step change in the model's ability to reason about, diagnose, and fix complex software problems. This is not an incremental improvement. This is a different class of capability.
And it is not publicly available.
The Consortium — Who Gets Access and Why
The twelve founding partners read like a roll call of organisations that control critical digital infrastructure. Between them, they operate the cloud platforms, operating systems, networking equipment, security tools, and financial systems that underpin the global economy.
The logic is straightforward: if Mythos can find vulnerabilities this effectively, the defenders need it before the attackers reverse-engineer something comparable. Give it to the organisations that maintain the software billions of people rely on, let them patch the holes, and publish the results.
Anthropic has committed $100 million in usage credits for Glasswing participants. They have also pledged $2.5 million to Alpha-Omega and the Open Source Security Foundation (via the Linux Foundation), and $1.5 million to the Apache Software Foundation. Within 90 days, they will publish findings on vulnerabilities patched and security improvements achieved.
For approved partners, pricing sits at $25 per million input tokens and $125 per million output tokens — roughly five times the cost of Claude Opus 4.6. That is not consumer pricing. That is enterprise infrastructure pricing, and it tells you exactly how Anthropic views this model's position in their lineup.
Access will eventually be available through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry. But "eventually" is doing a lot of work in that sentence. For now, access requires approval, and a forthcoming "Cyber Verification Programme" will gate who qualifies.
The Access Question — And the Legitimate Criticism
Here is where it gets uncomfortable.
The security community's reaction has been split. One camp — mostly enterprise security professionals and infrastructure maintainers — views this as exactly the right approach. A model this capable at finding exploits needs to be in the hands of defenders first, not released into the wild where every script kiddie and ransomware group on the planet can use it to automate their operations.
The other camp — independent security researchers, smaller firms, open-source contributors — sees something different. They see the largest technology companies on Earth being handed a decisive security advantage while everyone else is locked out. They see Fortune 500 gatekeeping dressed up as responsible deployment.
Both camps have a point.
The defensive argument is strong. An AI model that can autonomously discover and exploit zero-day vulnerabilities in critical infrastructure is, by any reasonable definition, a dual-use technology. Releasing it publicly would be like publishing the blueprints for every lock in every building and hoping the locksmiths get there before the burglars. The asymmetry between attacker and defender is already brutal in cybersecurity. Giving attackers a tool this powerful would make it catastrophic.
But the gatekeeping criticism is also valid. The organisations with access are not neutral parties. They are commercial entities with their own interests, competitive dynamics, and incentive structures. Apple gets to harden its own products with a tool its competitors cannot access. Microsoft gets to scan Azure infrastructure while smaller cloud providers are left exposed. JPMorganChase gets a security advantage that community banks and fintechs cannot match.
Anthropic has acknowledged this tension. The Cyber Verification Programme is their answer — a structured path for legitimate security professionals to apply for access. Whether that programme is genuinely accessible or becomes another enterprise procurement exercise will determine whether the criticism sticks.
What This Means for Your Business
If you are not one of the 52-odd organisations with direct access, you are probably wondering what this means for you. Three things.
First, the patches are coming. The entire point of Glasswing is to find and fix vulnerabilities in software you already use. Within 90 days, Anthropic will publish findings. The Linux kernel, FFmpeg, major browsers, and operating systems will all receive patches. Your job is to apply them promptly. If your patching cadence is quarterly, make it monthly. If it is monthly, make it weekly for critical systems. The vulnerabilities Mythos found are not new — they have been exploitable for years. The difference is that now everyone knows they exist.
Second, this raises the bar for security expectations. If an AI model can find a 27-year-old vulnerability in OpenBSD, the standard for what constitutes "adequate" security testing has fundamentally shifted. Your penetration testing provider, your code review processes, your static analysis tools — all of these need reassessing in a world where AI-powered vulnerability discovery is this effective. The question boards and leadership teams will start asking is: "If Mythos can find these things, why can't our security team?"
Third, this is a preview of AI-native security tooling. Even if you cannot access Mythos directly, the capability it represents will filter into commercial security products within 12 to 18 months. CrowdStrike and Palo Alto Networks are both founding partners. Their next-generation products will be informed by what they learn from Mythos. Budget for AI-augmented security tooling now, because by 2027 it will not be optional.
The Bigger Picture — Defensive AI Gets Real
Project Glasswing matters beyond cybersecurity because it represents the first time a major AI lab has explicitly built a deployment framework around the principle that some models are too capable for general release. Anthropic is not saying Mythos is dangerous because it might hallucinate or produce biased text. They are saying it is dangerous because it works too well at a specific, consequential task.
That is a fundamentally different kind of AI safety problem. And the solution they have chosen — restricted access through a vetted consortium — is a fundamentally different kind of deployment model. It is closer to how governments handle classified defence technology than how Silicon Valley typically ships products.
Whether you think that is appropriate or alarming probably depends on whether you trust these twelve organisations to act in the public interest. Reasonable people can disagree on that.
What is harder to disagree with is the underlying reality: AI models are now better than most human experts at finding software vulnerabilities, and that capability gap is only going to widen. The question is no longer whether AI will reshape cybersecurity. It is whether the reshaping happens on terms that benefit defenders more than attackers.
Anthropic has placed a large, expensive, and very public bet that the answer is yes — but only if access is controlled.
They might be right. The next 90 days will tell us a lot about whether the execution matches the ambition.
Digital by Default helps businesses navigate the rapidly shifting AI landscape — from security to automation to strategy. If your organisation needs to understand what developments like Glasswing mean for your operations, [get in touch](/contact).