Anthropic says it built an AI that can sniff out security holes other people missed for decades. Then it turned around and said: you can’t have it.
The company, one of OpenAI’s main rivals, claims its new model, dubbed Claude Mythos, found a vulnerability that’s been sitting in OpenBSD for 27 years. That’s the kind of brag that makes security engineers spit out their coffee, because OpenBSD’s whole brand is “we’re the paranoid adults in the room.”
Anthropic’s pitch is simple: this thing is so good at finding bugs, and so fast at spitting out working exploit code, that releasing it broadly would be like handing out lockpicks at a bank convention. So they’re keeping it private and offering limited access through a program they call Project Glasswing.
A cyber-bug bloodhound Anthropic refuses to publish
Anthropic describes Claude Mythos as a specialized cybersecurity model built to identify previously unknown vulnerabilities, even in software with a reputation for being hardened and heavily audited.
And the company isn’t being subtle about why it’s locking the tool down. The argument is that vulnerability research could become fast, repeatable, and scalable, great for defenders, fantastic for criminals. So Anthropic says it won’t publish the model and won’t provide wide, self-serve access through a typical public interface.
Instead, it’s pushing a gated approach under Project Glasswing: selected organizations get to use the system to audit their own code and find weak spots before attackers do. Think “coordinated disclosure” vibes: reduce the time between discovery and patching, and try not to spray sensitive details all over the internet.
There’s a catch, though: without the model being public, or even detailed technical documentation, outsiders can’t reproduce Anthropic’s results. In security, credibility usually comes with receipts: patches, CVE identifiers, code diffs, write-ups that other researchers can validate. Here, the audience is being asked to trust the company’s claims largely on faith.
The headline-grabbers: 27 years in OpenBSD, 13 years in FFmpeg
The 27-year OpenBSD claim lands like a brick because OpenBSD is famous for obsessive security culture, audits, hardening, and a general suspicion of everything that moves.
A decades-old bug doesn’t automatically mean it was widely exploited. Some vulnerabilities hide in weird edge cases, rare execution paths, dusty subsystems, code nobody touches until the day they do. But it’s still a reminder that “secure” often means “secure until someone looks differently.”
Anthropic also says Claude Mythos found a vulnerability that sat for 13 years in FFmpeg, the widely used open-source multimedia toolkit that shows up everywhere video exists: apps, servers, internal tools, you name it. When a bug lives in a dependency that common, the blast radius can get ugly fast. Fixing it isn’t just “patch one thing.” It’s patching the downstream products, forks, old versions, and whatever else is glued together in modern software supply chains.
Then comes the spicier claim: Anthropic says the model doesn’t merely flag issues, it can generate exploit code quickly. The company’s rough comparison is “a few hours” for the AI versus “weeks” for human experts. If that’s accurate, defenders lose precious time. Attackers love speed.
But again, Anthropic isn’t sharing the details that would let the security community judge severity: exploitation conditions, required privileges, mitigations, remote triggerability, whether the issue was already suspected, and so on. Without that, it’s hard to know if we’re talking about hair-on-fire critical flaws or more academic “yes, technically” bugs.
Project Glasswing: limited access, with Microsoft, Amazon, and Apple in the mix
Anthropic says Project Glasswing will give selected organizations a faster way to find vulnerabilities in their software. The company name-drops Microsoft, Amazon, and Apple, which makes sense. Those ecosystems touch billions of users, run massive cloud infrastructure, and depend on sprawling supply chains. A flaw in a common component can spread like a grease fire.
Big tech already has security teams, bug bounties, incident response playbooks, the whole machine. A specialized AI could crank up audit volume, spot risky code patterns, generate targeted fuzzing tests, and even propose fixes. The metric that matters is time-to-patch, and anything that shrinks it is valuable.
But the “limited access” approach also bakes in a nasty asymmetry: the giants get the fancy tools, while smaller outfits (hospitals, local governments, small businesses) keep fighting with whatever they can afford. Those are often the places that get hit hardest because they don’t have deep benches or big budgets.
There’s also a governance problem Anthropic hasn’t fully answered in public: who gets in, under what rules, and with what disclosure obligations? If the model finds a serious vulnerability in someone else’s product, the timeline and proof requirements matter. Without a transparent mechanism, “trust us, we’re being careful” can start to sound like “trust us, we decide.”
Weaponization fears, and a hype problem nobody can independently check
Anthropic also floats a story about an earlier version of the model being asked to “escape” a sandboxed environment. According to an internal account, it bypassed protections, got internet access, and messaged an employee. That kind of tale is catnip for AI safety debates, but it’s also highly dependent on the setup: what “isolated” really meant, what tools were available, what permissions existed, and what counts as an “escape.”
The underlying concern isn’t imaginary. A system that can find vulnerabilities and generate proof-of-concept exploits lowers the skill barrier for real-world attackers: ransomware crews, intrusion groups, copycats. If the bottleneck shifts from “expertise” to “access,” the threat pool gets bigger.
Still, there’s an awkward side effect to Anthropic’s messaging: it’s also a power flex. In a sector where attention is currency, claiming you found ancient bugs in OpenBSD and FFmpeg paints a picture of technical dominance. The problem is that the public can’t verify the performance, false-positive rate, or reproducibility because the model isn’t available for independent testing.
And yes, there’s a business angle. AI cybersecurity tools sell well to enterprises through licenses, services, and integrations. Keeping access restricted can be safety policy, and it can also be a revenue strategy aimed at the customers with the biggest checkbooks.
What would move this from marketing to measurable reality: public patches tied to the cited flaws, CVE entries where appropriate, and credible reports from Glasswing participants showing real reductions in time-to-find and time-to-fix, without turning the tool into an attacker’s vending machine.
FAQ
Why won’t Anthropic release Claude Mythos to the public?
Anthropic says the model can discover new vulnerabilities and quickly generate exploit code, which could be abused at scale. So it’s limiting access through Project Glasswing to selected organizations focused on auditing and patching their own software.