Anthropic has begun rolling out its new AI model, Claude Mythos Preview, to a limited group of companies after the system identified thousands of critical security vulnerabilities across operating systems, web browsers, and other widely used software. The model also uncovered high-severity flaws in every major operating system and web browser currently in use. Anthropic expressed concern about the potential consequences if comparable AI capabilities were to fall into the hands of malicious actors.
To address these risks, Anthropic announced Project Glasswing on Tuesday, a new defensive cybersecurity initiative that brings together more than 40 organizations. Partners include Amazon Web Services, Apple, Cisco, Google, JPMorgan, the Linux Foundation, Microsoft, and Nvidia. The initiative will use Claude Mythos Preview to proactively identify software bugs, share findings with partners, and apply patches before vulnerabilities can be exploited.
The effort targets what are known as zero-day vulnerabilities — software flaws that can be exploited before developers are even aware they exist. Historically, detecting and patching such bugs has required rare and costly human expertise. Anthropic argues that AI can dramatically increase both the scale and speed at which these vulnerabilities are found and addressed.
Many of the vulnerabilities uncovered are decades old. The oldest identified so far is a now-patched 27-year-old bug in OpenBSD, an operating system widely regarded for its strong security record. Other findings include a 16-year-old flaw in the FFmpeg media processing library, a 17-year-old remote code execution vulnerability in the open-source FreeBSD operating system, and multiple weaknesses in the Linux kernel. Anthropic noted that the vulnerabilities it finds are frequently subtle and difficult to detect through conventional means.
Claude Mythos Preview also identified weaknesses in several widely used cryptography libraries, algorithms, and protocols, including TLS, AES-GCM, and SSH. Web applications were found to contain a broad range of vulnerabilities as well, spanning cross-site scripting and SQL injection to cross-site request forgery, a technique commonly used in phishing attacks. The breadth of the findings underscores the scale of the challenge facing the global software industry.
Anthropic stated that 99% of the vulnerabilities it has discovered remain unpatched, which it cited as the reason for withholding specific details about them publicly. The company said that disclosing information prematurely would be irresponsible given the current state of remediation. Partners within Project Glasswing are expected to receive and act on the shared data as patches are developed.
The broader cybersecurity landscape adds urgency to the initiative. According to AllAboutAI, AI-powered cyberattacks increased 72% year-over-year, with 87% of global organizations reporting they experienced AI-enabled attacks in 2025. Anthropic acknowledged that fully defending the world’s cyber infrastructure could take years, but maintained that AI represents a meaningful tool for hardening software and systems against future threats.
Originally reported by CoinTelegraph.
