Anthropic announced Project Glasswing on , a coordinated cybersecurity effort that pairs a pre-release version of its next-generation AI model with a coalition of twelve major technology companies. The initiative has already surfaced thousands of previously unknown software vulnerabilities, including critical flaws that have existed in deployed systems for one to two decades without detection. Among the partner organizations are Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.
The model running the effort, officially named Claude Mythos Preview, is described as larger than the current Opus family and built with a strong emphasis on agentic reasoning and code analysis. Forty organizations in total have received preview access, though only the twelve named partners are participating in the active vulnerability discovery program. The announcement represents one of the more consequential applications of frontier AI to real-world infrastructure security.
What Project Glasswing Actually Does
The practical operation of Project Glasswing sits somewhere between traditional vulnerability research and the emerging category of AI-assisted penetration testing. Partner organizations submit codebases, firmware, or system configurations to the AI model, which then analyzes them for security weaknesses that human researchers might miss through volume, complexity, or the kind of pattern-matching fatigue that sets in when you're looking at the same class of bug for years.
The zero-days being discovered are not limited to new software. According to the project announcement, many of the vulnerabilities uncovered are in systems that have been in production for ten to twenty years, which means they have been running in data centers, on network devices, and in critical infrastructure through multiple security audits without anyone finding them. That's a different kind of claim than "we found a bug in recently shipped code." It points toward the possibility that AI models can identify structural weaknesses in legacy systems that the original developers, and all the auditors since, have missed.
CrowdStrike and Palo Alto Networks, both active in threat intelligence and endpoint security, are positioned to act on findings directly. Cisco and Broadcom contribute network infrastructure exposure. Apple and Microsoft represent consumer and enterprise operating system coverage. The Linux Foundation participation is particularly significant given how much of global server infrastructure runs on Linux-based systems. The coalition is, in effect, a coverage map designed to reach the majority of software running in the world today.
The Model Behind the Effort
Anthropic's Claude Mythos Preview, the model powering Project Glasswing, operates at a significantly larger scale than the company's current public offerings. The Fortune report on described it as Anthropic's most capable model to date, built for the kind of extended, multi-step reasoning that cybersecurity research demands.
What Anthropic has confirmed is the model's profile: general-purpose, with particular strength in agentic reasoning tasks and code analysis. Agentic reasoning is the category of AI performance most relevant to vulnerability research. A model with strong agentic capability can not only identify a potential flaw in a codebase but reason through its exploitability, understand the surrounding context, and propose remediation steps without human prompting at each stage. That's the difference between a spell checker and an editor.
"The vulnerabilities we are surfacing include some that have existed in deployed systems for fifteen or twenty years. These are not trivial bugs. Many of them are critical severity. The question of why they were not found earlier is, itself, part of the research."
Anthropic Project Glasswing team, via TechCrunch
The model's coding performance has been one of the most closely watched metrics in the AI industry as Anthropic, OpenAI, and Google DeepMind compete on benchmarks that track how well their models can read, write, and analyze code. Project Glasswing is not a benchmark. It is a deployment of that capability against real systems with real stakes, which makes it a more credible demonstration of what the model can actually do in practice.
Why Legacy Vulnerabilities Are the Harder Problem
The security industry has generally been better at protecting new software than old software. This is partially a resource allocation problem: the most visible systems get the most scrutiny, recent code is written with more modern security practices, and organizations tend to focus audit budgets on what they're actively shipping rather than what they shipped in 2004.
Legacy vulnerabilities are a different category of risk. A flaw that has survived twenty years of audits has done so because it doesn't look like the patterns that security tools are trained to find, or because the architectural context required to understand it isn't obvious from the code alone. Some classes of memory corruption bugs in C and C++ codebases fall into this category. Buffer overflows that only trigger under specific hardware states. Race conditions in multithreaded code that require particular timing to exploit.
An AI model analyzing a codebase at scale can hold more context simultaneously than a human researcher working through the same code section by section. That capacity for broad contextual analysis is the theoretical advantage. Project Glasswing's early results suggest it is a real one.
| Partner Organization | Primary Security Coverage | Role in Glasswing |
|---|---|---|
| Amazon | Cloud infrastructure, AWS | Cloud system vulnerability analysis |
| Apple | macOS, iOS, Safari | Consumer OS and browser surface |
| Broadcom | Semiconductor, networking chips | Firmware and hardware-level analysis |
| Cisco | Network infrastructure, routers | Enterprise networking systems |
| CrowdStrike | Endpoint security, threat intel | Direct response and remediation |
| Google | Android, Chrome, Google Cloud | Consumer OS, browser, cloud coverage |
| JPMorganChase | Financial infrastructure | Financial systems vulnerability analysis |
| Linux Foundation | Open-source Linux ecosystem | Server and embedded systems coverage |
| Microsoft | Windows, Azure, Office | Enterprise and consumer OS surface |
| NVIDIA | GPU drivers, CUDA ecosystem | AI infrastructure and driver security |
| Palo Alto Networks | Firewall, cloud security | Network perimeter and cloud analysis |
The Pentagon Conflict and What It Means
Project Glasswing's announcement landed against a complicated backdrop for Anthropic. The company is currently in a legal dispute with the U.S. Department of Defense, which has categorized Anthropic as a potential supply-chain risk in certain government contracting contexts. The Pentagon designation has created friction for federal agencies that want to use Anthropic's models and has not been publicly explained beyond the supply-chain label.
The timing of Glasswing, which demonstrates Anthropic's AI being used to strengthen the security posture of major commercial infrastructure, reads in part as a public positioning move. A company that is identifying and helping fix critical vulnerabilities in the systems that run global commerce and communications is making an argument with actions rather than press releases. Whether that argument is sufficient to resolve the Pentagon designation is a separate question.
The broader regulatory environment around AI and national security is unsettled enough that the conflict between Anthropic and the Defense Department is unlikely to be the last of its kind. The question of whether AI frontier labs should be trusted with government contracts, critical infrastructure access, or classified systems is not resolved by any single project, however well-designed.
The 40 Organizations With Preview Access
Beyond the twelve named partners actively running vulnerability discovery, Anthropic has granted preview access to the Capybara-generation model to 40 organizations in total. The identities of the remaining 28 have not been disclosed. Preview access at this scale is consistent with how major frontier AI releases have been staged in recent years: a core group of institutional partners gets early access for specific applications, a wider preview cohort runs general capability evaluations, and public release follows some months later.
For security applications specifically, the preview cohort is relevant because it shapes the threat model for the model itself. A highly capable AI model that can find zero-day vulnerabilities can also theoretically be used to exploit them. Anthropic's choice to partner with companies that have existing security infrastructure and compliance programs, rather than opening access broadly, is a structural response to that concern. It does not eliminate the risk, but it limits the blast radius of any misuse during the preview period.
- Twelve active vulnerability discovery partners, all named and with established security operations
- 28 additional preview-access organizations, undisclosed, evaluating general capabilities
- 40 organizations total with any preview access as of the April 7 announcement
- General public release timeline not yet announced
What Comes Next
The immediate next phase of Project Glasswing involves disclosure coordination for the vulnerabilities already discovered. Zero-day disclosure is a structured process: the researcher notifies the software vendor, the vendor develops and deploys a patch, and the vulnerability details are made public after a fixed window (typically 90 days for most disclosure programs). With thousands of vulnerabilities identified, the coordination effort across dozens of software vendors is itself a significant operational undertaking.
Longer term, the question for the security industry is whether AI-assisted vulnerability research becomes a standard component of software development pipelines rather than a special initiative run by frontier AI labs. The answer probably depends on how well the current effort translates to models that are accessible to the broader security research community, not just organizations with direct relationships to companies like Anthropic.
The model powering Glasswing will eventually be released publicly, at which point the same capability that found thousands of zero-days for defensive purposes becomes available to everyone else as well. Managing that transition is the long game that Project Glasswing is, in part, preparing for.













