Anthropic has issued an update on Project Glasswing, its initiative to protect critical software from attacks by malicious artificial intelligence models. The effort follows the company’s decision to withhold public release of Claude Mythos, a cybersecurity model that proved highly effective at identifying security vulnerabilities in code. Concern over potential misuse led Anthropic to limit access to about 50 key partners, including AWS, Apple, Google, Microsoft, CrowdStrike, Nvidia, Broadcom, Cisco and Palo Alto Networks.
Early partner testing showed both the strength of the model and the fragility of widely used software. Cloudflare found 2,000 bugs, 400 of which were critical; Mozilla found 271 vulnerabilities in Firefox, more than 10 times the number found with a previous model; and the latest Palo Alto Networks release required five times as many patches as usual. Anthropic said these findings affected software that is “fundamental to the functioning of the internet and other essential infrastructure.”
Anthropic also said it had used the Mythos preview version to scan more than 1,000 open source projects over the past few months. Among 23,019 vulnerabilities, 6,202 were estimated to be of high or critical severity, with one of the most serious involving wolfSSL, a cryptography library. That flaw could have allowed attackers to forge certificates and host a fake website for a bank or email provider. Although that issue has been patched, remediation overall has been slow.
Only 75 of the 530 high- or critical-severity bugs reported to maintainers to date have been resolved. Anthropic said the imbalance between how easily vulnerabilities can be found and how difficult they are to fix creates a major cybersecurity challenge. The company warned that models with cybersecurity capabilities similar to Mythos Preview will soon become more widely available, increasing pressure on the software industry to handle a growing volume of findings and reduce the window of opportunity for attackers.
Mythos remains unavailable for public release, and Anthropic said it is still not ready for broader access. Even so, the company indicated that the Glasswing initiative could be expanded beyond its current group of select partners.
