Anthropic Builds 11-Giant Pact to Secure Code 2026

Anthropic's Project Glasswing unites AWS, Apple, Google and 8 more giants behind an AI model that already found a 27-year-old OpenBSD security flaw.

Key Takeaways

  • 11 founding partners including AWS, Apple, Google, Microsoft, NVIDIA, JPMorgan, and the Linux Foundation joined Anthropic's Project Glasswing to secure critical software with AI.
  • Claude Mythos Preview, an unreleased model leading GPQA Diamond at 94.6%, already found a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw.
  • Anthropic committed $100 million in usage credits plus $4 million in donations to open-source security groups, with access expanding to 150 organizations in 15-plus countries.
  • The bottleneck shifts from detection to remediation: finding thousands of vulnerabilities on demand only helps if maintainers can patch faster than attackers exploit the same public code.
  • The capability is symmetric: the defensive lead rests on Anthropic gating access and coordinating fixes, a governance promise rather than a technical guarantee.

Anthropic just convinced eleven of the most guarded companies on earth to point the same unreleased AI model at the code that runs the modern world. AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation rarely agree on anything, yet all of them signed on to Project Glasswing. The hook is not the membership list. It is what the model already found before the project was even public: a security flaw that had been sitting inside OpenBSD for 27 years.

What Actually Happened

Anthropic unveiled Project Glasswing as an industry-wide effort to apply frontier AI to the analysis of critical software. At the center sits Claude Mythos Preview, an unreleased model that Anthropic is making available to the founding partners and roughly 40 additional organizations responsible for critical software infrastructure, with plans to expand access to 150 organizations across more than 15 countries. Mythos is not a generic chatbot bolted onto a linter. It currently leads the GPQA Diamond reasoning benchmark at 94.6%, and Anthropic has tuned it specifically to read large, unfamiliar codebases and reason about how they break, which is a different and harder task than autocompleting a function.

The early results are what made the announcement land. In its first testing phase, Mythos surfaced thousands of previously unknown vulnerabilities, including a 27-year-old bug in OpenBSD and a 16-year-old vulnerability in FFmpeg, two pieces of software that sit underneath an enormous fraction of internet infrastructure and media processing. These are not theoretical edge cases. They are flaws that survived decades of human review, fuzzing campaigns, and bug bounties, then fell to a model reading the source the way a patient senior security researcher would, except across millions of lines at a pace no human team can match.

Anthropic paired the technology with money. The company committed up to $100 million in usage credits for project participants and another $4 million in direct donations to open-source security organizations. That second number matters more than its size suggests, because it targets the maintainers who keep foundational libraries alive on nights and weekends without the budget that a bank or a hyperscaler takes for granted. The structure makes clear this is positioned as shared infrastructure rather than a product launch with a price tag attached.

Why This Matters More Than People Think

For two years the loudest AI security conversation has been about offense: prompt injection, jailbreaks, models that help write malware, autonomous agents probing networks. Glasswing flips the framing toward defense at industrial scale. If a single frontier model can read OpenBSD and FFmpeg and find decades-old flaws, then the same capability applied continuously across the open-source dependency graph changes the economics of finding bugs before attackers do. The marginal cost of a deep code audit collapses from a scarce human expert's week to a metered API call measured in dollars.

The competitive subtext is just as loud. Anthropic spent late May reaching a $965 billion valuation and confidentially filing for an IPO, and it is now positioning Mythos as the model serious institutions trust with their crown-jewel source code. Getting Apple, JPMorgan, and the Linux Foundation to co-sign is a credibility play that no benchmark score can buy. It tells enterprise buyers that the company will hand its frontier capability to defenders rather than hoard it, which is exactly the reputation an AI lab wants when regulators in Washington and Brussels are circling the cybersecurity question.

There is also a structural shift hiding in the partner list. The Linux Foundation sitting alongside ten commercial giants signals that the industry has finally accepted that open-source security is a shared liability, not a charity line item. When a flaw in a free library can take down a bank's payment rails or an airline's booking system, the firms downstream have every reason to fund the upstream. Glasswing turns that diffuse self-interest into a single coordinated program with a named model behind it, which is a sharper instrument than the scattered grants and one-off audits the industry has relied on until now.

Consider the asymmetry Glasswing is trying to correct. A motivated attacker only needs to find one exploitable flaw in one widely deployed library to compromise thousands of downstream systems. Defenders, by contrast, have had to find and fix every flaw, an impossible standard when the code is volunteer-maintained and the reviewers are scarce. Mythos does not eliminate that asymmetry, but it changes the ratio. For the first time the defensive side can run the same exhaustive analysis at the same scale the most sophisticated attackers can, and it can do so continuously rather than in occasional audits. The 27-year OpenBSD bug is the proof of concept: a flaw that no funded red team ever surfaced, found by a model in a single pass. If that result generalizes across the dependency graph that underpins banking, telecom, and energy, the defensive economics of the entire internet shift in a direction they have not moved in twenty years.

The Competitive Landscape

Anthropic is not alone in pointing AI at vulnerabilities. Google has run its Big Sleep and OSS-Fuzz efforts, which have already used large models to surface real-world bugs in open-source projects. Microsoft, a Glasswing partner, also ships its own security copilots and runs its MAI model family. XBOW and a wave of AI-native security startups have spent the past year automating penetration testing and bug-bounty submissions, in some cases topping HackerOne leaderboards with machine-generated reports. The space is crowded, and that is precisely why Anthropic built a coalition instead of shipping yet another scanning product into a saturated market.

The historical parallel is the formation of shared security infrastructure after earlier internet-wide scares. After Heartbleed gutted OpenSSL in 2014, the industry created the Core Infrastructure Initiative under the Linux Foundation to fund the libraries everyone depended on and no one owned. Glasswing is the AI-era successor to that idea, except the scarce resource being pooled is not money for maintainers but access to a frontier model that can actually do the auditing work. The same Linux Foundation that organized the post-Heartbleed response is back, this time with eleven corporate names and a model that reads code at a scale no funded human team ever could.

What separates Anthropic's move from rivals is distribution strategy. Google tends to surface its findings through its own teams and tooling, keeping the capability close. Anthropic is instead seeding the model into the institutions that own the critical software, from Cisco's networking stack to Palo Alto's security products to the open-source projects the Linux Foundation stewards. That decentralized approach trades some control for reach, and reach is what determines whether a 27-year-old bug gets found in year 27 or never. It is a bet that the defensive value of broad access outweighs the risk of letting the capability spread.

Hidden Insight: The Disclosure Problem Just Got Ten Times Harder

The triumphant headline is that AI found decades-old bugs. The uncomfortable part is what happens next. A model that can find thousands of previously unknown vulnerabilities across the open-source ecosystem also generates thousands of disclosure decisions, patch-coordination problems, and windows of exposure. Each newly discovered flaw in a widely used library is a race: the defenders inside Glasswing now know about it, but so might anyone running a comparable model on the same public code. Finding the bug is the easy half. Fixing it across every downstream system before it gets weaponized is the hard half, and that half still runs at human speed.

This is the deeper signal about where AI security is heading. The bottleneck is moving from detection to remediation. For a decade the industry assumed that most catastrophic vulnerabilities were simply undiscovered, lurking in code no one had time to read. Glasswing suggests that assumption was right, and that the lurking flaws are now discoverable on demand. That is good news only if patching keeps pace. A maintainer of a volunteer-run library that suddenly receives a verified report of a serious flaw, complete with a working analysis, is now on the clock against every adversary with API access, and most of those maintainers still have day jobs and no security staff.

There is a darker second-order effect worth naming. The same frontier capability that powers Glasswing's defense is, by construction, an offense engine. Anthropic gates Mythos behind partner access and a usage policy, but the underlying truth is that reading code for exploitable flaws is symmetric. Open-source code is, by definition, readable by attackers too. If defenders only win because they got the model first and built the relationships to coordinate fixes, then the entire safety case rests on Anthropic's ability to keep that lead and police access. That is a governance promise, not a technical guarantee, and governance promises have a poor track record once the underlying capability becomes commoditized.

The bear case, however, is straightforward, and it is the part the announcement glides past: a flood of AI-discovered vulnerabilities could overwhelm the volunteer maintainers and corporate security teams who have to act on them. Skeptics point out that the bottleneck in open-source security has never been only finding bugs. It has been triage, reproduction, patch review, and the social labor of coordinated disclosure. Pour thousands of machine-found reports into that system and you risk alert fatigue, burned-out maintainers, and a backlog that attackers can mine for known-but-unpatched flaws. A $4 million donation is a gesture against a problem that may need a hundred times that to fund the humans on the receiving end of every report.

There is a quieter strategic move embedded in all of this. By making Mythos the model that eleven blue-chip institutions trust with their source code, Anthropic is building a moat that has nothing to do with raw benchmark scores. Trust, relationships, and regulatory goodwill are far harder for a competitor to replicate than a percentage point on GPQA Diamond. GPT-5.5 or Gemini may match Mythos on raw reasoning, but they cannot retroactively claim they were the model that secured OpenBSD and FFmpeg for the Linux Foundation. In a market where every frontier lab is converging on similar capabilities, the durable advantage is increasingly about which institutions you are embedded in, not which leaderboard you topped last week. Glasswing is as much a distribution and positioning play as a security program, and that dual purpose is exactly why it will be copied within the year.

What to Watch Next

Over the next 30 days, watch the disclosure cadence. Anthropic and its partners will have to publish how they are handling the thousands of findings: which CVEs get assigned, how long the embargo windows run, and whether maintainers of small projects get real support or just a report and a deadline. The OpenBSD and FFmpeg fixes are the first public test cases, and how cleanly those patches ship will tell you whether the remediation pipeline can actually carry the load the detection engine creates. A clean, well-supported rollout would be the strongest evidence the model is more than a press release.

Over the next 90 days, watch the access list grow from 40 toward the promised 150 organizations across 15-plus countries, and watch which governments and critical-infrastructure operators get in. If power utilities, hospital systems, and national CERTs join, Glasswing becomes de facto public-safety infrastructure, which invites the regulatory attention that the Trump administration's June executive order on frontier-model cybersecurity review already foreshadowed. The line between a private Anthropic program and a quasi-public security utility will blur fast, and that blur carries both leverage and liability for Anthropic.

Over the next 180 days, watch whether rivals answer with coalitions of their own or whether the industry consolidates around Mythos as the shared defensive model. Also track the first credible report of a comparable open model being used offensively against the same libraries, because that is the moment the symmetry argument stops being theoretical. The metric that matters is not how many bugs Glasswing finds. It is the gap, measured in days, between discovery and a deployed patch across the long tail of the software supply chain, because that gap is where every real-world breach lives.

A model that can find a 27-year-old bug on demand has not solved security. It has just proven the bugs were always there, waiting for whoever read the code first.


Questions Worth Asking

  1. If a frontier model can find decades-old flaws in the most-reviewed open-source code, what does that say about the security of the proprietary code your business actually runs on?
  2. When detection becomes cheap and remediation stays expensive, who pays for the human labor of patching the long tail of critical software?
  3. If your company depends on open-source libraries, do you know which ones, and would you even hear about a verified Glasswing finding before an attacker did?