Project Glasswing: When the Lab Won't Release Its Own Model

Anthropic announced Project Glasswing today. A coalition of twelve organizations, including AWS, Apple, Google, Microsoft, NVIDIA, CrowdStrike, and JPMorganChase, will use a new frontier model called Claude Mythos Preview for defensive cybersecurity. The model found thousands of high-severity vulnerabilities across every major operating system and browser. A 27-year-old bug in OpenBSD. 181 Firefox exploits where prior models found two.

The model will not be released to the public.

Read that again. Anthropic built a model, measured its capabilities, and decided the correct response was to restrict access to a curated coalition of defenders plus roughly 40 critical infrastructure organizations. No API. No general availability. No plans for either.

This is the most significant AI governance decision of 2026. Not because of the vulnerabilities found, but because of the deployment model chosen.

From Individual to Industrial Scale

Two days ago, we covered a researcher using Claude to find a 23-year-old Linux kernel vulnerability with a bash script and a CTF prompt. Nicholas Carlini’s experiment demonstrated what a single person with API access could accomplish. Several hundred unvalidated crashes sat in his backlog because validation is slower than discovery.

Glasswing is what happens when you take that experiment and hand it to a coalition with the resources to actually process the results. The same asymmetry we identified (discovery scales with compute, validation scales with human expertise) now has institutional backing to address the validation bottleneck.

But the model powering Glasswing is not the same model Carlini used. Mythos Preview scores 83.1% on UC Berkeley’s CyberGym benchmark versus 66.6% for Opus 4.6. On SWE-bench Verified, 93.9% versus 80.8%. These are not incremental gains. This is a capability jump that Anthropic itself considers too dangerous for open access.

The pricing tells the same story from a different angle. $25 per million input tokens, $125 per million output tokens. That is a 5x premium over Opus 4.6. The markup is not a margin play. It is a friction mechanism. When you price a model at five times the cost of your flagship, you are selecting for organizations with serious budgets and serious use cases. You are filtering out casual experimentation.

The Arsonist-Firefighter Problem

Let us be honest about the tension here. Anthropic builds increasingly capable AI models. Those models create offensive capabilities. Anthropic then offers restricted defensive access to those capabilities at premium prices. The circular logic is obvious: we built something dangerous, so trust us to control it.

This deserves scrutiny. But dismissing Glasswing on these grounds alone misses the structural significance of what is happening.

Every cybersecurity vendor operates in this space. CrowdStrike’s threat intelligence depends on studying attacks. Palo Alto Networks builds firewalls because networks are attackable. The security industry has always monetized the offense-defense dynamic. Anthropic is not unique in profiting from the threats its technology category enables.

What is unique is the choice to withhold the product from the market entirely. CrowdStrike sells Falcon to anyone who can pay. Anthropic will not sell Mythos to anyone at all. The coalition model restricts access to vetted organizations working on defensive applications. Whether this restriction holds long-term is an open question. That it exists at all is the news.

The $100 Million Signal

Anthropic committed $100 million in usage credits for the coalition, plus $2.5 million to the Alpha-Omega Project at OpenSSF and $1.5 million to the Apache Software Foundation.

The $100 million number needs context. Distributed across 50-plus organizations, it amounts to roughly $2 million per participant. At Mythos pricing, that buys approximately 16 million output tokens per organization. Meaningful for targeted vulnerability research. Not transformative for continuous security operations.

The OpenSSF and Apache contributions are more telling. These are direct investments in the open source infrastructure that Glasswing’s vulnerability discovery will pressure. As we documented in The Two-Front Supply Chain Crisis, AI-discovered vulnerabilities create downstream patch burdens that open source maintainers are already struggling to absorb. Finding thousands of new high-severity bugs is only useful if the projects receiving disclosures have the capacity to fix them.

Less than 1% of the vulnerabilities Mythos has discovered have been patched so far. That number should concern everyone celebrating the announcement.

What the Coalition Is Missing

The twelve founding members are notable. So are the absences.

Meta, Oracle, IBM, Samsung, Intel. None are part of Glasswing. Meta operates its own frontier AI lab. Oracle runs critical infrastructure for thousands of enterprises. IBM has a 19-year track record in security research. These are not peripheral players.

The absence matters because Glasswing’s value depends on coverage. A vulnerability discovered in software that Oracle maintains is only useful if Oracle is in the room to receive the disclosure and prioritize the patch. A coalition that finds bugs faster than non-member organizations can fix them creates a new kind of information asymmetry: one where coalition members have advance knowledge of vulnerabilities in systems their competitors use.

JPMorganChase CISO Pat Opet called it “a unique, early stage opportunity to evaluate next-generation AI tools for defensive cybersecurity.” The word “evaluate” is doing significant work in that sentence. This is not operational deployment. It is a pilot. The distinction matters for anyone trying to assess Glasswing’s near-term impact versus its long-term implications.

The Benchmark Question

All published performance data for Mythos comes from Anthropic. CyberGym is a real benchmark from UC Berkeley, but the scores are self-reported. There is no independent verification.

This is not unusual for model launches. But it matters more here because the restricted-access model means independent researchers cannot reproduce the results. When Google releases a model, anyone with API access can run benchmarks. When Anthropic restricts Mythos to coalition partners, the performance claims are unfalsifiable by outsiders.

Meanwhile, existing public-good security research continues to deliver results without restricted access. Google’s Project Zero has been finding and disclosing critical vulnerabilities for over a decade, for free. OSS-Fuzz has discovered more than 10,000 vulnerabilities in open source software. DARPA’s AIxCC competition demonstrated AI-powered vulnerability discovery at $152 per task. These programs produce real, verified, publicly disclosed results without requiring membership in a coalition.

Glasswing may well find vulnerabilities these programs miss. But the claim that restricted frontier models are necessary for defensive cybersecurity should be evaluated against the demonstrated record of open alternatives.

The Governance Precedent

Here is where Glasswing connects to our broader argument. In AI Governance IS Cybersecurity, we made the case that separating AI governance from cybersecurity creates structural blind spots. Glasswing validates this thesis from an unexpected direction.

Anthropic did not separate the model capability decision from the security deployment decision. The same process that evaluated what Mythos could do also determined how it would be deployed. The governance framework and the security framework were unified from the start. The result: a deployment model that restricts access based on assessed risk, limits use cases to defensive applications, and creates institutional accountability through coalition membership.

Compare this to how most enterprises deploy AI. The procurement team evaluates capability. The security team evaluates risk. The governance team evaluates compliance. Three separate assessments, three separate timelines, three separate approval chains. By the time all three align, the model has been in shadow deployment for months.

Anthropic’s decision to withhold Mythos is the strongest possible argument for governed deployment. The organization that built the model, that understands its capabilities better than anyone, concluded that unrestricted access is irresponsible. If the lab itself will not deploy without governance controls, the enterprise argument for moving fast and governing later collapses.

The Non-Expert Test

One finding from the Glasswing announcement deserves separate attention. Anthropic reported that a non-expert achieved a working remote code execution exploit overnight, for under $2,000 in compute costs.

This is the number that should reframe every enterprise AI risk assessment currently in progress.

The barrier to sophisticated offensive capability is no longer expertise. It is not tooling. It is not access to classified vulnerability databases. It is $2,000 and a few hours. The implication: every employee with access to a frontier model and a target system is, in capability terms, an advanced offensive operator. Not in intention. In capability.

CrowdStrike’s 2026 Global Threat Report documented an 89% year-over-year increase in AI-augmented attacks. The non-expert finding explains the mechanism. The pool of people capable of discovering and exploiting vulnerabilities just expanded from thousands of specialists to anyone with a credit card and curiosity.

The 90-Day Clock

Anthropic committed to publishing a lessons-learned report within 90 days. This is the deliverable that matters most.

The report should answer several questions the announcement left open. How were coalition members selected? What governance controls exist within the coalition? Who arbitrates disagreements about disclosure timelines? What happens when Mythos finds a vulnerability in a coalition member’s own product? What is the protocol when a discovered vulnerability is already being exploited in the wild?

The EU AI Act enforcement date of August 2, 2026, adds regulatory urgency. The Act imposes penalties of up to 3% of global revenue for non-compliance. A model as capable as Mythos will face scrutiny under the Act’s provisions for high-risk AI systems. How Anthropic navigates this intersection of voluntary coalition and mandatory regulation will set precedent for every frontier model deployed in Europe.

What This Means for Enterprise Security

The practical takeaway is uncomfortable but clear.

If you are an enterprise security leader, the announcement of Glasswing means three things. First, the vulnerability discovery rate for your entire software stack just accelerated. Bugs that have survived decades of human review will surface in months. Your patch management process needs to handle this volume or it becomes your primary exposure.

Second, the offensive capability available to your adversaries jumped. Not gradually. Not next year. Now. A non-expert with $2,000 can achieve what required nation-state resources five years ago. Your threat model needs to reflect this new baseline.

Third, the governance model Anthropic chose for its most capable system is the governance model you should be applying to your own AI deployments. If the builder of the model will not release it without institutional controls, coalition oversight, and restricted access, your policy of “deploy first, govern later” is indefensible.

The restricted model is the governance framework. The coalition is the control structure. The pricing is the access control. Every element of Glasswing’s design is a governance decision disguised as a product decision.

The question for every organization is whether they will arrive at similar governance conclusions through design or through incident response.

---

This analysis synthesizes Anthropic’s Project Glasswing announcement (April 2026), the CrowdStrike 2026 Global Threat Report (February 2026), and research from governance.ai on cybercrime economics (2025).

Victorino Group helps organizations build governance frameworks for frontier AI capabilities before the deployment decision is made for them. Let’s talk.