Project Glasswing is a cybersecurity initiative announced by Anthropic on 7 April 2026. Its goal is to secure the world's most critical software and give defenders a durable advantage in the emerging AI-driven era of cybersecurity. At its centre is Claude Mythos Preview, a frontier AI model purpose-built to find software vulnerabilities at a scale and speed no human team can match.
The implications reach far beyond Silicon Valley. With a cyber incident now reported in Australia roughly every six minutes, the same AI capabilities that uncovered these flaws are reshaping how Australian organisations think about software risk. This page is an independent, plain-English explainer of what Anthropic announced, what the findings actually show, and what it means for businesses in our region.
What Claude Mythos actually is
Claude Mythos Preview is an unreleased, general-purpose frontier model that Anthropic describes as exceptionally capable at identifying software vulnerabilities. On the public CyberGym benchmark for vulnerability reproduction, Mythos Preview scored 83.1% — a substantial jump over Claude Opus 4.6's 66.6%. In practice, that means the model can read large, unfamiliar codebases, reason about how an attacker might break them, and reproduce working proofs of concept for flaws that automated scanners and human auditors had missed for years.
Because a tool this powerful could be misused, Anthropic kept Mythos Preview unreleased and gave access only to vetted partners under Project Glasswing, while it develops new safeguards for a future, safer Claude Opus model. The capability is the headline; the careful, gated rollout is arguably the more important part of the story.
The scale of the findings
The numbers are what make Project Glasswing unprecedented. According to Anthropic's initial update and subsequent reporting, Anthropic and its partners have used Mythos Preview to identify more than 10,000 high- or critical-severity vulnerabilities across the most systemically important software in the world.
In one structured study, Anthropic scanned over 1,000 open-source projects and surfaced 23,019 total issues, of which 6,202 were high- or critical-severity. Of a validated sample of 1,752 high- and critical-severity findings, more than 90% were confirmed as true positives — an unusually low false-positive rate for automated vulnerability discovery. Concrete examples disclosed by Anthropic include a 27-year-old flaw in OpenBSD, a 16-year-old vulnerability in FFmpeg, and multiple chained vulnerabilities in the Linux kernel — bugs that sat undetected through decades of human review.
The partner coalition
Anthropic did not publish these findings into the void. Project Glasswing launched with eleven named partners — Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — alongside Anthropic itself. More than 40 additional organisations, reportedly including Cloudflare and Mozilla, were given access to find and fix weaknesses in their own foundational systems. Pairing the discovery capability with the vendors who actually maintain the affected software is what turns a research result into real-world remediation.
Responsible disclosure by design
Publishing 10,000 unpatched vulnerabilities at once would be a gift to attackers. To avoid that, Project Glasswing uses a cryptographic-hash disclosure model: for an unpatched flaw, Anthropic publishes only a hash of the details, and reveals the specifics only after a fix is in place. This lets Anthropic prove it found a given bug on a given date without handing adversaries a roadmap. Anthropic also committed $100 million in usage credits for partners using Mythos Preview and $4 million in direct donations to open-source security organisations — including $2.5M to Alpha-Omega and the OpenSSF and $1.5M to the Apache Software Foundation.
Why it matters for Australian businesses
The software named in these findings — operating systems, browsers, media libraries, the Linux kernel — runs inside almost every Australian business, government agency, and critical-infrastructure operator. When a wave of patches follows a disclosure like this, the organisations that update quickly are protected and the slow movers become the soft targets. For Australian teams already navigating the Security of Critical Infrastructure (SOCI) Act and tightening regulatory expectations, Project Glasswing is a preview of the new baseline: AI will find flaws faster than ever, and defence increasingly means patching and monitoring at the same speed. The practical takeaways are covered in depth across our cybersecurity blog, and the recommended security tools below are a sensible starting point for hardening your own environment.
Glasswing.com.au is an independent commentary site and is not affiliated with, endorsed by, or associated with Anthropic, PBC. All figures above are drawn from Anthropic's published materials and mainstream reporting, linked inline.