Anthropic Restricts Claude Mythos Over Vulnerability-Finding Power

Anthropic unveiled Project Glasswing on Tuesday, a coordinated effort to use an unreleased AI model called Claude Mythos Preview to find and fix software vulnerabilities at scale. The company simultaneously announced it will not release Mythos publicly—the first time since OpenAI withheld GPT-2 in 2019 that a major AI lab has restricted a model over safety concerns.

The initiative brings together Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic is committing up to $100 million in compute credits and $4 million in direct donations to open-source security organizations.

What Claude Mythos Can Do

According to Anthropic's announcement, Mythos Preview has already discovered thousands of high-severity vulnerabilities across major operating systems, web browsers, and widely-deployed open-source software. Several of these flaws had gone undetected for years—the oldest being a 27-year-old bug in OpenBSD, an operating system specifically designed for security.

The model's capabilities extend beyond finding bugs. Internal testing showed Mythos could develop working exploits for newly discovered vulnerabilities faster than most human security researchers. That dual-use potential—defensive discovery paired with offensive capability—drove Anthropic's decision to restrict access.

This development comes as AI continues reshaping how security researchers approach vulnerability discovery. Just yesterday, we reported on a 13-year-old ActiveMQ bug found by Claude AI, demonstrating that even current-generation models are proving valuable in security research.

Why Anthropic Is Withholding the Model

The company's risk assessment documents the reasoning: Mythos-class models could lower barriers for attackers who lack the expertise to find vulnerabilities themselves. An attacker armed with Mythos could potentially discover and weaponize zero-days faster than defenders could patch them.

"We believe Mythos represents a category of AI system that requires new safeguards before broad deployment," Anthropic wrote in the announcement. The company plans to eventually release Mythos-class models once those safeguards exist—but provided no timeline.

The decision invites comparisons to OpenAI's 2019 choice to stage GPT-2's release over concerns about generated text being used for disinformation. That restriction was controversial at the time; the model was eventually released in full nine months later. Whether Anthropic follows a similar path remains unclear.

Project Glasswing Structure

Partner organizations will gain access to Mythos Preview specifically for defensive security research. The terms prohibit using discovered vulnerabilities for offensive operations or disclosing them outside coordinated disclosure processes.

Approximately 40 additional organizations responsible for critical infrastructure software will receive limited access. Anthropic didn't name these organizations but indicated they include maintainers of widely-deployed open-source projects.

The CrowdStrike partnership focuses on endpoint protection software, while Cisco's involvement targets network infrastructure. Microsoft and Google will apply the model to their respective operating systems and browsers.

For organizations dealing with AI security threats in their own deployments, we've covered similar sandbox escape vulnerabilities that highlight why AI-assisted security tools themselves need rigorous hardening.

Industry Reaction

Security researchers expressed mixed reactions. Some praised the responsible approach to dual-use AI capabilities. Others questioned whether restricting access would slow defensive progress while attackers eventually develop similar capabilities independently.

The timing coincides with increasing concern about nation-state actors using AI to accelerate cyber operations. Recent campaigns by North Korean threat actors and Iranian APT groups targeting critical infrastructure demonstrate the escalating sophistication of state-sponsored attacks.

What This Means for Defenders

Project Glasswing won't directly benefit most security teams—at least not immediately. The vulnerabilities discovered will flow through standard coordinated disclosure, appearing as CVE entries and vendor patches without necessarily revealing the AI-assisted discovery method.

For the broader industry, this represents a significant escalation in the AI-security intersection. If Mythos can find 27-year-old bugs that escaped human review, the implication is clear: legacy codebases harbor more undiscovered vulnerabilities than anyone assumed.

Organizations running critical infrastructure should:

1. Accelerate patch cycles for any software included in Glasswing's scope
2. Monitor vendor advisories from partner organizations over the coming months
3. Review network segmentation to limit blast radius from potential zero-days
4. Assume existing vulnerabilities exist in long-running codebases

The first wave of Glasswing-discovered vulnerabilities will likely appear in coordinated disclosures over the next quarter. Whether this initiative ultimately improves security or merely shifts the attacker-defender balance remains to be seen.