Anthropic's Project Glasswing is the public name for an unusual cybersecurity initiative: a tightly-vetted programme that pairs a model the company says it will not release publicly — Claude Mythos Preview — with a roster of partners that includes Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. Anthropic has committed up to $100 million in model-usage credits to the partners and a further $4 million in donations to open-source security projects.
Glasswing has been visible in pieces since the original launch in April. The structure that has emerged this week — through Anthropic's project page and reporting from a half-dozen specialist outlets — is more substantial than the early descriptions suggested.
What Glasswing actually is
Anthropic frames Glasswing as "a unique, early-stage opportunity to evaluate next-generation AI tools for defensive cybersecurity across critical infrastructure both on our own terms and alongside respected technology leaders." In practice it is three things at once.
First, it is access — partners get to use Mythos Preview, an unreleased frontier model that has already identified thousands of high-severity vulnerabilities in operating systems and browsers, against software they operate or maintain. Second, it is funding — the $100M in credits removes the cost barrier for partners to actually run Mythos at scale, while the $4M open-source security donation underwrites the smaller projects that produce most of the dependency tree the partners ship. Third, it is a research collaboration — partners feed back results that inform Mythos training and Anthropic's broader Responsible Scaling Policy decisions.
Mythos itself is positioned as a general-purpose frontier model, not a security-specific one. Anthropic's argument is that the same capabilities that make a model dangerous in the wrong hands — long-horizon planning, code understanding, exploit chaining — make it uniquely valuable to defenders if access is gated to vetted parties.
The partner list, decoded
The eleven publicly-named partners cover the bulk of US-headquartered critical-software vendors and one Linux Foundation seat:
| Partner | Sector | Role in Glasswing |
|---|---|---|
| AWS | Hyperscaler | Hosts Mythos inference via Bedrock; customer infrastructure scope |
| Google | Hyperscaler | Inference via Vertex; broad consumer + enterprise surfaces |
| Microsoft | Hyperscaler | Azure inference; Windows + M365 attack surface |
| Apple | OS / consumer | First formal outside-lab security partnership in years |
| Broadcom | Silicon + enterprise SW | VMware estate + networking gear |
| NVIDIA | Silicon | Driver stack, CUDA ecosystem |
| Cisco | Security vendor | SD-WAN, network infrastructure customers |
| CrowdStrike | Security vendor | EDR distribution to enterprise endpoints |
| Palo Alto Networks | Security vendor | NGFW + cloud security distribution |
| JPMorgan Chase | Banking | Financial-services exemplar; regulator-relevant |
| Linux Foundation | Open source | $4M donation funds upstream-dependency hardening |
Two notable absences: no European banking representative, and no major Chinese or non-US AI lab. The first is likely to change after the FSB briefing; the second is a deliberate consequence of Anthropic's stated export-control posture. A handful of additional partners are reportedly in evaluation — including at least one European bank and two further security vendors — but Anthropic has not publicly confirmed names. The shape of the eventual full roster will determine whether Glasswing remains a US-centric programme or evolves into something closer to an international assurance arrangement.
Why a restricted release
Anthropic's stated rationale is that Mythos crosses a capability threshold that warrants restraint. The company says the model can independently identify chains of low-severity bugs that compose into high-severity exploits, including in code that has been through extensive prior security review. Releasing such a model openly would invite asymmetric harm: defenders would have to upgrade every critical system on Earth on a rolling basis; attackers would only need to find one combination that works.
This logic is debated. Critics inside the security community argue that withholding access also withholds the capability from the defenders who need it most — smaller organisations and open-source maintainers that are not on Anthropic's partner list. Glasswing's $4M open-source donation is partly an answer to that critique, but it does not give those maintainers Mythos access directly.
The Pentagon has separately described Glasswing and Mythos as "opportunities" — language that hints at federal interest in the same access model. Whether that ends in a public-sector Glasswing-equivalent or a quieter arrangement with specific defence and intelligence customers is not yet public.
What partners do with it
Concrete uses described publicly fall into three categories. Software vendors point Mythos at their own code to find vulnerabilities before public disclosure — Apple, Microsoft and the security vendors have indicated they are doing exactly this. Hyperscalers are using Mythos to evaluate customer-deployed images and platform infrastructure for novel classes of misconfiguration. The Linux Foundation has been more careful in describing its use, but that use at least includes triaging legacy code in widely-deployed projects.
The published numbers are still small. Mythos has produced thousands of high-severity findings in scope, but coordinated disclosure timelines mean most of those findings have not yet surfaced as CVEs. The trickle will become a flood over the next 6–12 months as the disclosure embargoes lapse.
The breach last month — and what it changes
On 21 April, a small group of unauthorised users reached Mythos via a third-party vendor environment on the same day the model was announced. The intrusion was not directly through Anthropic's primary infrastructure but through a partner's surface, and was contained quickly. The episode has, however, sharpened a regulatory question: if a frontier security model leaks, what happens? The Financial Stability Board has asked Anthropic to brief regulators on Mythos findings and the breach; Andrew Bailey, Bank of England Governor and FSB member, formally requested the meeting.
For Glasswing, the breach is a credibility test. Anthropic's argument for restricting Mythos is that controlled distribution materially lowers asymmetric harm. The April incident did not produce a public release of model weights or capabilities, and the company has moved to tighten vendor controls — but it complicates the narrative.
What to track
Three near-term markers matter for Glasswing's trajectory. First, CVE disclosure rate — when the embargoed findings start landing in CVE databases over Q3 and Q4, the volume and severity profile will reveal whether Mythos's contribution to defence is structural or marginal. Second, partner additions or removals — particularly any non-US bank or non-US security vendor joining the named partner list. Third, regulatory framing — whether the FSB briefing produces a model the SEC, the EU AI Office and US Treasury can accept, or whether it accelerates pressure for either compulsory access or compulsory withholding.
Glasswing is not the model release; it is the access mechanism. The trade-off it represents — concentrated capability paired with concentrated accountability — will increasingly define how frontier security tools enter the world.
How the access tier compares with public-sector parallels
Glasswing's restricted-access model has analogues in other technology categories that operate under similar capability-versus-harm tensions. The most useful comparison is with cryptographic-research access controls — specifically the way frontier symmetric and asymmetric primitives have historically been released under coordinated-disclosure regimes that brief governments and major industry users before general publication. The legal architecture is different (export controls under the Wassenaar Arrangement versus voluntary access agreements) but the operational logic is similar: capability that benefits everyone if widely understood, but disadvantages defenders if released without preparation time.
A second comparison is with the Common Criteria evaluation regime for cryptographic and security products. Common Criteria has been criticised for slowness and bureaucracy, but its underlying premise — that government-aligned evaluators can produce assurance reports that private buyers rely on — is structurally similar to what Glasswing partners are receiving when they run Mythos against their own software. The difference is that Glasswing is private rather than public, and produces findings rather than certifications.
A third, less obvious parallel is with vulnerability bounty programmes. Anthropic's model with Glasswing inverts the bounty dynamic: rather than paying outside researchers to find bugs in Anthropic's products, the company is paying (via model credits) for partners to find bugs in their own products using Anthropic's tool. The cost-flow direction is reversed, but the discovery economics are similar — concentrate skilled discovery effort against the most security-sensitive surfaces and pay for it.
What none of these comparisons fully captures is the speed differential. Common Criteria evaluations take quarters or years; cryptographic disclosure cycles run months. Mythos is producing thousands of high-severity findings in weeks. The discovery cadence has compressed by an order of magnitude, which has compressed the disclosure-and-patch cycle by the same factor. Vendors on the Glasswing roster have had to upgrade their security-engineering capacity simply to absorb the rate at which Mythos surfaces actionable findings — a hidden cost of the programme that the headline $100M in model credits does not fully convey.
The compressed cadence also changes who can participate at all. A vendor with a six-person product-security team is fundamentally not equipped to triage hundreds of new findings per month — Glasswing's deliberately small roster is partly a recognition of that operational constraint, not just a security-of-access decision. Whether the access pattern eventually broadens depends as much on whether downstream organisations build the absorption capacity as on whether Anthropic decides the model can safely be released more widely. Several Glasswing partners have publicly noted that they are now hiring AI-augmented application-security engineers — a job description that did not exist a year ago — at multiples of their prior hiring rate.