The Zero-Day Factory

Anthropic announced Project Glasswing on April 8, 2026 — a cybersecurity initiative built around Claude Mythos Preview, a model that has found "thousands of high-severity zero-day vulnerabilities" in every major operating system and web browser.¹ The model discovered a 27-year-old vulnerability in OpenBSD, a 16-year-old flaw in FFmpeg, and chains of exploitable bugs in the Linux kernel. It scored 83.1% on the CyberGym cybersecurity benchmark, compared to 66.6% for Anthropic's previous best model.¹

The model won't be publicly available. Access goes to 12 founding partners — Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — plus over 40 additional organizations that build or maintain critical infrastructure.¹

Everyone else gets to wonder who builds the next one.

The Numbers

The benchmarks tell a story about capability jumping a threshold.

On CyberGym, which tests a model's ability to reproduce real-world cybersecurity vulnerabilities, Mythos scored 83.1% versus 66.6% for Claude Opus 4.6 — a model that was already among the most capable in the world.¹ On SWE-bench Verified, a software engineering benchmark, Mythos hit 93.9% compared to 80.8% for its predecessor.¹ On Terminal-Bench 2.0, 82.0% versus 65.4%.¹

In crash-testing comparisons, Mythos generated 595 crashes at high severity tiers compared to roughly 1 crash for Opus.² Independent researchers on Hacker News confirmed the FFmpeg patches were real, and that findings were reproducible with the model's predecessor — which had already found "more vulnerabilities than can be addressed."²

Anthropic's own framing: "AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities."¹

Read that sentence again. Not "finding." Finding and exploiting.

The Money

Anthropic is committing $100 million in Mythos usage credits to the initiative, plus $2.5 million to Alpha-Omega and the Open Source Security Foundation via the Linux Foundation, and $1.5 million to the Apache Software Foundation.¹ After the preview period, API pricing is set at $25 per million input tokens and $125 per million output tokens.¹

For context: $4 million to open-source security is what Anthropic spent on this press release's supporting cast. The model credits — giving partners free access to the vulnerability-finding machine — are where the real value sits. And that value is significant: a model that finds bugs surviving 27 years of expert human review is, functionally, an automated security audit that outperforms every penetration testing firm on earth.

The Precedent Problem

The pitch is simple: give the good guys the weapon first, and they'll patch the holes before the bad guys find them. Anthropic promises a public report within 90 days on "lessons learned, patched vulnerabilities, and improvements disclosable without risk."¹

We've heard this before.

In 2017, the Shadow Brokers leaked an NSA toolkit that included EternalBlue — a vulnerability the agency had discovered and stockpiled rather than disclosing.³ EternalBlue powered the WannaCry ransomware attack, which hit hospitals, banks, and government systems across 150 countries.⁴ The NSA's position had been identical to Anthropic's: we'll keep it in responsible hands. The responsible hands had a leak.

In 2015, the Italian surveillance company Hacking Team — which sold exploit tools to governments under strict "responsible use" agreements — was itself hacked. 400 gigabytes of internal data, including zero-day exploits, were dumped online.⁵ Their client list included Sudan, Ethiopia, and Saudi Arabia.

The pattern is consistent: concentrated access to vulnerability discovery creates concentrated risk. The containment is the question — not whether the good guys act responsibly, but whether the walls hold.

The Discovery-Patch Gap

There were over 26,000 CVEs published in 2023, trending higher in 2024 and 2025.⁶ The mean time to patch a critical vulnerability remains weeks to months for most organizations. "Patch fatigue" — the exhaustion of security teams overwhelmed by the volume of required updates — is already a documented phenomenon.⁷

Now add a model that finds thousands of new high-severity vulnerabilities in a single research pass.

The discovery rate just jumped by an order of magnitude. The patch rate didn't. Every vulnerability Mythos finds responsibly is one that an adversary's equivalent model might find independently. Anthropic isn't the only organization building frontier AI. Google's Big Sleep project demonstrated LLM-based vulnerability discovery in late 2024, finding a real exploitable bug in SQLite.⁸ DARPA's AI Cyber Challenge at DEF CON 2024 showed multiple teams building autonomous vulnerability-finding systems.⁹

The window between "Mythos finds it" and "it gets patched" is a window of exposure. And the more vulnerabilities that get found, the wider that window gets in aggregate, because human security teams can only patch so fast.

What This Means for Developers

If you write code, here's what just changed: the floor for automated security auditing just dropped through the basement.

A 27-year-old OpenBSD vulnerability survived Theo de Raadt's famously rigorous review process, survived decades of security audits, survived millions of automated tests. A model found it. The 16-year-old FFmpeg flaw survived one of the most actively maintained multimedia libraries in the world.¹

Two implications follow immediately:

First, human code review for security is necessary but no longer sufficient. It hasn't been sufficient for a while — the bug counts prove it — but there was a comfortable fiction that "good enough" review processes caught "most" critical issues. That fiction just got a number attached to it: thousands of high-severity bugs, in the most reviewed codebases on earth, found in a single pass.

Second, the security advantage is now a compute advantage. Organizations with access to Mythos-class models can scan their codebases at a depth human reviewers never reached. Organizations without access can't. This creates a security divide that maps exactly to the existing resource divide: big companies with Anthropic partnerships get the scanner. Open-source projects get $4 million and best wishes.

As one Hacker News commenter noted: "AI-enabled vulnerability discovery could enable actors normally unable to hire top hackers to cause chaos."² The flip side is also true: actors unable to afford Mythos-class defensive scanning are now exposed to an adversary class that can build equivalent offensive tools.

The Question They're Not Answering

Anthropic says Mythos won't be publicly available and that they plan to test safeguards on consumer-facing Claude products before enabling "Mythos-class models" more broadly.¹ Security professionals "affected" can apply to a Cyber Verification Program.¹

The question worth asking has nothing to do with Anthropic's model. It has everything to do with the next one.

If a single model, built by a single company, can find thousands of zero-days across every major operating system and browser, then the capability is achievable. It will be reproduced. It may already have been reproduced — by state actors who didn't publish a press release about it.

Anthropic chose to build the machine and announce it. The announcement serves multiple purposes: it positions Anthropic as the responsible steward of dangerous capabilities (a role they've cultivated since their founding), it creates a $100 million partnership pipeline with every major tech company, and it demonstrates a capability moat that justifies whatever valuation comes next.

What it doesn't do is put the genie back in the bottle. The existence proof is the danger. Not the model itself — the knowledge that the model is possible.