Anthropic built the most dangerous AI for finding software bugs ever made. Then it refused to sell it.
Instead, the company has assembled the largest private-sector cybersecurity coalition in history: twelve founding partners including JPMorgan Chase, Cisco, CrowdStrike, and every major cloud provider, backed by $100 million in compute credits and $4 million in direct funding to open-source security projects. The initiative, called Project Glasswing, was announced alongside Claude Mythos Preview on April 7. Its explicit purpose is to find and patch vulnerabilities before the model that discovered them becomes broadly available.
The question regulators and security experts are now wrestling with is whether that containment strategy can outrun the capability it was built to address.
Mythos Preview is not a product in any normal sense. Anthropic has declined to release it publicly, a decision that is itself exceptional: frontier AI labs routinely cap capabilities, add safety warnings, or phase rollouts, but voluntarily declining to ship a model because it is too dangerous to deploy is rare. According to Anthropic's own benchmarks, the model found exploitable vulnerabilities in every major operating system and every major web browser tested. It discovered a 27-year-old bug in OpenBSD, an operating system used to run firewalls and other critical infrastructure that has a reputation for security-first design. It found a 16-year-old flaw in FFmpeg, a widely used open-source library for processing audio and video; the flaw had been hit five million times during automated testing without anyone catching the problem.
Those are the bugs Anthropic is willing to describe. In a technical blog post, the company said it had found thousands of additional vulnerabilities but could not disclose them because most remain unpatched.
The benchmarks beyond the disclosure wall are more striking. Against OSS-Fuzz, a standard automated testing corpus, Mythos achieved 595 crashes at tiers one and two, added a handful at tiers three and four, and reached full control flow hijack on ten separate, fully patched targets. Anthropic's previous best model, Opus 4.6, managed a single crash at tier three. When both models were run against the same set of Firefox JavaScript engine vulnerabilities, Opus 4.6 turned them into working shell exploits roughly two times out of several hundred attempts. Mythos did it 181 times, with 29 additional runs achieving register control. In one case, Mythos independently wrote a web browser exploit that chained together four vulnerabilities, executed a complex JIT heap spray, and escaped both the browser's renderer sandbox and the operating system's sandbox. It also autonomously developed local privilege escalation exploits on Linux by exploiting subtle race conditions and KASLR bypasses.
These capabilities are not hypothetical. "Non-experts can also leverage Mythos Preview to find and exploit sophisticated vulnerabilities," Anthropic's researchers noted. "Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight, and woke up the following morning to a complete, working exploit."
Christian Sewing, president of the German Banking Association and CEO of Deutsche Bank, said on April 20 that banks are in close contact with European regulators about the model. "It's certainly not something that's causing panic or setting off any alarm bells on our end right now, but it's definitely something we need to keep in mind in our day-to-day risk management -- and that's exactly what we're doing," he told journalists. Kolja Gabriel, an executive board member of the German Banking Association, said talks involve the Bundesbank and BaFin, Germany's financial watchdog, and that IT security firms are already using Mythos in a controlled manner to identify vulnerabilities before they can be weaponized.
That coordinated disclosure model is what Glasswing is meant to institutionalize. The founding partners receive access to Mythos Preview to scan their own systems and the open-source software they depend on. Anthropic shares what it learns so the entire industry can benefit. The company has committed up to $100 million in usage credits across the effort and $4 million in direct donations to open-source security organizations. More than 40 additional organizations, beyond the twelve founding partners, have also been granted access.
The regulatory response has been global. The European Central Bank is gathering information about the model and planning to ask banks under its supervision about their preparedness. Australia's ASIC said it expects financial services licensees to be on the front foot. South Korea's Financial Supervisory Service held a meeting with information security officials from financial firms, and the country's Financial Services Commission convened an emergency session with chief information security officers from banks and insurers. In the United States, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell convened an urgent meeting with bank chief executives; President Trump acknowledged the risks to the banking system and backed government safeguards. St. Louis Fed President Alberto Musalem said the development had prompted the central bank to revisit its thinking on cybersecurity resilience.
Britain's government was more direct. Technology Secretary Liz Kendall and Security Minister Dan Jarvis wrote to businesses warning that Mythos is "substantially more capable at cyber offence than any model previously tested by the government's AI Security Institute." A new generation of AI models, they wrote, is "becoming capable of doing work that previously required rare expertise: finding weaknesses in software, writing the code to exploit them, and doing so at a speed and scale that would have been impossible even a year ago."
The Cloud Security Alliance, a coalition of cybersecurity executives and former senior U.S. government officials, warned in an April 12 briefing that Mythos represents a step change that "lowers the cost and skill floor for discovering and exploiting vulnerabilities faster than organizations can patch them."
Bruce Schneier, a security researcher and author whose work on cryptography and cybersecurity has been influential for three decades, offered a more complicated read. "Anthropic's Mythos announcement is a PR play that worked," he wrote on April 13. But he added a significant caveat: the security company Aisle was able to replicate the vulnerabilities Anthropic found using older, cheaper, publicly available models. "There is a difference between finding a vulnerability and turning it into an attack," Schneier wrote. "This points to a current advantage to the defender."
That distinction matters. Glasswing addresses the harder problem of coordinated vulnerability disclosure: finding bugs, notifying maintainers, giving them time to patch, then publishing. But if the barrier to operationalization is lower than Glasswing's proponents assume, the model may be solving the simpler half of the problem while the harder half remains accessible to anyone with a consumer GPU.
The timeline matters here. Anthropic announced Mythos Preview and Project Glasswing on April 7, 2026. The regulatory warnings from the ECB, U.S. Treasury, and UK government followed within days. Whether Glasswing was a proactive containment strategy or a reactive PR response to anticipated regulatory pressure is not yet clear from public sources. Anthropic declined to comment beyond its April 7 announcement.
What is clear is that the banking sector's exposure is not hypothetical. Financial institutions run some of the oldest and most interconnected technology stacks in existence. Core banking systems at large banks often include decades-old mainframe code. ATM networks, interbank settlement systems, and know-your-customer platforms frequently depend on shared vendors and shared infrastructure. A vulnerability in any one of those systems does not stay contained to that system.
The pressure on banks is compounding. Regulators in multiple jurisdictions are demanding they demonstrate preparedness for a threat category that did not exist a year ago. The infrastructure to respond is being built in parallel, under the auspices of a coalition whose effectiveness has not yet been tested at scale. And the underlying capability that created the problem is not standing still: Anthropic's own benchmarks show the gap between its current model and its predecessor doubling and tripling across multiple measures. If that trajectory holds, the race Glasswing is trying to win may be one whose finish line keeps moving.
What to watch next: whether any of the 40-plus organizations beyond the twelve founding partners begin publishing vulnerability disclosures attributable to Mythos Preview findings, and whether those disclosures arrive faster than the coordinated regulatory inquiries currently underway produce formal guidance. Either data point would begin to answer whether Glasswing is a real containment model or an exceptionally well-funded press release.