Project Glasswing: When AI Finds Vulnerabilities Humans Missed for 27 Years
AI Industry Watch
Anthropic just announced that its unreleased Claude Mythos Preview model found a vulnerability in OpenBSD—one of the most security-hardened operating systems in the world—that had existed for 27 years without detection. It discovered a 16-year-old flaw in FFmpeg in a line of code that automated testing tools had hit five million times without flagging the problem. It autonomously chained together multiple vulnerabilities in the Linux kernel to achieve privilege escalation from ordinary user to complete system control. And those are just three examples from thousands of zero-day vulnerabilities the model has identified across every major operating system and every major web browser.
The announcement, made today under the name Project Glasswing, marks a threshold moment in AI capabilities and cybersecurity. AI models have reached a level where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. For healthcare organizations running electronic health record systems, medical devices, telehealth platforms, and clinical decision support tools built on this same vulnerable software infrastructure, this represents both an existential threat and an unprecedented defensive opportunity.
Anthropic is responding by forming a partnership with Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks to use Mythos Preview for defensive security work before these capabilities proliferate to actors who won't use them safely. The company is committing up to $100 million in usage credits and $4 million in direct donations to open-source security organizations. Over 40 additional organizations that build or maintain critical software infrastructure will receive access to scan and secure their systems.
For healthcare security professionals, this announcement changes the risk landscape immediately and fundamentally. The software that hospitals, clinics, laboratories, and health systems rely on every day contains vulnerabilities that AI can now find and exploit faster than humans can patch them. The race between attackers and defenders has entered a new phase where AI capabilities determine who wins.
What Mythos Preview Can Do That Previous Models Could Not
Claude Mythos Preview represents a significant leap beyond Anthropic's most capable publicly available model, Opus 4.6. On CyberGym, a cybersecurity vulnerability reproduction benchmark, Mythos Preview scores 83.1% compared to Opus 4.6's 66.6%. That sixteen-point gap translates to finding entire classes of vulnerabilities that previous models missed entirely.
The model's capabilities extend beyond simple vulnerability detection. It can autonomously develop sophisticated exploits—working code that actually demonstrates how to leverage a vulnerability to compromise a system. In many cases, Mythos Preview identified vulnerabilities and developed exploits entirely autonomously without any human steering, guidance, or prompt engineering beyond the initial task description.
The technical underpinnings of these cybersecurity capabilities come from the model's strong agentic coding and reasoning skills. On SWE-bench Verified—a benchmark measuring ability to solve real-world software engineering problems—Mythos Preview scores 93.9% compared to Opus 4.6's 80.8%. On Terminal-Bench 2.0, which measures command-line interaction and system administration tasks, Mythos scores 82.0% versus 65.4%. On GPQA Diamond, a graduate-level science and reasoning benchmark, Mythos achieves 94.6% against 91.3%.
These aren't incremental improvements. They represent the kind of capability jump that changes what's possible. A model that can read millions of lines of code, reason about complex interactions between components, spot subtle logic errors that humans and automated tools missed, and then develop working exploit code—that's not a better code reviewer. That's a fundamentally different kind of security tool.
For healthcare organizations, this capability level means that software you've been running for years, that's passed security reviews and penetration tests, that's been scanned by automated vulnerability detection tools, may still contain exploitable flaws that AI can now find. The 27-year-old OpenBSD vulnerability, the 16-year-old FFmpeg flaw hit five million times by testing tools—these aren't edge cases. They're demonstrations that traditional security approaches have systematic blind spots that AI can now see through.
The Vulnerabilities Found So Far: A Sample
Anthropic has been using Mythos Preview for several weeks to scan critical software infrastructure. The results are sobering. The model has found thousands of zero-day vulnerabilities—flaws previously unknown to software developers and maintainers—with many classified as critical severity. Every major operating system has vulnerabilities. Every major web browser has vulnerabilities. The software stack that healthcare organizations rely on has vulnerabilities at every layer.
Three specific examples Anthropic disclosed (after the vulnerabilities were patched) illustrate the sophistication of what Mythos Preview can find:
The OpenBSD vulnerability allowed remote crash attacks. An attacker could connect to any machine running OpenBSD and crash it without any authentication or user interaction required. OpenBSD has a reputation as one of the most security-hardened operating systems available, used specifically in contexts where security matters—firewalls, network infrastructure, critical systems. That a remotely exploitable crash vulnerability survived 27 years of security-focused development and review demonstrates how difficult it is for humans to find these flaws even when actively looking for them.
The FFmpeg vulnerability existed in a line of code that automated testing hit five million times without detecting the problem. FFmpeg is ubiquitous—it's the video encoding and decoding library used by countless applications, web services, media players, and content management systems. A vulnerability in FFmpeg potentially affects every system that processes user-uploaded video, every streaming service, every video conferencing platform. Healthcare organizations use video extensively—telehealth consultations, medical imaging, patient education content, surgical recordings. A compromised FFmpeg library could become an entry point for attacks on healthcare systems that process video content.
The Linux kernel vulnerability chain involved multiple separate flaws that Mythos Preview autonomously identified and chained together to achieve privilege escalation. An attacker starting with ordinary user access could leverage these vulnerabilities to gain complete control of the machine. Linux runs most of the world's servers, including the vast majority of cloud infrastructure and containerized application environments. Healthcare organizations running Linux-based servers for EHR systems, clinical databases, research platforms, or analytics systems need to assume those systems may be vulnerable to privilege escalation attacks that AI can now discover and exploit.
Anthropic has reported all discovered vulnerabilities to the relevant software maintainers and is waiting for patches before disclosing specifics. For many vulnerabilities, they've published cryptographic hashes of the details as commitment to future disclosure once fixes are deployed. This responsible disclosure approach protects users during the patching window, but it also means the full scope of what Mythos Preview has found isn't yet public. The thousands of vulnerabilities mentioned likely include flaws in software healthcare organizations use every day.
What Project Glasswing Partners Are Finding
The twelve major technology companies participating as launch partners in Project Glasswing have had access to Mythos Preview for several weeks and are already using it in their defensive security work. Their public statements reveal both the capability of the model and the urgency they perceive:
Cisco's Anthony Grieco, SVP and Chief Security & Trust Officer, stated that AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure. His framing is important: "there is no going back." The old ways of hardening systems are no longer sufficient. Technology providers must aggressively adopt new approaches now, and customers need to be ready to deploy.
AWS's Amy Herzog, Vice President and CISO, emphasized that AWS analyzes over 400 trillion network flows every day for threats and that AI is central to their ability to defend at scale. They've been testing Mythos Preview in their own security operations, applying it to critical codebases where it's already helping strengthen their code. The implication for healthcare organizations using AWS infrastructure is clear—even Amazon's massive security operation with dedicated teams and sophisticated tooling found new vulnerabilities when they applied Mythos Preview to their systems.
Microsoft's Igor Tsyganskiy noted that when they tested Mythos Preview against CTI-REALM, their open-source security benchmark, it showed substantial improvements compared to previous models. Microsoft operates at planetary scale with some of the world's largest and most sophisticated security teams. If Mythos Preview is finding issues Microsoft's existing tools and processes missed, healthcare organizations should assume similar gaps exist in their own security posture.
CrowdStrike's Elia Zaitsev emphasized that the window between a vulnerability being discovered and being exploited by an adversary has collapsed to minutes with AI. What once took months now happens almost instantly. The implication is stark: when an attacker discovers a vulnerability using AI tools, healthcare organizations have essentially no buffer time to patch before exploitation attempts begin. The traditional patch cycle—discover vulnerability, develop fix, test fix, schedule deployment window, deploy to production—assumes weeks or months of runway. That assumption no longer holds.
The Linux Foundation's Jim Zemlin highlighted that open source software constitutes the vast majority of code in modern systems. Historically, open source maintainers have been left to figure out security on their own without the resources that large organizations can dedicate to security teams. By giving maintainers access to Mythos Preview, Project Glasswing offers a path to AI-augmented security becoming available to every maintainer, not just those who can afford expensive security teams. For healthcare organizations, this matters because the software stack running their systems is built primarily on open source components. Securing that stack requires securing the upstream open source projects.
Why Healthcare Organizations Should Care Right Now
Healthcare systems run on software with vulnerabilities that AI can now find faster than humans can patch. That's not speculation or future risk—it's current reality demonstrated by the vulnerabilities Mythos Preview has already discovered. The question for healthcare security teams isn't whether their systems are vulnerable but how quickly they can find and fix vulnerabilities before attackers using similar AI capabilities discover and exploit them.
The specific vulnerabilities disclosed so far—operating systems, web browsers, video encoding libraries, kernel privilege escalation chains—map directly to components healthcare organizations depend on. Linux servers running EHR databases, web browsers accessing patient portals, video encoding for telehealth sessions, containerized microservices running clinical decision support systems—all potentially affected by vulnerabilities AI can now discover.
The healthcare sector has already experienced devastating cyberattacks. The WannaCry ransomware attack in 2017 crippled the UK's National Health Service, canceling thousands of appointments and diverting ambulances. The Colonial Pipeline attack demonstrated that critical infrastructure can be paralyzed by ransomware. Hospital ransomware attacks have forced facilities to divert ambulances, cancel surgeries, and operate without electronic health records for days or weeks. Individual hospitals and school systems targeted by smaller-scale attacks still face substantial economic damage, data exposure, and in healthcare contexts, potential patient harm.
AI-augmented cyberattacks will make these incidents more frequent and more destructive. When attackers can use AI to find zero-day vulnerabilities in the specific software versions a healthcare system runs, develop exploits tailored to that environment, and chain multiple vulnerabilities together for maximum impact, the defensive challenge becomes exponentially harder. Healthcare organizations can't assume that patching known CVEs and following security best practices provides adequate protection when AI can discover unknown vulnerabilities faster than patches can be developed and deployed.
The financial costs of cybercrime globally are estimated around $500 billion annually. For healthcare, the costs include not just direct financial losses but regulatory penalties for HIPAA violations when protected health information is exposed, reputational damage when patient data is compromised, operational disruption when clinical systems are unavailable, and in the worst cases, patient harm when cyberattacks affect clinical care delivery.
The Defensive Opportunity: Using AI Before Attackers Do
The same capabilities that make AI models dangerous in the wrong hands make them invaluable for defenders who act quickly. If healthcare organizations can use AI to find and fix vulnerabilities in their systems before attackers discover them, they gain a temporary defensive advantage. The emphasis is on temporary—these capabilities will proliferate. The window for proactive defense using AI tools before attackers gain equivalent capabilities is measured in months, not years.
Project Glasswing represents Anthropic's attempt to give defenders a head start. By providing Mythos Preview access to major technology companies, critical infrastructure operators, and open source maintainers before general release, the initiative aims to create a period where defensive security work can get ahead of offensive capability development. Healthcare organizations that build or maintain critical software should be exploring participation in similar programs or partnerships that provide early access to defensive AI tools.
The immediate use cases for Mythos Preview in defensive security include vulnerability detection in source code, black box testing of compiled binaries, securing endpoints, and penetration testing of systems. For healthcare organizations, these map to scanning EHR systems for vulnerabilities, testing medical device software for exploitable flaws, hardening workstations and servers, and red team exercises that use AI to simulate sophisticated attackers.
Anthropic is committing $100 million in usage credits for Mythos Preview access across Project Glasswing participants. After the research preview period, the model will be available at $25 per million input tokens and $125 per million output tokens—pricing that makes comprehensive scanning of large codebases economically feasible for organizations with significant security budgets. For context, scanning millions of lines of code with human security reviewers costs orders of magnitude more and takes far longer.
The company has also donated $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation to enable open source maintainers to respond to the changing threat landscape. Healthcare organizations that depend on open source software—which is nearly all of them—benefit indirectly when upstream projects use AI to find and fix vulnerabilities before releasing new versions.
What Anthropic Is Not Releasing
Anthropic has made a deliberate decision not to make Claude Mythos Preview generally available. The model's offensive cybersecurity capabilities are too dangerous to release without safeguards that can detect and block the most dangerous outputs. The company's eventual goal is to enable users to safely deploy Mythos-class models at scale for both cybersecurity purposes and other benefits that highly capable models bring, but that requires developing robust safety mechanisms first.
The plan is to launch those safeguards with an upcoming Claude Opus model that doesn't pose the same level of risk as Mythos Preview. Anthropic can then improve and refine the safety mechanisms in a production environment before applying them to more dangerous models. Security professionals whose legitimate work requires bypassing those safeguards will be able to apply to a Cyber Verification Program for access.
This approach—developing powerful capabilities, demonstrating them with controlled partners, and delaying general release until safety mechanisms are proven—represents responsible AI development that other labs should emulate. It also creates a window where the capabilities demonstrated by Mythos Preview exist but aren't widely available. Healthcare organizations should not assume that this window will last long. State-sponsored attackers, sophisticated criminal organizations, and well-funded threat actors will develop equivalent capabilities independently or through other channels.
The technical details Anthropic has released—benchmark scores, example vulnerabilities, partner testimonials—provide enough information for security teams to understand the capability level without providing the actual model that could be misused. This balance between transparency about capabilities and restriction of access to dangerous tools is difficult to maintain as AI capabilities advance, but it's essential for managing the transition period where offensive capabilities develop faster than defensive responses.
Implications for Healthcare Security Strategy
Healthcare organizations need to update security strategies to account for AI-augmented attackers with capabilities equivalent to or exceeding Mythos Preview. This means several specific changes to current practice:
Vulnerability scanning and penetration testing should incorporate AI tools as they become available for defensive use. Traditional automated scanners and human security reviewers will miss vulnerabilities that AI can find. Healthcare organizations should be planning now for how to integrate AI-augmented security testing into their security assessment processes. This may mean partnering with security vendors who have access to advanced AI models, participating in programs like Claude for Open Source if applicable, or budgeting for access to AI security tools as they become available.
Patch management processes need to account for dramatically compressed exploitation timelines. When the window between vulnerability discovery and exploitation attempts shrinks to minutes, waiting weeks to deploy patches during scheduled maintenance windows is no longer viable for critical systems. Healthcare organizations need emergency patching procedures, the infrastructure to deploy critical security updates rapidly, and the operational practices to verify that patches don't break clinical workflows before deploying to production.
Threat modeling should assume adversaries have AI-augmented capabilities. Security architectures designed to withstand manual attacks or automated scanning may be insufficient against adversaries who can discover novel vulnerability chains, develop custom exploits, and adapt tactics in real-time. Defense-in-depth becomes even more critical when attackers can systematically probe for weaknesses across the entire attack surface.
Security staffing and training need to account for AI augmentation on both sides. Defensive security teams need skills in working with AI tools for vulnerability detection, exploit analysis, and threat hunting. But they also need to understand how attackers will use AI so they can anticipate and counter AI-augmented attack techniques. This may require security training that specifically addresses AI-augmented threats and defenses.
Open source dependency management becomes more critical. Healthcare applications typically include hundreds or thousands of open source components. Each component represents potential attack surface if it contains vulnerabilities. Healthcare organizations should be tracking their software bill of materials comprehensively, monitoring for vulnerabilities in dependencies, and having processes to update or replace vulnerable components quickly. The risk that AI will find vulnerabilities in widely-used open source libraries makes dependency hygiene essential.
The Broader Industry Response Anthropic Is Calling For
Anthropic is framing Project Glasswing as a starting point rather than a complete solution. No single organization can solve these cybersecurity problems alone. The announcement calls for collaboration among frontier AI developers, software companies, security researchers, open source maintainers, and governments across the world.
Within 90 days, Anthropic will report publicly on what they've learned from Project Glasswing, including vulnerabilities fixed and improvements made that can be disclosed. They'll also collaborate with leading security organizations to produce practical recommendations for how security practices should evolve in the AI era. These recommendations may address vulnerability disclosure processes, software update processes, open source and supply chain security, software development lifecycle and secure-by-design practices, standards for regulated industries, triage scaling and automation, and patching automation.
For healthcare, these evolving standards will directly impact regulatory compliance requirements and security best practices. Healthcare security teams should be tracking the public outputs from Project Glasswing and participating in industry discussions about how cybersecurity practices need to change. The regulatory frameworks that govern healthcare security—HIPAA, HITRUST, state-level requirements—were written before AI-augmented cyberattacks became feasible. Those frameworks will need updates to address the new threat landscape.
Anthropic has been in discussions with US government officials about Mythos Preview and its offensive and defensive cyber capabilities. Securing critical infrastructure is a national security priority, and the emergence of AI cyber capabilities is another reason why the US and its allies must maintain a decisive lead in AI technology. Governments have roles to play in assessing and mitigating national security risks from AI models, maintaining technological leadership, and potentially coordinating defensive responses across critical infrastructure sectors.
The announcement suggests that an independent third-party body bringing together private and public sector organizations might be the ideal long-term home for continued work on large-scale cybersecurity projects. For healthcare, this could mean industry-specific collaborations—perhaps a Healthcare ISAC working group specifically addressing AI-augmented cybersecurity threats, or coordination between HHS, CISA, and major health systems to develop sector-specific defensive strategies.
The Timeline: Why This Matters Now
Anthropic's framing emphasizes urgency: "The work of defending the world's cyber infrastructure might take years; frontier AI capabilities are likely to advance substantially over just the next few months. For cyber defenders to come out ahead, we need to act now."
This timeline matters for healthcare planning. If AI cyber capabilities will advance substantially over the next few months, and the defensive work required takes years, healthcare organizations cannot afford to wait for perfect solutions or comprehensive guidance before acting. The actions available now—participating in defensive AI tool programs if eligible, updating vulnerability management processes, accelerating patch deployment capabilities, training security teams on AI-augmented threats—should begin immediately even as long-term strategies develop.
The Project Glasswing partners—AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks—represent a significant portion of the technology infrastructure healthcare organizations depend on. When AWS finds and fixes vulnerabilities in their cloud infrastructure, healthcare organizations using AWS benefit. When Microsoft hardens Windows and Azure, healthcare systems running on those platforms become more secure. When the Linux Foundation distributes AI security tools to open source maintainers, the software supply chain that healthcare depends on improves.
But healthcare organizations also build and maintain custom software—clinical applications, integration layers, data analytics platforms, patient portals, mobile apps—that won't automatically benefit from the security improvements Project Glasswing partners make to their own systems. Healthcare security teams need to be thinking about how to apply similar AI-augmented security practices to the software they develop and deploy internally.
What Healthcare Security Teams Should Do This Week
The Project Glasswing announcement should trigger immediate action items for healthcare security teams:
Inventory software components and versions across critical systems. You can't defend what you don't know you have. Healthcare organizations should have comprehensive software bills of materials for all systems that handle protected health information, support clinical workflows, or connect to the internet. When vulnerabilities are disclosed, you need to know instantly whether they affect your systems.
Review patch management processes and timelines. Can you deploy critical security patches to production systems within hours if necessary? Do you have processes to test patches rapidly without breaking clinical functionality? Can you coordinate emergency patching across distributed facilities and vendors? If exploitation timelines have compressed to minutes, your response timelines must compress accordingly.
Assess security vendor capabilities for AI integration. Are your vulnerability scanning vendors incorporating AI capabilities? Are penetration testing providers using AI tools to find vulnerabilities automated scanners miss? When evaluating security products and services, ask specifically about AI augmentation and what that means for detection capabilities.
Engage with vendors and open source projects you depend on. Ask software vendors how they're using AI for security testing. Inquire whether critical open source projects you rely on have access to AI security tools. Consider whether your organization can contribute to open source security initiatives financially or through participation.
Begin security team training on AI-augmented threats and defenses. Your security analysts, incident responders, and security engineers need to understand how AI changes attacker capabilities and what defensive tools are emerging. This doesn't require deep AI expertise, but it does require updating mental models of what threats look like and how to respond.
Update threat models and risk assessments. Document the assumption that adversaries may have AI-augmented capabilities equivalent to or exceeding what Anthropic has demonstrated. Evaluate what that means for your existing security controls, whether current defenses are sufficient, and where additional investment is needed.
Plan for AI tool integration when defensive tools become available. Even if you don't have access to Mythos Preview now, assume that similar capabilities will become available through security vendors, cloud providers, or direct access programs. Having a plan for how to integrate AI security tools into your existing workflows means you can move quickly when opportunities arise.
The Larger Context: AI Safety and Cybersecurity Converge
Project Glasswing demonstrates convergence between AI safety concerns and cybersecurity challenges. Anthropic has been vocal about AI safety risks, implementing responsible scaling policies, developing constitutional AI, and delaying releases when safety mechanisms aren't ready. The decision not to release Mythos Preview generally reflects those safety commitments applied to cybersecurity capabilities specifically.
But the announcement also shows that safety-focused development doesn't mean withholding capabilities from legitimate defensive use. Controlled release to vetted partners for defensive purposes, with monitoring, safeguards, and reporting commitments, represents a middle path between unrestricted release and complete restriction. This approach may become a model for how frontier AI labs handle other powerful capabilities—not freely available, not completely locked down, but carefully distributed to parties who can use them for beneficial purposes under appropriate oversight.
For healthcare, this has implications beyond cybersecurity. As AI capabilities advance in medical diagnosis, treatment planning, drug discovery, and clinical decision support, similar questions will arise about how to make powerful capabilities available for beneficial use while preventing misuse. The frameworks Anthropic and other labs develop for cybersecurity tool distribution may inform how medical AI capabilities get deployed.
The Project Glasswing announcement also highlights that AI capabilities can create both risks and defenses simultaneously. The same model that can find vulnerabilities for attackers can find them for defenders. The same reasoning capabilities that enable sophisticated exploit development can be applied to automated patch generation and security hardening. The key is ensuring defenders get access first and that safety mechanisms prevent misuse.
Looking Ahead: The Next Phase
Anthropic plans to share learnings from Project Glasswing publicly, produce practical recommendations for evolving security practices, and potentially establish an independent body to coordinate ongoing work. Healthcare security teams should monitor these outputs closely and participate in industry discussions about implementation.
The company has stated that while Mythos Preview won't be generally available, their goal is to eventually enable users to safely deploy Mythos-class models at scale. This implies that future Claude models—possibly the upcoming Opus release mentioned in the announcement—will have cybersecurity capabilities approaching Mythos level but with safeguards that make broader deployment safe.
Healthcare organizations should be preparing now for that future state. When AI-augmented security testing becomes widely available, organizations that have already updated their processes, trained their teams, and integrated AI tools into their workflows will realize benefits immediately. Those still operating with pre-AI security practices will face a painful transition while adversaries already using AI tools press their advantage.
The cybersecurity landscape has fundamentally changed. AI models can now find vulnerabilities that humans and automated tools missed for decades. The software healthcare organizations depend on contains exploitable flaws that AI will discover whether those AIs are used for attack or defense. The organizations that survive and thrive in this new environment will be those that recognize the urgency, act quickly to adopt defensive AI capabilities, and update their security practices for an era where both attackers and defenders wield AI as their primary tool.
Project Glasswing is Anthropic's opening move in what will be a multi-year campaign to secure critical software infrastructure before AI-augmented attackers can exploit it at scale. Healthcare organizations should treat this announcement as a call to action. The work begins now.
This is an AI Industry Watch post. For security-focused coverage, see the AI Security Series.