Anthropic's Mythos AI Finds Decades-Old Open-Source Bugs

Image caption: AI-powered vulnerability scanning tools are uncovering long-hidden flaws across critical open-source software ecosystems. (AI-generated image)

Early findings from Project Glasswing suggest AI could significantly change how tech companies and cybersecurity teams respond to vulnerabilities in open-source software. The initiative aims to counter AI-powered cyber threats by giving open-source maintainers access to advanced defensive tools.

AI research and safety company Anthropic introduced the Claude Mythos Preview in April, a new large language model (LLM) that can autonomously find zero-day vulnerabilities and create exploits for them.

Anthropic's release sparked a broad industry initiative — Project Glasswing — that brought together a dozen major companies to use the frontier AI platform to find more effective defenses against increasingly sophisticated cybersecurity threats.

Project Glasswing's partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, Nvidia, Palo Alto Networks, and The Linux Foundation. This initiative follows $12 million in grants to Alpha-Omega and OpenSSF for open-source security.

Rapid advances in AI are increasing the speed and scale at which vulnerabilities in open-source software are discovered. Maintainers face an unprecedented influx of security findings generated by automated systems but lack the resources or tooling to identify and remediate them effectively.

Natasha Woods, senior director for public relations and analyst relations at The Linux Foundation, told LinuxInsider earlier this month that the organization was still undergoing reviews and had no findings to report publicly yet.

Long-time Linux kernel maintainer Greg Kroah-Hartman, who is testing Mythos as part of the beta program, offered insight on the significance of Project Glasswing.

"We are still in the early stages. However, fixing bugs is time-consuming and tedious work for an open-source developer. Being able to find the bug and write the patch faster for the world's most important software is a huge positive development," he told LinuxInsider.

Anthropic Shares Early Mythos Findings

Instead of issuing press releases, Anthropic published initial findings on its Anthropic Research and Frontier Red Team blogs on May 22. The posts argued that AI has crossed a major threshold in cybersecurity and demonstrated that even widely trusted operating systems and software remain vulnerable to attack.

According to Anthropic, the Claude Mythos Preview represents a major advance in agentic AI reasoning. The company said AI models can now match or surpass highly skilled human experts at finding and exploiting software vulnerabilities.

This LLM can autonomously identify zero-day flaws and chain them into sophisticated, multi-step exploits without human steering. Initial testing reportedly uncovered thousands of previously unknown, high-severity vulnerabilities across major operating systems and web browsers.

For example, the AI found three critical bugs that had survived decades of human and automated scrutiny:

  • A 27-year-old vulnerability in the security-hardened OpenBSD operating system
  • A 16-year-old vulnerability in FFmpeg that traditional automated testing tools had missed, even though the affected code had been hit 5 million times
  • A complex exploit chain in the Linux kernel that allowed an attacker to escalate from ordinary user access to complete control of a machine

These discoveries reinforced Anthropic’s assessment that Mythos represents a significant leap in AI-assisted vulnerability discovery and exploit development.

Benchmark Results Highlight AI Gains

Results from two new benchmark evaluations suggest Mythos may represent a major leap in AI cybersecurity performance. In CyberGym, a benchmark for cybersecurity vulnerability reproduction, Mythos Preview scored 83.1%, compared with 66.6% for Claude Opus 4.6. On SWE-bench, a benchmark for software engineering coding tasks, Mythos Preview achieved 93.9% accuracy, compared to 80.8% for Opus 4.6.

Anthropic recognized that an AI model with these capabilities could pose serious national security, economic, and public safety risks if leaked or misused. Thus, the company stated it does not plan to make Claude Mythos Preview generally available.

Instead, Project Glasswing will act as a controlled testing ground. The goal is to use Mythos in a defensive sandbox to build advanced cybersecurity safeguards for a future public Claude Opus model.

Anthropic said it has committed $100 million in usage credits to this effort. The company also donated $4 million in direct grants ($2.5M to OpenSSF/Alpha-Omega via the Linux Foundation and $1.5M to the Apache Software Foundation) to help open-source maintainers patch their code at no cost.

Project Glasswing Responds to Open-Source Strain

In the foundation's April comments on worsening open-source security problems, Jim Zemlin, executive director of The Linux Foundation, noted that since late last year AI models have gained the ability to chain multiple vulnerabilities into critical risks. The result has been an influx of AI-generated security bug reports that is overwhelming human maintainers.

He noted that Kroah-Hartman's early testing suggested that AI is not just finding bugs but generating "pretty good" viable patches.

Zemlin added that software powers everything in the world, with attackers targeting both proprietary and open-source code. Open source is the dominant form of software consumed in enterprise today, making it one of the largest targets for cyberattacks.

Open-source software maintainers have never faced more stress from the growing volume of pull requests and security bug reports, many generated by AI. At the same time, maintainers are dealing with a rising number of cyberattacks and increasingly sophisticated campaigns targeting software supply chains.

"This is why Project Glasswing matters," Zemlin said.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
