Cybersecurity experts feared AI-powered hacking for years. Anthropic’s Project Glasswing just flipped that fear into a defense strategy and the results are already hard to ignore.
I’ll be honest with you. When I first heard AI-powered cybersecurity initiative. my instinct was to skim past it. We’ve seen plenty of announcements dressed up as breakthroughs. But then I read one specific detail about Glasswing and I couldn’t move on.
Claude Mythos Preview is the specialized model Anthropic built for this project. It found a vulnerability that had been hiding inside OpenBSD for 27 years. OpenBSD is not a niche tool. It powers critical servers globally. Security professionals, penetration testers and some of the sharpest engineering teams in the world had reviewed that code repeatedly. Nobody caught it.
That’s not a headline. That’s a wake-up call.
What Project Glasswing Actually Is
Launched in April 2026, Project Glasswing is Anthropic’s initiative to use AI to proactively find and fix vulnerabilities in the world’s most widely used software and open-source infrastructure.
It is not a product you can buy. It is closer to a mission with a coalition behind it. Apple, Google, Microsoft, Amazon and NVIDIA are all involved. These are direct competitors who rarely share the same stage for anything other than earnings calls. The fact that they are cooperating on this tells you something important about how serious the underlying problem is.
Anthropic is also backing it financially. They committed $100 million in model usage credits and $4 million in direct funding to open-source security organizations. That is not a marketing budget. That is a signal of long-term commitment.
The Bug That Should Make Everyone Pay Attention
Let me put the 27-year-old OpenBSD vulnerability into context.
OpenBSD has a reputation as one of the most security-focused operating systems ever built. Its developers are meticulous. Its codebase gets reviewed obsessively. Yet a flaw introduced nearly three decades ago sat there undetected through countless audits.
Claude Mythos also flagged a 16-year-old vulnerability in FFmpeg. FFmpeg is a library embedded in nearly every platform that handles video, from social media apps to video editing software to streaming services.
Two flaws. Decades old. Missed by humans. Found by an AI model in a comparatively short window of time.
This does not mean human security researchers have been doing poor work. It means the sheer volume and complexity of modern software has outgrown what human teams can manually audit at scale. AI does not replace security expertise. It extends the reach of that expertise into places humans simply do not have the bandwidth to look.
The Tension Worth Talking About
Here is what a lot of coverage is dancing around. If Claude Mythos Preview is this good at finding vulnerabilities. It could theoretically be used to exploit them too.
Anthropic’s response is restricted access. Only around 50 vetted organizations are currently working with the model. That is a reasonable starting position. But anyone who has watched how AI capabilities have evolved over the last few years knows that restricted access is often a temporary state.
The dual-use problem is the defining tension of AI in security. The same capability that defends can also attack. Glasswing is the most credible attempt yet to build a defense-first framework before that tension becomes a crisis. Whether the governance holds up over time is a question worth watching closely.
Why This Is Personal, Not Just Corporate
You might be wondering what a coalition of tech giants and an Anthropic AI model has to do with your actual life.
The answer is everything running on your device right now.
The software libraries Glasswing is scanning are not abstract backend systems. They are embedded in your browser, your operating system, your apps and the services your bank uses. The flaws Claude found had been present and undetected for years in infrastructure that hundreds of millions of people depend on daily.
Glasswing is not solving a corporate problem. It is patching the foundation of the internet most of us take for granted.
What This Tells Us About AI’s Real Role in Security
The narrative around AI and cybersecurity has always leaned toward risk. AI will automate attacks. AI will write malware. AI will make hackers more dangerous.
That risk is real. But Glasswing makes the counter-argument with evidence, not theory. When deployed with clear intent and proper oversight. AI can do something human teams genuinely cannot. It can audit decades of complex code at scale without fatigue and without gaps.
The question going forward is not whether AI belongs in cybersecurity. It is already there. The question is who controls it, how it is governed and whether initiatives like Glasswing set the right precedent before the less careful versions arrive.
If a 27-year-old bug just got found in 2026, you have to ask: what else are we still sitting on?
