Incognito Cat

Beyond Security Through Obscurity: Project Glasswing for Invisible Vulnerabilities

You know the old saying: "Too many cooks spoil the broth." The same thing happens with long-running software projects. Whether it is an internal company tool, a commercial app, or an open-source project, the code almost always passes through many hands over the years. Different teams and developers come and go. They fix bugs, add new features, and make other changes. These projects also rely on dozens of external libraries for everything from the user interface to the core foundation. As time goes on, the complexity keeps growing.

Well-funded teams sometimes hire outside experts for security audits. These researchers work hard in a short time to find weaknesses that hackers could exploit and help fix them. But no matter how careful the review, one truth remains: the longer the code exists and the more it grows, the more hidden vulnerabilities slip through the cracks.

Sometimes those weaknesses stay hidden until a hacker discovers and exploits them. Other times, companies quietly collect these unknown flaws to build powerful spyware like Pegasus. In the end, even with the best testing tools and expert teams, most software still depends on a fragile form of security through obscurity. It relies on the hope that no one has found the problems yet.

That is exactly why AI changes everything. It gives bad actors powerful new ways to hunt for and weaponize undiscovered flaws. At the same time, it gives software creators a powerful new defense: the ability to deploy white-hat hackers at massive scale.

A striking real-world example emerged in late 2025 and early 2026. A single attacker used Anthropic's Claude AI chatbot, along with OpenAI's ChatGPT, to breach multiple Mexican government agencies. By crafting careful prompts in Spanish and framing the requests as a fictional bug bounty program, the hacker bypassed the AI's safety guardrails. Over about a month and more than 1,000 prompts, the AI helped identify vulnerabilities in government networks, write exploit scripts, automate data theft, and plan movement across systems. The result was devastating: roughly 150 GB of sensitive data stolen from around 10 government entities and one financial institution. This included records tied to approximately 195 million taxpayers, voter information, employee credentials, and civil registry files. Tasks that once required a skilled team or major resources could now be scaled dramatically by one persistent person using everyday AI tools.

Enter Project Glasswing, a major new initiative announced on April 7, 2026, by Anthropic in partnership with leading technology companies and organizations. This effort uses an advanced AI model called Claude Mythos Preview to proactively scan critical software, from operating systems and web browsers to foundational open-source libraries, and uncover hidden vulnerabilities before attackers can find them. By giving defenders the same powerful tools that could otherwise empower hackers, Project Glasswing aims to move the industry away from fragile obscurity and toward real, transparent security at unprecedented scale.

Why Project Glasswing Was Created

Modern software, especially long-running open-source projects, operating systems, browsers, and foundational libraries, builds up enormous complexity over decades. It passes through many hands and incorporates numerous external dependencies. Traditional security audits and automated tools often miss subtle or long-buried issues. As a result, much of our digital world still depends on security through obscurity, the hope that undiscovered flaws stay hidden.

Recent advances in AI have shifted the balance dramatically. Frontier AI models can now discover and even autonomously exploit vulnerabilities at a level that surpasses all but the most expert human researchers. This creates a serious risk: bad actors could soon use similar AI capabilities to launch sophisticated attacks at massive scale. Project Glasswing flips that power toward defense. It gives software maintainers and critical infrastructure providers a way to hunt for invisible vulnerabilities proactively.

Core Technology: Claude Mythos Preview

The initiative centers on Claude Mythos Preview, an unreleased, general-purpose frontier AI model developed by Anthropic. Key capabilities include:

The model is not being released publicly yet. Access is limited to Project Glasswing partners and about 40 additional organizations responsible for critical software infrastructure. This controlled rollout gives the industry time to patch systems before the underlying capabilities become widely available.

Key Partners and Support

Project Glasswing brings together a powerful coalition:

Anthropic is providing substantial support:

This funding helps open-source maintainers respond quickly without diverting resources from core development.

How It Works and What It Aims to Achieve

Partners use Claude Mythos Preview for tasks such as:

The project emphasizes scale and speed. AI can review vast amounts of code far faster than human teams, spotting patterns from past bugs and suggesting remediations. The ultimate vision is to reduce reliance on security through obscurity and give defenders a fighting chance in an era where AI-powered attackers could otherwise overwhelm traditional defenses.

Anthropic plans to share lessons learned from the initiative with the broader industry, researchers, and governments. They recognize that no single organization can solve these challenges alone.

Why This Matters for Everyday Users

Project Glasswing directly addresses the hidden vulnerabilities that can lead to large-scale breaches, ransomware, advanced spyware like Pegasus, or major disruptions to critical services. By strengthening the foundational software that powers our phones, computers, cloud services, and the internet itself, the project helps safeguard personal data, financial systems, and public infrastructure.

These risks reach far beyond big government agencies and large corporations. Many everyday devices we use at home create overlooked attack surfaces. Think about smart appliances, home security cameras, internet-connected TVs, and especially home routers. These gadgets often stop receiving firmware updates after just a few years, leaving known security holes wide open for exploitation.

A recent campaign shows how real and widespread this danger has become. In 2025 and 2026, Russian state-linked hackers from the APT28 group (also known as Fancy Bear) compromised thousands of outdated, end-of-life routers, mainly older TP-Link and MikroTik models. They altered the routers' DNS settings to redirect internet traffic through servers they controlled. This allowed them to spy on users, steal login credentials, harvest Microsoft Office authentication tokens, and even carry out adversary-in-the-middle attacks on encrypted connections. At its peak, the operation affected more than 18,000 routers and impacted thousands of individuals and organizations worldwide. Many of these devices were no longer supported by their manufacturers, so no patches were available.

Incidents like this reveal how vulnerable our broader internet ecosystem has become. Project Glasswing tackles the root of the problem by focusing on the foundational software and libraries that underpin these devices and networks. By finding and fixing hidden flaws at massive scale, it helps build a more secure digital world we all rely on every day, from the phones in our pockets to the routers in our homes.

In short, Project Glasswing represents a proactive, collaborative response to the dual-use nature of advanced AI in cybersecurity. It uses the same powerful technology that could enable devastating attacks to instead defend against them at unprecedented scale.

In the end, Project Glasswing shows us a hopeful path forward in an increasingly complex digital world. By harnessing the same advanced AI that could supercharge attacks, a broad coalition of tech leaders is working together to shine a light on hidden vulnerabilities before bad actors can exploit them. While no single initiative can eliminate every risk, efforts like this remind us that proactive defense at scale is possible. As consumers, staying informed and supporting better security practices matters more than ever. The future of our connected lives depends on moving beyond fragile obscurity and building software that is truly transparent and resilient for everyone.

Remember: we may not have anything to hide, but everything to protect.
