Kimmo Hakonen
Chief Innovation Officer
JUN 22, 2026
The average eCrime breakout time in 2025 dropped to 29 minutes. The fastest AI-assisted intrusion observed that year took 27 seconds (CrowdStrike 2026 Global Threat Report). Meanwhile, the average time for an enterprise to identify and contain a breach sits at 241 days (IBM Cost of Data Breach Report, Aug 2025). Security teams are outpaced structurally. The attack surface has grown beyond what manual processes can absorb: 48,185 new CVEs published in 2025 alone, a 20.6% year-over-year jump.
Project Glasswing is Anthropic’s answer to that gap. Launched April 7, 2026, it deploys Claude Mythos 5 to scan production software from the world’s most critical technology companies and find exploitable vulnerabilities before adversaries do. In its first month, the program found over 10,000 high and critical issues.
Key Takeaways
- Project Glasswing found 10,000+ high/critical vulnerabilities in partner software in its first month; Cloudflare’s bug-finding rate increased 10x (Anthropic, June 2026).
- Average eCrime breakout time dropped to 29 minutes in 2025 — the fastest observed was 27 seconds (CrowdStrike 2026 Global Threat Report).
- Claude Mythos Preview scored 83.1% on the CyberGym benchmark versus 66.6% for Opus 4.6; it’s also the first model to complete expert-level CTF tasks at a 73% rate (UK AISI, April 2026). Mythos 5 is an upgrade from Preview.
- Finding a specific complex vulnerability with Mythos 5 costs under $50. A full exploit chain costs under $2,000, a cost structure that permanently shifts the attacker-defender calculus.
- As of June 2026, Glasswing has expanded to 150+ organizations across 15 countries, including AWS, Cisco, Microsoft, NVIDIA, and NATO (Anthropic, June 2026).
Project Glasswing launched on April 7, 2026 with a stated goal: apply AI to find critical security vulnerabilities in the software that powers the world’s most important systems before adversaries can exploit them. The program takes its name from the glasswing butterfly, whose transparent wings reference the transparency-first approach Anthropic is taking to AI-assisted security work.
The scale grew quickly. Starting with roughly 50 founding partners, Glasswing expanded to 150+ organizations across 15 countries by early June 2026. Named participants include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, Okta, Samsung, NATO, and the EU’s cybersecurity agency ENISA. Anthropic committed $100M in model credits to the program and a further $4M in direct donations to open-source security infrastructure.
The timing reflects a structural change in the threat landscape. Vulnerability exploitation surpassed phishing to become the second-leading initial access vector in 2025, reaching 20% of breach entry points versus phishing’s 15% (Verizon DBIR 2025). The 48,185 CVEs published in 2025 represented a 20.6% year-over-year jump. June 2026 set a record with 206 CVEs in a single Patch Tuesday, a figure researchers at Dark Reading directly attributed to the acceleration of AI-assisted discovery programs like Glasswing (Dark Reading, June 2026).
The NVIDIA partnership illustrates what Glasswing is targeting. NVIDIA’s AI infrastructure (driver software, container runtimes, and networking libraries) sits beneath hundreds of thousands of enterprise AI deployments. A vulnerability in that layer has enormous downstream reach. For teams working in that ecosystem, NVIDIA’s AI infrastructure guide covers what that stack actually looks like.
Claude Mythos Preview scored 83.1% on the CyberGym cybersecurity benchmark when it launched in April 2026, compared to 66.6% for Claude Opus 4.6 (Anthropic, April 2026). Mythos 5, released June 9, is a further upgrade; Anthropic hasn’t published updated CyberGym scores for it specifically. The April data reflects a meaningful capability jump in structured security reasoning compared to Opus 4.6.
In a Glasswing session, the model runs through three phases: autonomous codebase scanning, exploit generation to validate severity, and patch draft production. It connects to no external networks. All partner data has a 30-day maximum retention window, and every human access to session outputs is logged. The methodology is aggressive on discovery and conservative on action; findings get validated before any external disclosure.
The Phase 1 results show what this looks like at scale.

The funnel reveals the real constraint. Mythos 5 can identify 23,000 potential issues in a month. The human system that validates, triages, and patches them handled 75. Discovery has been solved. Remediation velocity is the new bottleneck, and no current security stack addresses it at the pace AI-assisted discovery now demands.
The UK AI Safety Institute evaluated Mythos Preview (April 2026, the direct precursor to Mythos 5) on expert Capture the Flag tasks, which require the same multi-step reasoning as real intrusion sequences. The model completed 73% of tasks, making it the first AI model to solve expert-level CTFs at all. On a simulated 32-step corporate network attack, it averaged 22 of 32 steps, with a human security team requiring roughly 20 hours for the equivalent scenario (UK AISI, April 2026).
Mythos 5, released June 9, 2026, is an upgrade from Preview. AISI hasn’t published separate Mythos 5 numbers yet; the 73% CTF and 32-step figures are Preview benchmarks. The trajectory is upward.
The cost figures are where the analysis becomes concrete. In one documented case, finding a specific kernel vulnerability with Mythos 5 cost under $50; building a complete exploit chain from an existing bug report cost under $2,000 (Anthropic Research). Those economics work both ways: they apply to defenders as much as adversaries.
Claude Mythos Preview is the first AI model to complete expert-level CTF tasks; every prior model tested by UK AISI failed them entirely (UK AISI, April 2026). The 83.1% CyberGym score versus Opus 4.6’s 66.6% reflects the same capability gap.

Cloudflare’s Phase 1 result illustrates what that capability gap means in practice. Their bug-finding rate increased 10x compared to prior automated approaches. Mozilla Firefox separately found 271 vulnerabilities in a Mythos Preview scan, at roughly 10x over its prior testing baseline. The model reaches vulnerability classes that prior methods missed structurally.
Average eCrime breakout time in 2025 ran 29 minutes, down 65% from 2024. The fastest observed intrusion that year took 27 seconds. Against that baseline, the mean time to identify and contain a breach was 241 days (IBM Cost of Data Breach, 2025). An attacker operates in minutes; defenders operate in quarters.
The June 2026 Patch Tuesday (206 CVEs in a single month) is the first observable symptom of a structural change security teams haven’t fully named yet. AI-assisted discovery is now producing more vulnerability data than human remediation pipelines can absorb. Glasswing Phase 1 confirmed 1,587 true positives and had 75 patched in month one, a 95.3% backlog rate. The bottleneck moved. Finding vulnerabilities is no longer the hard part; acting on them fast enough is.
Alert fatigue was already a crisis before AI-assisted discovery entered the picture. According to the Cybersecurity Insiders AI SOC Report 2025, 76% of organizations cite alert fatigue as their top operational challenge. Average enterprise security teams receive 2,992 alerts per day, and 63% go unaddressed. Stack AI-generated vuln discovery on top of that existing load and the backlog compounds.
The workforce gap makes it worse. The global cybersecurity talent shortage stands at approximately 4.8 million unfilled roles (ISC2 estimates, 2025). Hiring velocity isn’t the solution. Applying Mythos 5 on the defender’s side changes the prioritization math: if teams use it to surface the highest-risk findings before human review begins, the 95% unpatched rate starts moving.
As of June 2026, Project Glasswing has 150+ partner organizations across 15 countries. The program remains invitation-based and targets what Anthropic calls systemically important software: codebases whose compromise would have broad downstream effects. In practice, that means open-source projects with millions of dependents, critical infrastructure operators, and major platform providers.
Sectors covered include power generation and distribution, water utilities, healthcare systems, telecommunications, hardware and firmware, identity and access management, and financial market infrastructure. Most growth-stage SaaS companies won’t qualify directly; the bar is globally significant at the infrastructure level.
Mythos 5 itself is fully available. The standard API costs $10 per million input tokens and $50 per million output tokens. Code analysis, exploit hypothesis generation, and patch drafting are all available to any enterprise team through the standard API. Glasswing provides partner access governance, coordinated disclosure channels, and Anthropic oversight. It doesn’t gate the underlying model capability.
Working through this methodology with enterprise security leads, the most common mistake is scope. Teams try to ingest an entire codebase and generate a comprehensive vulnerability list. That produces noise. The approach that delivers actionable findings is narrower: pick a specific surface, scope tightly, and run structured prompts with document context grounded in actual files.
The workflow that produces reliable results follows three phases.
Phase 1: Surface scoping. Identify your highest-risk code segments before any AI interaction. Authentication logic, payment processing, API input handling, and session management are where the majority of exploitable vulnerabilities concentrate. Document the specific files and modules you’re targeting before you start.
Phase 2: Grounded analysis via Files API. Upload the targeted code segments via the Files API to create persistent file IDs. This is the same document-grounding technique covered in the Files API methodology guide. With context loaded, run structured analysis prompts:
“Review this codebase segment [via Files API file IDs]. Identify: (1) authentication vulnerabilities; (2) injection attack surfaces; (3) any hardcoded credentials or secrets. For each finding, cite the specific file and line number and assess exploitability. Do not generate working exploit code.”
Phase 3: Human validation before action. Treat Mythos 5 findings as analyst-grade first-pass output, not final determination. Your security team validates high-priority findings before any disclosure or patch activity. This is the checkpoint Glasswing formalizes through human access logging; build the same step into your internal workflow explicitly.
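The three phases above as an added offline sketch (not code from this article, Anthropic, or Glasswing): it builds a hashed scope manifest, rejects findings whose cited file or line does not resolve inside that scope, and holds the rest until a named reviewer signs off. The finding fields, path keywords, and sample data are assumptions constructed for illustration; the model call itself is left out.

```python
import hashlib

# Phase 1 surfaces named in the article; the path keywords are assumptions.
SURFACES = {"authentication": ("auth", "login"), "payment": ("payment", "billing"),
            "api_input": ("api", "handler"), "session": ("session",)}

# Constructed sample input: file contents and model findings (assumed JSON shape).
SAMPLE_FILES = {
    "app/auth/login.py": "def login(user, pw):\n    return check(user, pw)\n",
    "app/session/store.py": "SESSIONS = {}\n",
    "docs/README.md": "# readme\n",
}
SAMPLE_FINDINGS = [
    {"id": "F-1", "file": "app/auth/login.py", "line": 2},
    {"id": "F-2", "file": "app/auth/login.py", "line": 40},  # line past end of file
    {"id": "F-3", "file": "app/db/models.py", "line": 1},    # file never scoped
]

def build_scope(files):
    """Phase 1: record which files are in scope, pinned by hash and length."""
    manifest = {}
    for path, text in files.items():
        hits = [s for s, kws in SURFACES.items() if any(k in path.lower() for k in kws)]
        if hits:
            manifest[path] = {"surfaces": hits, "lines": len(text.splitlines()),
                              "sha256": hashlib.sha256(text.encode()).hexdigest()}
    return manifest

def triage(findings, manifest):
    """Phase 2 output check: keep only findings whose citation resolves in scope."""
    grounded, rejected = [], []
    for f in findings:
        entry, line = manifest.get(f.get("file")), f.get("line")
        if entry and isinstance(line, int) and 1 <= line <= entry["lines"]:
            grounded.append({**f, "sha256": entry["sha256"], "status": "pending_review"})
        else:
            rejected.append(f)
    return grounded, rejected

def approve(finding, reviewer, audit_log):
    """Phase 3: a named human validates the finding; the decision is logged."""
    audit_log.append({"id": finding["id"], "reviewer": reviewer, "action": "validated"})
    return {**finding, "status": "validated", "reviewer": reviewer}

def actionable(findings):
    """Only human-validated findings may move on to patching or disclosure."""
    return [f for f in findings if f["status"] == "validated"]
```

Pinning each finding to the SHA-256 of the file it cites lets a reviewer confirm they are looking at the same revision the model analyzed.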
For teams setting up the Claude API for the first time, authentication for Mythos 5 is identical to other Claude API integrations. The difference is in prompting methodology. Framing requests around specific vulnerability categories rather than asking for general security issues sharpens the signal-to-noise ratio.
What Mythos 5 won’t do for your internal use: replace a penetration test for SOC 2 Type II or ISO 27001 compliance. Those frameworks require a qualified human tester, a defined scope-of-work agreement, and a signed report. Mythos 5 analysis doesn’t satisfy those requirements. The right frame is the same one that applies to Claude Fable 5 in high-stakes scientific workflows: the model sharpens the question, the expert validates the answer.
Glasswing is also a reference implementation for responsible dual-use AI deployment at scale. The governance structure Anthropic embedded in the program (30-day data retention caps, no unauthorized network access, human review logging, coordinated disclosure timelines) is the kind of framework enterprise risk and compliance teams should be borrowing now rather than waiting for regulators to mandate.
The dual-use concern with Mythos 5 is real and acknowledged openly in Anthropic’s documentation. The same model that finds vulnerabilities efficiently could theoretically be directed toward exploitation. Glasswing addresses this through access governance: partners work under defined scope limits with logged session activity. Enterprise teams running Mythos 5 internally should build equivalent guardrails: defined scope documentation, human validation checkpoints, no autonomous patching or external disclosure without team review.
Regulatory frameworks are converging on the same requirements. The EU AI Act’s high-risk classification system will cover AI used in critical infrastructure security. NIST AI RMF 1.0 already provides a governance structure for AI risk management. The SEC’s cybersecurity disclosure rules require enterprises to report on material cyber risks and their management approach. Glasswing’s framework isn’t just good practice; it’s a preview of the documentation that regulators are building toward requiring.
Global information security spending is projected at $244.2 billion in 2026, a 13.3% year-over-year increase (Gartner, July 2025). The AI security market sits at $49 billion in 2025 on a trajectory toward $160 billion by 2029. The investment reflects the directional shift. The governance frameworks to manage it are still catching up.
For growth-stage companies building AI into operational workflows, the right move is documentation before the regulatory requirement lands. Define which AI tools your security team uses, for what scope, under what human oversight conditions. Teams already applying AI workflow automation for enterprise operations should extend those governance patterns into security workflows explicitly. The companies best positioned for the coming regulatory environment are treating AI governance as an operational discipline now, not a compliance checkbox later.
Project Glasswing is an Anthropic initiative launched April 7, 2026, to deploy Claude Mythos 5 for AI-assisted vulnerability discovery across systemically important software. By June 2026, it had expanded to 150+ organizations across 15 countries, including AWS, Cisco, Microsoft, NVIDIA, and NATO. The program found 10,000+ high/critical vulnerabilities in partner software within its first month.
Yes. Claude Mythos 5 is available via the standard Anthropic API at $10 per million input tokens and $50 per million output tokens. Enterprise teams can apply the same document-grounded vulnerability analysis methodology that Glasswing uses without joining the program. Glasswing provides access governance structure and partner coordination; it does not gate the underlying model capability.
In Glasswing Phase 1, Mythos 5 achieved a 90.6% true positive rate on manually validated findings: 1,587 confirmed vulnerabilities out of the 6,202 high/critical issues it flagged. On the CyberGym benchmark, Mythos 5 scored 83.1%, compared to 66.6% for Claude Opus 4.6. It is also the first AI model to complete expert-level Capture the Flag tasks, achieving a 73% completion rate.
Project Glasswing targets code-level vulnerabilities in open-source and critical infrastructure software, including authentication flaws, injection attack surfaces, hardcoded credentials, and logic errors in high-stakes codebases. Focus sectors include power, water, healthcare, communications, hardware, identity management, and financial infrastructure. Glasswing does not conduct live network exploitation.
No. Mythos 5 performs automated code-level vulnerability analysis, which is a first-pass analytical layer. It does not conduct live exploitation in your environment, does not satisfy SOC 2 or ISO 27001 penetration testing requirements, and does not provide the governance audit trail that compliance frameworks require. Use it to prioritize your security team’s attention, then validate findings with a qualified penetration tester.
Deploying Mythos 5 for security analysis or building the AI governance documentation that regulators are moving toward requires more than a model; it requires a structured implementation plan. Espressio helps growth-stage technical teams build AI workflows that deliver measurable outcomes without creating new compliance exposure.