Anthropic Built a Superhacker It Cannot Release
Claude Mythos found thousands of unpatched zero-days across every major operating system. Anthropic's decision to ration access to roughly 52 partners through Project Glasswing is the first time a frontier lab has made a weapons-proliferation-style gatekeeping call with no regulatory body holding binding authority over the outcome.
A private company has just made a weapons-proliferation decision in public, alone. On April 7, Anthropic disclosed that Claude Mythos Preview, an internal frontier model with autonomous code-auditing capability, had found thousands of previously unknown vulnerabilities in every major operating system and every major web browser, and that more than 99 percent of those flaws were unpatched at the moment of the announcement. Rather than ship the model, withhold it entirely, or hand it to a government, Anthropic chose a fourth option: Project Glasswing, a curated consortium that gives Mythos to twelve named launch partners and roughly forty additional organizations, with Anthropic underwriting up to $100 million in usage credits. That is the news. The argument is that the gatekeeping decision was made unilaterally, by one $350-billion lab, with no statutory framework, no export-control review, and no regulatory body with binding authority in the room. Anthropic discloses on the Glasswing page that it has been “in ongoing discussions with US government officials” about Mythos’s offensive and defensive cyber capabilities; consultation is not the same as statutory review, and the distinction is the whole story.
The capability is not theoretical. According to Anthropic’s own technical write-up, Mythos found and exploited a 17-year-old remote-code-execution flaw in FreeBSD’s NFS implementation that grants unauthenticated root, a 27-year-old TCP SACK bug in OpenBSD that human auditors had missed for three decades, and a 16-year-old H.264 vulnerability in FFmpeg, plus additional bugs in H.265 and AV1 codecs. The Hacker News reported that the model worked autonomously after the initial human prompt, with no human in the discovery or exploitation loop. Anthropic’s own write-up reports that the company has seen “Mythos Preview write exploits in hours that expert penetration testers said would have taken them weeks to develop,” and that engineers at Anthropic with no formal security training have asked the model to find remote code execution flaws overnight and woken up to a complete, working exploit. The Anthropic claim is a speed and accessibility claim, not a capability-supremacy claim; the speed and accessibility are the parts that matter for proliferation.
By the numbers
- Thousands of zero-day vulnerabilities identified by Mythos across every major OS and browser, with over 99% unpatched at announcement. Source: Anthropic
- 12 launch partners in Project Glasswing (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, Nvidia, Palo Alto Networks, plus Anthropic), with over 40 additional organizations receiving access. Source: Anthropic
- Up to $100 million in Mythos Preview usage credits committed by Anthropic, plus $2.5 million to Alpha-Omega and OpenSSF and $1.5 million to the Apache Software Foundation. Source: Anthropic
- 17, 27, and 16 years: ages of the named FreeBSD, OpenBSD, and FFmpeg flaws Mythos surfaced that human auditors had missed. Source: Anthropic
- Roughly 140 participants at Asilomar 1975, which produced the NIH Recombinant DNA Advisory Committee the same day it ended the voluntary moratorium. Source: NIH NCBI Bookshelf
What Glasswing actually is
Anthropic frames Glasswing as defensive triage. The chosen partners scan their own infrastructure and key open-source dependencies; bugs get reported through coordinated disclosure; the model never reaches the open API. The accompanying Anthropic post states the eventual goal is to “enable our users to safely deploy Mythos-class models at scale” once safeguards mature, but that “we do not plan to make Claude Mythos Preview generally available.”
That sentence is doing a lot of work. It is the corporate equivalent of a controlled-goods classification, written by the goods’ manufacturer. The line between “general availability” and “Glasswing” is being drawn at Anthropic’s discretion, using Anthropic’s threat model, with eligibility decided by Anthropic and a small partner committee. There is no Bureau of Industry and Security review of the kind that would govern, for instance, a 1024-qubit quantum computer or a sub-7nm lithography tool exported to the wrong jurisdiction. There is no Commerce Department determination, no Wassenaar listing, and no congressional notification.
The strongest counter-argument to treating Glasswing as a governance event comes from Bruce Schneier, writing on the announcement. Schneier calls the rollout “very much a PR play by Anthropic, and it worked,” and reports that the security firm Aisle replicated the vulnerabilities Anthropic surfaced “using older, cheaper, public models.” If commodity models can find the same bugs, the gatekeeping decision matters less than Anthropic’s framing implies; the threat is already partially in the wild, and Glasswing is rationing access to a frontier-grade tool whose floor effects already exist below it. That deserves a direct response. What Mythos adds, even granting the Aisle replication, is industrial speed at scale (hours instead of weeks, untrained operators instead of penetration testers, and thousands of bugs instead of a handful), and that is the proliferation surface the Glasswing partner list is allocating. The PR critique survives; the governance critique is not displaced by it. Schneier himself accepts the underlying inevitability: “It will happen, I have no doubt about it, and sooner than we are ready for.” The question is who decides the terms.
| Governance dimension | Asilomar 1975 | Glasswing 2026 |
|---|---|---|
| Convening participants | ~140 scientists, lawyers, physicians | 12 named launch partners + ~40 additional organizations |
| Federal advisory body created | NIH Recombinant DNA Advisory Committee (Feb 27, 1975) | None; 'ongoing discussions with US government officials' |
| Binding federal guidelines within 12 months | NIH Guidelines for Research Involving Recombinant DNA, 1976 | None in existence or announced |
| Eligibility for access decided by | Conference consensus, then NIH RAC | Anthropic and a small partner committee |
Asilomar inverted
The historical parallel Anthropic’s defenders reach for is Asilomar 1975. It does not work the way they want it to. According to the NIH National Library of Medicine’s history of the conference, the recombinant DNA moratorium was always coupled to public process. Paul Berg’s 1974 letter explicitly invited federal involvement; the Asilomar program included lawyers warning that OSHA, the FDA, or Congress would write the rules if the scientists did not produce a defensible draft; and the conference summary statement was handed directly to the NIH, which created the Recombinant DNA Advisory Committee on February 27, 1975, and converted the recommendations into the binding NIH Guidelines a year later. Voluntary, yes. Negotiated outside the federal government, no.
Glasswing has none of that. Anthropic’s “ongoing discussions with US government officials,” as disclosed on the Glasswing page, are briefings, not a federal advisory committee being constituted around frontier model capability gating. The White House AI executive order architecture is busy preempting state laws, not building a Mythos-class review process. NIST’s AI Risk Management Framework is voluntary and silent on capability proliferation. The Bureau of Industry and Security has not classified offensive cyber capability in foundation models as a controlled item. So when Anthropic decides which bank, which cloud, and which security vendor gets the superhacker, that decision is final. The accountability ladder ends at Dario and Daniela Amodei.
The second-order question
Even if every Glasswing partner behaves perfectly, the precedent is the proliferation event. If Mythos’s containment is the new template, the next lab to develop equivalent capability inherits a permission structure: pick partners, fund them, publish a defensive framing, and the regulatory baseline is whatever the lab’s blog post says it is. OpenAI’s safety team, xAI’s release committee, and DeepMind’s responsibility council each get to assemble their own Glasswing if they choose, with their own eligibility lists. The Cloud Security Alliance’s containment analysis flags the obvious failure modes: insider exfiltration from a partner, model distillation through the API surface Glasswing partners do retain, and capability leakage as Mythos-grade auditing diffuses through synthetic-data pipelines. Each one is a single-point-of-failure event that no statutory regime exists to investigate.
The honest reading of April 7 is that Anthropic acted carefully and acted alone. Both clauses are load-bearing. A frontier lab has now demonstrated that it can identify a weapons-grade capability, write its own export-control regime, choose the licensees, and price the access, all in a single afternoon. That is governance, just not the kind a democracy is supposed to delegate by default. The question is not whether Glasswing’s partner list looks reasonable today. The question is who has standing to revise it tomorrow, and the answer is no one outside the company.