Anthropic Launches Project Glasswing to Use AI to Find and Fix Critical Software Vulnerabilities
Anthropic has launched Project Glasswing, an initiative using its Claude Mythos Preview LLM to autonomously discover and patch zero-day vulnerabilities in critical software, including a 27-year-old flaw in OpenBSD.

Anthropic has unveiled Project Glasswing, a new initiative that leverages its powerful Claude Mythos Preview large language model (LLM) to autonomously identify and remediate undiscovered cybersecurity vulnerabilities in critical software. The project, named after the glasswing butterfly, aims to scale vulnerability discovery and patching beyond human capacity.
Claude Mythos Preview, described by Anthropic as its "most capable yet for coding and agentic tasks," can deeply understand and modify complex software. The model was not specifically trained for cybersecurity; its capabilities emerge from strong agentic coding and reasoning skills. In testing, the model discovered thousands of zero-day vulnerabilities that had previously gone unnoticed.
Notable findings include a 27-year-old remote crash vulnerability in OpenBSD, a security-hardened UNIX-like OS used in firewalls and critical infrastructure. The flaw allowed an attacker to crash any machine running the OS simply by connecting to it. Additionally, the model found a 16-year-old vulnerability in FFmpeg, a widely used video encoding library, in a line of code that automated testing tools had hit five million times without detecting the flaw. The model also autonomously chained several Linux kernel vulnerabilities to escalate from ordinary user access to full system control.
Anthropic has reported all discovered vulnerabilities to the respective software maintainers, and the publicly identified flaws have already been patched. The company has committed up to $100 million in usage credits to over 40 organizations that build or maintain critical software infrastructure, enabling them to use the model for security scanning. An additional $4 million in donations will support open-source security organizations and patch development.
Launch partners for Project Glasswing include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. These organizations will have access to Claude Mythos Preview, which Anthropic does not plan to make publicly available, intending it for cybersecurity defenders with appropriate guardrails.
However, concerns have been raised about potential misuse. Jeff Williams, founder of OWASP and CTO of Contrast Security, stated, "It's highly questionable that Anthropic will be able to limit the malicious uses of this model." Threat actors have previously jailbroken AI models or developed malicious versions of them for cybercrime. Despite these concerns, industry leaders have welcomed the initiative. Heather Adkins, VP of security engineering at Google, emphasized the importance of cross-industry collaboration on emerging security issues, while Igor Tsyganskiy, EVP of cybersecurity at Microsoft, noted the unprecedented opportunity to use AI responsibly to improve security at scale.