The short version
Project Glasswing is a cybersecurity initiative launched by Anthropic on 7 April 2026. Using their most powerful AI model, Claude Mythos Preview, they identified thousands of previously unknown (zero-day) vulnerabilities across every major operating system, every major web browser, and dozens of other critical software packages.
Some of these flaws had existed undetected for over 27 years.
Anthropic has partnered with Apple, Microsoft, Google, AWS, CrowdStrike, Palo Alto Networks, and over 40 other organisations to fix these vulnerabilities before attackers can exploit them.
What Claude Mythos actually found
This isn't theoretical. Claude Mythos Preview, an unreleased AI model that Anthropic considers too powerful for public access, discovered real, exploitable flaws in the software your business uses every day:
- A 27-year-old vulnerability in OpenBSD that enables remote system crashes
- A 16-year-old flaw in FFmpeg (the video processing engine used in most media software) that survived over 5 million automated test runs without being caught
- Linux kernel vulnerabilities that the AI autonomously chained together to achieve full privilege escalation, meaning complete system takeover
- Vulnerabilities in every major browser: Chrome, Firefox, Safari, Edge
- Flaws in every major operating system: Windows, macOS, Linux
On the CyberGym vulnerability reproduction benchmark, Mythos Preview scored 83.1% compared to the previous best AI model's 66.6%. That's not a marginal improvement; it's a generational leap.
Why this matters for your business
Here's the uncomfortable truth: your business almost certainly runs software that contains vulnerabilities discovered by Project Glasswing.
If you use Windows, macOS, Chrome, Linux servers, or any application that processes media, and you haven't patched in the last week, you are running known-vulnerable software right now.
But Glasswing's real significance isn't just the specific bugs found. It's what the project proves about where cybersecurity is heading:
1. AI finds vulnerabilities faster than humans
Security researchers who've spent careers finding bugs are being outpaced by AI models that can review millions of lines of code in hours. The 16-year-old FFmpeg vulnerability survived 5 million automated test runs. Claude Mythos found it in a single pass.
2. Attackers will have these capabilities too
Anthropic acknowledged this directly: "Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely." In plain language: what Anthropic's AI can do defensively, a malicious AI will be able to do offensively. The window between vulnerability discovery and exploitation is shrinking from weeks to minutes.
3. Vulnerability chaining changes the game
Claude Mythos doesn't just find individual bugs. It chains multiple vulnerabilities together into attack sequences that achieve greater impact than any single flaw. Five minor vulnerabilities, chained correctly, become one critical breach path. This is the kind of creative attack logic that previously required elite human hackers.
4. Your existing security scans aren't enough
If AI is finding flaws that survived 27 years of human review and 5 million automated tests, your annual vulnerability scan is not providing the level of assurance you think it is. The bar for what constitutes adequate security testing has permanently risen.
What Anthropic is doing about it
Project Glasswing involves 12 founding partners and over 40 additional organisations:
- Launch partners: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks
- $100 million in usage credits for partners to use Mythos Preview for defensive security
- $4 million donated to open-source security through the Linux Foundation and Apache Software Foundation
- Restricted access: Mythos Preview is not publicly available; Anthropic considers it too capable to release broadly
What this means for Australian businesses
Australian businesses face a compounding risk. The Australian Cyber Security Centre (ACSC) already reports that cybercrime costs Australian businesses over $33 billion annually. With AI accelerating both the discovery and exploitation of vulnerabilities, that number will grow.
The businesses most at risk are those that:
- Haven't conducted a professional security assessment in the last 12 months
- Rely solely on automated vulnerability scanners
- Don't have an Essential Eight maturity baseline
- Run unpatched or end-of-life software
- Have no incident response plan
- Assume they're "too small to be targeted" (they're not)
What you should do right now
You don't need Anthropic's $100 million budget to protect your business. But you do need to act, because the threat landscape just accelerated permanently.
Step 1: Get a professional security assessment
Not an automated scan, but a real vulnerability assessment and penetration test (VAPT) that combines automated tools with manual testing by security professionals. This is the only way to find the kinds of chained vulnerabilities that AI attackers will exploit.
Step 2: Patch aggressively
The gap between vulnerability disclosure and exploitation is now measured in hours, not weeks. If you're not patching critical software within 48 hours of a security update, you're leaving the door open.
Step 3: Implement the Essential Eight
The Australian Signals Directorate's Essential Eight framework exists specifically to address the most common attack vectors. It's not optional; it's the minimum baseline for any business that takes security seriously.
Step 4: Review your code
If your business runs custom software (a web application, customer portal, or internal tool), a secure code review examines it from the inside. This catches vulnerabilities that no external scan can detect.
Step 5: Plan for when, not if
AI-accelerated attacks mean breaches will happen to more businesses, more often. Having an incident response plan is no longer a nice-to-have; it's a survival requirement.
Not sure where your business stands?
RabbiiCo Studio offers a free Cyber Health Check that identifies your most critical exposures in under 48 hours. No sales pitch, just a clear assessment of where you're vulnerable and what to fix first.