Claude Mythos Found 300 Firefox Zero-Days in Hours — Enterprise Security Has a 6-Month Window
Tags: Cybersecurity, Anthropic, Claude, Enterprise Security, AI Risk

T. Krause

Anthropic's Claude Mythos autonomously identified tens of thousands of zero-day vulnerabilities across every major OS and browser — including a 27-year-old flaw in OpenBSD. Dario Amodei is calling it a 6-to-12-month window of danger. Here's what enterprise security teams need to understand.

A prior Claude model found roughly 20 vulnerabilities in Firefox during internal testing. Claude Mythos found nearly 300 — autonomously, in a fraction of the time. It also found and exploited a 17-year-old remote code execution flaw in FreeBSD, and a 27-year-old vulnerability in OpenBSD, one of the most security-hardened operating systems ever built. When a model starts breaking open code that has survived a quarter-century of human review, the category of "AI-assisted security tooling" no longer describes what's happening.

Anthropic CEO Dario Amodei didn't frame this as a product announcement. He framed it as a warning. There is, in his estimate, a 6-to-12-month window before adversaries — including Chinese state-backed AI programs — develop comparable offensive capability. That window is the argument for acting now, and it's the reason Anthropic is not releasing Mythos publicly. Instead, they've formed Project Glasswing, a defensive coalition with AWS, Apple, Microsoft, Google, CrowdStrike, and Palo Alto Networks to use Mythos to find and fix vulnerabilities before attackers get there first. The UK's AI Safety Institute independently evaluated Mythos Preview and confirmed the cyber capability claims.

For enterprise security leaders, this changes the threat model. Not incrementally. Structurally.

The Asymmetry That AI Introduces Into Vulnerability Research

The traditional dynamic in cybersecurity is a slow asymmetry: defenders have more surface area to protect, attackers only need to find one way in. AI-powered vulnerability discovery doesn't just shift that equation — it multiplies the attacker's throughput by orders of magnitude.

Scope expands beyond any human team's capacity. The tens of thousands of zero-days Mythos identified span every major operating system and browser. A human red team working full-time couldn't surface that volume in years. When AI can generate, test, and iterate on exploit hypotheses at machine speed, the discovery bottleneck that has always constrained adversaries disappears.

Age of code is no longer a proxy for safety. The 27-year-old OpenBSD flaw is the data point that should end the comfortable assumption that legacy code "has been reviewed enough times to be trustworthy." If AI can find exploits in software that has been publicly available and professionally scrutinized for nearly three decades, organizations that have deferred patching because their old code "hasn't caused problems" are operating on borrowed time.

Third-party validation matters here. The UK AISI's independent evaluation of Mythos Preview adds something important: this isn't a self-reported capability claim from a company with an incentive to exaggerate. The same capabilities that make Mythos dangerous make it potentially decisive for defense — which is exactly the logic behind Project Glasswing.

What Project Glasswing Actually Changes — and What It Doesn't

The coalition Anthropic has assembled is genuinely significant. Having AWS, Apple, Microsoft, and Google collectively using a frontier offensive-capability AI to proactively patch their own and their customers' infrastructure means the defensive side of this race is well-resourced. But the Glasswing participants do not cover everything.

Coverage is skewed toward large platform vendors. The organizations in Project Glasswing control enormous amounts of shared infrastructure — cloud platforms, browsers, operating systems. But the tail of enterprise software, custom internal applications, legacy ERP deployments, and on-premise systems that most large organizations still run is not covered by any coalition. The vulnerabilities Mythos will find and fix for Glasswing members are a subset of what it could find in any given enterprise environment.

The defensive window is asymmetric. The 6-to-12 months Amodei describes is the window before peer competitors develop equivalent offensive tools. It is not a window that resets. Organizations that use this period to audit and remediate high-risk exposures will be in a materially different position than those that don't. The patch backlog problem is a chronic condition in enterprise IT; Mythos makes it an acute risk.

Regulated environments face compounded exposure. Healthcare, financial services, and critical infrastructure organizations that operate under compliance frameworks were already managing vulnerability disclosure requirements with limited security staffing. An AI that discovers vulnerabilities at this scale, even in the hands of defenders, means disclosure timelines and remediation SLAs that were designed for human-paced discovery may need revision.

What Security Teams Should Do in the Next 90 Days

The Mythos news shouldn't produce paralysis — it should produce prioritization. The threat is real, the window is defined, and the steps are knowable.

Audit your most exposed surfaces first. Browser-facing applications, internet-accessible endpoints, and any system running software that hasn't been patched in the last 18 months are the highest-priority attack surface. Mythos-class tools will find the same kind of vulnerabilities that Mythos found in Firefox — the question is whether a defender or an adversary finds them in your environment first.

Stop treating legacy code as inert. The 27-year-old OpenBSD result is the signal. Inventory your legacy software dependencies and get visibility into their patch status. If a critical system relies on unmaintained code, the Mythos finding is the business case for remediation that has been deferred too long.
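A small triage helper for the two recommendations above (exposed surfaces first, then unmaintained legacy code). This is an added example, not code from the post or from Anthropic; the inventory is constructed and the scoring weights are assumptions chosen to reflect the post's priorities, with the 18-month patch-age threshold taken from the text.

```python
"""Rank an asset inventory for audit order: internet-facing and browser-facing
systems, unmaintained code, and anything not patched in the last 18 months
rise to the top. Weights and the sample inventory are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_AGE_LIMIT_DAYS = 18 * 30  # "not patched in the last 18 months" (post's threshold)

# Illustrative weights (assumption): exposure and stale patching dominate.
W_INTERNET, W_BROWSER, W_UNMAINTAINED, W_STALE = 4, 2, 3, 4


@dataclass
class Asset:
    name: str
    internet_facing: bool          # reachable from the internet
    browser_facing: bool           # serves or renders web content
    maintained: bool               # upstream/vendor still ships fixes
    last_patched: Optional[date]   # None = unknown or never patched


def is_stale(asset: Asset, today: date) -> bool:
    """Unknown patch history is treated as stale, not as safe."""
    if asset.last_patched is None:
        return True
    return (today - asset.last_patched).days > PATCH_AGE_LIMIT_DAYS


def risk_score(asset: Asset, today: date) -> int:
    """Higher means audit sooner."""
    score = W_INTERNET if asset.internet_facing else 0
    score += W_BROWSER if asset.browser_facing else 0
    score += 0 if asset.maintained else W_UNMAINTAINED
    score += W_STALE if is_stale(asset, today) else 0
    return score


def audit_order(assets: List[Asset], today: date) -> List[Tuple[str, int]]:
    """Assets sorted by descending score; ties broken by name for stable output."""
    ranked = sorted(assets, key=lambda a: (-risk_score(a, today), a.name))
    return [(a.name, risk_score(a, today)) for a in ranked]


# Constructed sample inventory (not real systems).
TODAY = date(2026, 6, 1)
SAMPLE_ASSETS = [
    Asset("public-web-portal", True, True, True, date(2026, 5, 20)),
    Asset("legacy-erp", False, False, False, date(2022, 1, 10)),
    Asset("vpn-gateway", True, False, True, date(2024, 9, 1)),
    Asset("hr-intranet", False, True, True, None),
]

if __name__ == "__main__":
    for name, score in audit_order(SAMPLE_ASSETS, TODAY):
        print(f"{score:2d}  {name}")
```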

Engage with your cloud vendor's AI security program. If you're running workloads on AWS, Azure, or Google Cloud, these providers are actively participating in defensive AI security research. Understand what that means for your shared-responsibility model — specifically, what vulnerabilities will be patched at the platform layer and what remains your responsibility.

Run a realistic breach scenario with AI-scale attack assumptions. Most tabletop exercises are calibrated for human-paced attack chains. Redesign your incident response planning to account for the possibility that an adversary using AI tooling can move from initial access to lateral movement to data exfiltration in minutes rather than days. The dwell-time assumptions that underlie most detection and response programs may no longer hold.

The Stakes Beyond the Security Department

The Claude Mythos news is primarily a cybersecurity story, but its second-order effects reach further into how organizations think about AI governance and competitive risk.

Organizations that treat AI safety as a compliance checkbox are not prepared for a world in which AI is a first-class offensive tool. The same capabilities that Anthropic is attempting to harness for defense can be directed at any organization's infrastructure by any adversary with access to comparable models — and that access window is narrowing.

The Glasswing coalition is a meaningful defensive effort. But it is not a firewall around the enterprise. The organizations that will come through this period in the best shape are those that treat the next six months as an implementation window — not a monitoring window. Monitoring what Anthropic and the Glasswing partners do is not a substitute for acting on your own exposure. The vulnerability is in your stack. The time is now.
