AI firm Anthropic has launched Project Glasswing, an initiative which uses AI to identify and remediate undiscovered cybersecurity vulnerabilities in critical software.
Project Glasswing, named after the glasswing butterfly, is based on Claude Mythos Preview, a powerful, not publicly available, version of Anthropic’s Large Language Model (LLM).
The company described the model as the “most capable yet for coding and agentic tasks” and that it can “deeply understand and modify complex software,” allowing Claude Mythos Preview to autonomously find and fix cybersecurity vulnerabilities at scale.
Anthropic did not train it specifically for cybersecurity, rather it said the capabilities are the result of its “strong agentic coding and reasoning skills.”
Announced publicly on April 7, the capabilities of Claude Mythos Preview have already been tested by Anthrophic’s launch partners for Project Glasswing. These include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.
In testing, the model discovered thousands of zero-day vulnerabilities which had not previously been identified. These included:
- A 27-year-old vulnerability in OpenBSD, a security-hardened UNIX-like operating system used to run firewalls and other critical infrastructure. The vulnerability allowed an attacker to remotely crash any machine running the operating system just by connecting to it
- A 16-year-old vulnerability in FFmpeg, which is commonly used in software to encode and decode video. The vulnerability was discovered in a line of code that automated testing tools had hit five million times without it previously identified
- The model autonomously found and chained several vulnerabilities in the Linux kernel, the software which is used to run most of the world’s servers, to allow an attacker to escalate from ordinary user access to complete control of the machine
Anthropic said that it had reported the vulnerabilities it discovered to the maintainers of the relevant software. The publicly identified vulnerabilities have already been patched.
“Our eventual goal is to enable our users to safely deploy Mythos-class models at scale,” the AI firm said.
Open-Source Security Support
As part of Project Glasswing, Anthropic has committed up to $100m in usage credits to over 40 additional organizations that build or maintain critical software infrastructure so they can use the model to scan and secure both first-party and open-source systems.
The company will also provide $4m in donations to open-source security organizations to support the work and to develop patches, if necessary.
Anthropic said it does not plan to make Claude Mythos Preview publicly available. It is intended for use by cybersecurity defenders and with appropriate guardrails in place.
However, threat actors have managed to jailbreak, abuse or even develop their own malicious versions of AI models to help commit AI-powered cybercrime at scale and some industry insiders have voiced concern over the potential for attackers to get hold of Mythos.
“It’s highly questionable that Anthropic will be able to limit the malicious uses of this model,” said Jeff Williams, founder of OWASP and Co-Founder and CTO of Contrast Security.
Senior cybersecurity personnel at several of Anthropic’s partners welcomed the development being made with Claude Mythos Preview and Project Glasswing.
“Google is pleased to see this cross-industry cybersecurity initiative coming together and to make Mythos Preview available to participants via Vertex AI. It’s always been critical that the industry work together on emerging security issues, whether it’s post-quantum cryptography, responsible zero-day disclosure, secure open source software, or defense against AI-based attacks,” said Heather Adkins, VP of security engineering at Google.
Igor Tsyganskiy, EVP of cybersecurity and research at Microsoft, said: “As we enter a phase where cybersecurity is no longer bound by purely human capacity, the opportunity to use AI responsibly to improve security and reduce risk at scale is unprecedented. Joining Project Glasswing, with access to Claude Mythos Preview, allows us to identify and mitigate risk early and augment our security and development solutions so we can better protect customers and Microsoft.”
