The AI That’s Hunting Hackers Before They Strike: Inside Project Glasswing

For years, cybersecurity has been a game of catch-up. Hackers find a vulnerability, they exploit it, and defenders scramble to patch it after the damage is done. The technical term for this is “detect and respond.” It is exhausting, expensive, and increasingly losing proposition as attacks grow faster and more sophisticated.

This week, something changed. A coalition of the world’s most powerful technology companies announced a coordinated effort to flip that equation — using artificial intelligence not just to respond to threats, but to find and fix them before attackers ever get the chance.

The initiative is called Project Glasswing, and the results it has already produced are, depending on your perspective, either remarkable or alarming — and possibly both at once.

What Is Project Glasswing?
Project Glasswing is an initiative to secure the world’s most critical software for the AI era, bringing together Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks as launch partners. 

At the center of the project is an AI model called Claude Mythos Preview, developed by Anthropic.  Anthropic said it does not plan to make Mythos Preview generally available, instead sharing it exclusively with selected partners for defensive security work. The reason for that caution is directly tied to what the model is capable of.

A Tool So Powerful They Won’t Release It Publicly
Over the past several weeks, Anthropic used Claude Mythos Preview to identify thousands of zero-day vulnerabilities — that is, flaws that were previously unknown to the software’s developers — in every major operating system and every major web browser.

Zero-day vulnerabilities are the crown jewels of the hacking world. They are security holes that nobody knows about yet, which means nobody has patched them. A single critical zero-day can sell for millions of dollars on the criminal underground. Mythos Preview found thousands of them — and it found them in software that billions of people use every day.

Among the discoveries: a 27-year-old flaw in OpenBSD, one of the most security-hardened operating systems in the world, found and patched before the public announcement. A 16-year-old bug in FFmpeg that automated scanning tools had missed after running across the same code five million times.

What makes the model especially potent is not just that it finds individual flaws — it is that it understands how to combine them. Anthropic researcher Nicolas Carlini explained that Mythos Preview “has the ability to chain together vulnerabilities — you find two vulnerabilities, either of which doesn’t really get you very much independently, but this model is able to create exploits out of three, four, sometimes five vulnerabilities that in sequence give you some kind of very sophisticated end outcome.”

That capability is exactly why Anthropic is not releasing it to the general public. Anthropic has privately warned top government officials that Mythos makes large-scale cyberattacks significantly more likely — and the company has acknowledged that the same capabilities that can bolster cyber defenses can also be weaponized by attackers. 

Fighting Fire With Fire
The logic behind Project Glasswing is straightforward: if AI tools this powerful are eventually going to proliferate — and they are — then defenders need to get ahead of them now, before attackers do.

Cisco’s Chief Security Officer Anthony Grieco put it plainly: “AI allows us to scan and secure vast codebases at a scale previously unimaginable. However, it also lowers the threshold for attackers, empowering less-skilled actors to launch complex, high-impact campaigns. The question is simply who gets ahead of it and how fast.”

Anthropic is backing the initiative with up to $100 million in usage credits for Mythos Preview across participating organizations, as well as $4 million in direct donations to open-source security organizations.  Access has also been extended to more than 40 additional organizations that build or maintain critical software infrastructure — the kind of open-source code that powers everything from hospital systems to power grids.

Why This Matters to You
You may not run a tech company, but this development affects every device you own and every online service you use. The software vulnerabilities that Project Glasswing is hunting are in the operating systems on your phone and laptop, in the browsers you use to bank and shop, and in the infrastructure that processes your medical records and financial data.

Cisco’s Gary DePreta described the shift this way: “We’re going from an age of detect-and-respond — to predict-and-prevent threats.”  That transition, if it succeeds, means fewer of the massive data breaches, ransomware attacks on hospitals, and infrastructure disruptions that Dr. Tom has covered in this column over the past year.
The initiative is named for the glasswing butterfly — Greta oto — a creature whose transparent wings allow it to hide in plain sight, much like the hidden vulnerabilities the project aims to find. As Anthropic wrote: “No one organization can solve these cybersecurity problems alone. The work of defending the world’s cyber infrastructure might take years; frontier AI capabilities are likely to advance substantially over just the next few months. For cyber defenders to come out ahead, we need to act now.”

For the first time in a long time, the defenders may have a genuine head start. The race is on.

Stay safe out there, and I’ll see you next week!

Feeling lost in the digital world? Dr. Tom is here to help!