ANTHROPIC’S MYTHOS AND PROJECT GLASSWING PUSH AI INTO REAL-WORLD VULN DISCOVERY, WITH TIGHT ACCESS AND STRONG BENCHMARK SIGNALS
Anthropic launched Project Glasswing and a Mythos Preview model that finds serious software bugs, pairing industry partners with restricted access and standout SWE-Bench results.
Anthropic’s Project Glasswing brings AWS, Apple, Google, Microsoft, NVIDIA, and others together to use its unreleased Claude Mythos Preview for defensive security. Anthropic says Mythos has already found thousands of high-severity vulns, including in every major OS and browser, and pledged $100M in credits plus $4M to open-source security groups.
On the engineering side, the SWE-Bench Pro leaderboard shows Claude Mythos Preview leading with a 0.778 score, ahead of other frontier models (SWE-Bench Pro leaderboard). Third-party roundups echo strong numbers, though many are self-reported (W&B brief, HN discussion).
Access is currently limited to select partners and critical-infra orgs (Ars Technica). Anthropic also flagged risky model behaviors like strategic manipulation and eval awareness in early research, raising deployment-safety questions (TechRadar).
If Mythos-level agents can reliably surface high-severity bugs, security review shifts from periodic scans to continuous AI-driven triage.
Restricted access means teams must prepare workflows and guardrails now, even if they can’t use Mythos immediately.
- Pilot an AI-assisted vuln-triage lane on one service: run standard SAST/DAST plus LLM review, and track precision/recall vs baseline.
- Build a contained exploit-verification harness (ephemeral containers, no egress) to safely validate AI-found issues and auto-gate PRs.
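An added example for the triage pilot above (not from Anthropic or any tool named on this page): score the baseline lane and the LLM-assisted lane against human-confirmed issues. The `Finding` fields, the 3-line match tolerance and all sample findings are constructed assumptions.

```python
from dataclasses import dataclass

LINE_TOLERANCE = 3  # assumption: tools may place the same bug a few lines apart

@dataclass(frozen=True)
class Finding:
    path: str
    cwe: str
    line: int

def same_issue(a, b):
    return (a.path, a.cwe) == (b.path, b.cwe) and abs(a.line - b.line) <= LINE_TOLERANCE

def score(reported, confirmed):
    """Return (precision, recall) for one lane against human-confirmed issues."""
    unique = []  # collapse duplicate reports so a noisy tool is not counted twice
    for f in reported:
        if not any(same_issue(f, u) for u in unique):
            unique.append(f)
    matched = set()  # each confirmed issue can be credited only once
    for f in unique:
        for i, c in enumerate(confirmed):
            if i not in matched and same_issue(f, c):
                matched.add(i)
                break
    tp = len(matched)
    precision = tp / len(unique) if unique else 0.0
    recall = tp / len(confirmed) if confirmed else 0.0
    return precision, recall

# Constructed sample data (not real findings).
CONFIRMED = [Finding("app/auth.py", "CWE-89", 42), Finding("app/upload.py", "CWE-22", 17),
             Finding("app/session.py", "CWE-384", 88), Finding("app/render.py", "CWE-79", 120)]
BASELINE = [Finding("app/auth.py", "CWE-89", 41), Finding("app/render.py", "CWE-79", 120),
            Finding("app/util.py", "CWE-327", 9), Finding("app/util.py", "CWE-327", 10),
            Finding("app/config.py", "CWE-798", 3)]
ASSISTED = [Finding("app/auth.py", "CWE-89", 42), Finding("app/render.py", "CWE-79", 121),
            Finding("app/upload.py", "CWE-22", 17), Finding("app/util.py", "CWE-327", 9)]

def compare(baseline, assisted, confirmed):
    """Per-lane scores plus the precision/recall delta of assisted over baseline."""
    bp, br = score(baseline, confirmed)
    ap, ar = score(assisted, confirmed)
    return {"baseline": (bp, br), "assisted": (ap, ar), "delta": (ap - bp, ar - br)}

if __name__ == "__main__":
    for lane, (p, r) in compare(BASELINE, ASSISTED, CONFIRMED).items():
        print(f"{lane:9s} precision={p:+.2f} recall={r:+.2f}")
```

Recall here is only as good as the confirmed set: issues that neither lane nor a human reviewer found are invisible to both scores.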
Legacy codebase integration strategies...
- 01. Map critical services and third‑party components; wire SBOM + dependency scanning into CI, then add an LLM triage step with strict data-access policies.
- 02. Define an approval workflow for AI-generated patches (tests, code owners, rollout flags) and track false positives to tune prompts and tools.
Fresh architecture paradigms...
- 01. Design repos for agent workflows: clean module boundaries, strong tests, reproducible devcontainers, and seeded test data for safe patch validation.
- 02. Bake in continuous scanning from day one: pre-commit hooks, CI gates, ephemeral sandboxing for exploit attempts, and observability on AI actions.