What is Project Glasswing?
Project Glasswing is Anthropic's applied security research initiative, announced in May 2026. Its central component is Mythos Preview — a reasoning-focused variant of Claude Opus 4.7 trained specifically for vulnerability detection. Unlike general-purpose code review tools, Mythos is designed to identify logic flaws, memory safety violations, and cryptographic misconfigurations that evade pattern-matching scanners.
The initiative is named after the glasswing butterfly — an insect whose transparent wings serve as camouflage. The metaphor is apt: the vulnerabilities Mythos hunts are often hidden in plain sight, masked by correct-looking syntax but carrying dangerous semantic flaws.
Scale and Methodology
Anthropic's team deployed Mythos Preview across a corpus of over 1,000 open-source repositories spanning systems programming, cryptographic libraries, web frameworks, and embedded software. The model's task was not just to flag lines of suspicious code, but to reason about whether a vulnerability was exploitable and under what conditions.
The raw output: 23,019 flagged items. Of these, 6,202 were rated high or critical — meaning they could plausibly be exploited to achieve remote code execution, privilege escalation, or data exfiltration. The 90.6% true positive rate means that fewer than 1 in 10 findings were false alarms, a marked improvement over traditional static analysis tools, which typically generate noise rates of 40–70%.
CVE-2026-5194: A Case Study
Among the discoveries was CVE-2026-5194, a vulnerability in wolfSSL — an open-source cryptographic library used in embedded systems, automotive software, and IoT devices. The flaw involved an edge case in the TLS handshake validation logic, which under specific conditions could allow an attacker to bypass certificate verification.
wolfSSL is deployed in tens of millions of devices. The discovery by an AI system — not a human researcher — marks a milestone in automated security research. Anthropic coordinated responsible disclosure with the wolfSSL team before publishing findings.
Claude Security: From Research to Product
Alongside the Glasswing research, Anthropic launched Claude Security into public beta. The product integrates Mythos-class capabilities into a developer-facing interface, accessible through the Anthropic Claude API and via enterprise contracts with partners including Microsoft and Oracle.
Claude Security enables teams to submit codebases for automated analysis, receive prioritized vulnerability reports, and interact with the model to understand root causes and remediation paths. Anthropic positions the product not as a replacement for human security engineers, but as a force multiplier — handling the high-volume, low-ambiguity portion of a security audit while humans focus on architectural risk.
Why Open-Source Matters
The choice to focus on open-source software is deliberate. OSS forms the substrate of nearly all modern digital infrastructure — from cloud hypervisors to mobile operating systems to the cryptographic primitives underpinning financial systems. Yet OSS projects are chronically under-resourced for security review: volunteer maintainers, limited funding, and a long tail of dependencies that no one auditor can track.
Anthropic's argument is that AI can do what human auditors cannot: scan the entire dependency graph, reason about interaction effects between components, and flag issues before they are exploited in the wild.
Industry Context
Project Glasswing lands at a moment of heightened attention to software supply chain security. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has pushed for software bills of materials (SBOMs) as a disclosure standard. The 2021 Log4Shell vulnerability remains the canonical example of why OSS security matters at scale. Google has funded the OpenSSF, Microsoft has its Security Response Center. What distinguishes the Glasswing approach is the depth of reasoning: Mythos doesn't just pattern-match; it traces data flows and models attacker intent.
What's Next
Anthropic has indicated that Mythos Preview is an early iteration. Future versions will extend coverage to firmware and hardware description languages (HDL), where AI-assisted security review is largely uncharted territory. The team is also working on integration with common CI/CD pipelines, so vulnerability scanning becomes a continuous process rather than a periodic audit.
Claude Security is currently available in public beta for enterprise customers and developers with API access. Anthropic has not announced general availability pricing.
Sources
https://www.anthropic.com/research/glasswing-initial-update
