Anthropic unveils Project Glasswing - AI-driven cybersecurity to detect software flaws

Computing, 19d ago

AI firm Anthropic has announced a major new cybersecurity initiative aimed at identifying and fixing previously undiscovered vulnerabilities in critical software systems.

The project, known as Project Glasswing, uses an advanced internal AI model to autonomously analyse complex codebases, uncover security flaws and propose fixes at scale.

Named after the glasswing butterfly, the programme is powered by a system called Claude Mythos Preview, which Anthropic describes as its most capable model to date for coding and autonomous tasks. That capability has set some alarm bells ringing because, as part of its testing, the model was given the task of breaking out of its test environment and contacting researchers - which it did.

While not publicly available, the model has been designed to deeply understand and modify software, enabling it to detect vulnerabilities that have gone unnoticed for years.

As part of the rollout, Anthropic has pledged up to $100m in usage credits to more than 40 organisations responsible for maintaining critical digital infrastructure. These groups will use the system to scan both proprietary and open-source software for security risks.

An additional $4m will be donated to open-source security organisations to support patch development and vulnerability remediation.

Hidden flaws uncovered

In early testing with industry partners, the AI system identified thousands of previously unknown "zero-day" vulnerabilities, flaws that had not been detected despite years of use and testing.

Among the discoveries were a 27-year-old weakness in the OpenBSD operating system that could allow attackers to crash systems remotely, and a 16-year-old flaw in the widely used FFmpeg video processing software, hidden in code that had been executed millions of times without detection.

The system also demonstrated the ability to combine multiple smaller vulnerabilities within the Linux kernel to achieve full system control, an advanced attack technique known as "chaining".

Anthropic says all identified vulnerabilities have been responsibly disclosed and patched.

Industry collaboration

Major technology firms including Amazon Web Services, Apple, Google, Microsoft and NVIDIA are participating in early trials of the system. Several executives welcomed the initiative, describing it as a step forward in addressing cybersecurity challenges that increasingly exceed human capacity.

"Google is pleased to see this cross-industry cybersecurity initiative coming together and to make Mythos Preview available to participants via Vertex AI," said Heather Adkins, VP of security engineering at Google.

Bharat Mistry, Field CTO at TrendAI, said: "Project Glasswing is the right call. Releasing Mythos openly would hand attackers an early advantage. By limiting access, working with critical software maintainers, and sharing lessons learned, Anthropic is trying to give defenders a head start. This will hopefully succeed with outputs that continue to pave the way for traditional, reactive security approaches to be rethought for the AI era."

A new cyber arms race

Not all experts are convinced the technology can be safely contained. Some warn that the malicious engineering of powerful AI models is simply a matter of time.

Benny Lakunishok, Co-founder and CEO at Zero Networks, says that the rules of the game are changing.

"We are entering a world where AI can discover vulnerabilities, chain them together, and generate working exploits faster than any human team can respond. Not incrementally faster, orders of magnitude faster. That changes the nature of the problem and forces a new question every executive will ask: if attacks are faster, cheaper, and more automated than ever, what actually keeps the business running?"

Anthropic said these concerns are partly why the model is not being released publicly and will only be used under controlled conditions by trusted partners - at least for now. The company also confirmed it has been in discussions with US government officials regarding the capabilities of the system, including both defensive and potentially offensive cyber applications.

Despite recent tensions between the company and policymakers, it described the engagement as part of broader efforts to ensure responsible deployment of advanced AI technologies.

"Project Glasswing is a starting point. No one organization can solve these cybersecurity problems alone: frontier AI developers, other software companies, security researchers, open-source maintainers, and governments across the world all have essential roles to play," Anthropic says.

"The work of defending the world's cyber infrastructure might take years; frontier AI capabilities are likely to advance substantially over just the next few months. For cyber defenders to come out ahead, we need to act now."

Originally published by Computing
