Anthropic announces Claude Mythos Preview, a model that accidentally became excellent at cybersecurity while training on code. The company claims it performs "by and large as good as a professional human at identifying bugs" and can chain multiple vulnerabilities into sophisticated exploits. In testing, it found a 27-year-old crash bug in OpenBSD and privilege escalation vulnerabilities in Linux. Rather than releasing publicly, Anthropic is launching Project Glasswing — partnering with organizations that maintain critical infrastructure code.
This represents the classic dual-use AI dilemma crystallizing in real-time. Models getting dramatically better at code means they're also getting dramatically better at breaking code. What's notable here isn't just the capability jump, but Anthropic's response: controlled access rather than open release. "We found more bugs in the last couple of weeks than I found in the rest of my life combined," one researcher says — that's either remarkable progress or concerning depending on who gets access first.
The video doesn't address the obvious tension in Anthropic's approach. They're essentially creating a temporary security advantage for select partners while potentially accelerating an AI security arms race. How long before similar capabilities emerge from other labs? What happens when state actors develop equivalent models? The "defenders first" strategy assumes coordination that rarely exists in practice. For developers, this signals that AI-assisted security research is moving from experimental to essential — but the tools that could protect your code might not be available to you anytime soon.