On April 16, 2026, Anthropic launched Claude Mythos Preview alongside Project Glasswing — a coordinated initiative to use the model’s unprecedented vulnerability-discovery capabilities defensively, patching critical software before attackers could exploit what Mythos found.
The partner list reads like an enterprise technology directory: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and over 40 additional organizations. Anthropic is committing $100M in usage credits to the effort, plus $4M in direct donations to open-source security organizations.
If your organization isn’t on that list — and most aren’t — here’s what you need to understand about what this means for your security and compliance posture over the next 12 months.
What Project Glasswing Is Actually Doing
Mythos Preview can find and exploit zero-day vulnerabilities at a scale and speed that has no precedent. In the weeks before the public announcement, Anthropic used it to identify thousands of previously unknown critical vulnerabilities across every major operating system, every major web browser, and a range of widely used software libraries. Some of these vulnerabilities had been sitting undetected for decades — including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw that automated fuzzing tools had tested five million times without catching.
Project Glasswing’s defensive theory is straightforward: if an AI system this capable exists, it’s better to use it to find and fix vulnerabilities before adversaries can find and exploit them. The launch partners are scanning their own systems and contributing to open-source security work.
The Access Gap Is Real and It’s Regulatory
Within a week of Mythos’s announcement, the White House, Treasury, and the Federal Reserve had convened the CEOs of the largest AI, cloud, and banking firms. That meeting wasn’t about Glasswing’s open-source contributions — it was about who has access to an offensive capability of this magnitude and what the implications are for critical infrastructure.
Operational technology providers — the companies that build and maintain the software running power grids, water systems, hospital networks, and financial market infrastructure — have reportedly expressed significant frustration at being excluded from the initial Mythos rollout. That exclusion isn’t punitive; Anthropic is moving cautiously. But the effect is that the organizations managing some of the highest-consequence systems in the economy are currently on the sideline while Glasswing partners scan and patch their own systems.
For regulated industries specifically, this creates a compliance and risk asymmetry: your regulators and largest counterparties may have access to vulnerability intelligence that you don’t. The gap between when a zero-day is found and when it is publicly disclosed, even under responsible disclosure norms, is a window of exposure, and you cannot defend against a weakness you do not know exists.
What Healthcare and Financial Services Organizations Need to Do
Inventory your dependencies on Glasswing-partner software. If your environment runs on Microsoft, Google, Apple, or Cisco infrastructure — and it almost certainly does — Mythos is actively scanning those codebases. When patches emerge from that work, they will not always arrive with detailed public CVE write-ups explaining why they’re critical. Your patch management process needs to treat Glasswing-originated patches as high-priority regardless of public severity labeling.
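As an added example (not code from this article, and not anything Anthropic or the Glasswing partners have published), here is a small Python triage routine that does the two things the recommendation above asks for: it flags inventory components supplied by the launch partners named earlier on this page, and it ranks incoming advisories so that a partner advisory for software you actually run is treated as top priority even when it ships with no CVE and no CVSS score. The inventory records, the advisory records, the "Example Corp" vendor, and the `ADV-` identifiers are all constructed for illustration; the vendor-name normalization is a simple heuristic of mine, and "vendor is a Glasswing partner" is used as a proxy for "Glasswing-originated" because the origin of a given patch is not labeled publicly.

```python
"""Triage vendor advisories against an inventory of deployed software.

Added example, not from the original article or from any vendor tooling.
Assumptions (all constructed): a minimal inventory of components with a
'supplier' field, and advisory records whose 'cve' and 'cvss' fields may
be missing, as the article warns Glasswing-era patches sometimes will be.
"""
import re
from dataclasses import dataclass
from typing import Optional


def normalize(name: str) -> str:
    """Lower-case, drop punctuation and common legal suffixes, remove spaces,
    so 'Cisco Systems, Inc.' and 'Cisco' both become 'cisco'. Heuristic only."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\b(inc|corp|corporation|llc|ltd|co|systems|the)\b", " ", n)
    return "".join(n.split())


# Launch partners as listed in the article, in normalized form.
GLASSWING_PARTNERS = {normalize(v) for v in [
    "Amazon Web Services", "Apple", "Broadcom", "Cisco", "CrowdStrike",
    "Google", "JPMorganChase", "the Linux Foundation", "Microsoft",
    "NVIDIA", "Palo Alto Networks",
]}


@dataclass(frozen=True)
class Advisory:
    vendor: str
    product: str
    advisory_id: str            # constructed identifier, not a real advisory
    cve: Optional[str] = None   # may be absent for Glasswing-era patches
    cvss: Optional[float] = None  # may be absent too


# Constructed sample inventory (CycloneDX-like 'supplier'/'name'/'version').
INVENTORY = [
    {"supplier": "Microsoft Corporation", "name": "Windows Server", "version": "2022"},
    {"supplier": "Cisco Systems, Inc.", "name": "IOS XE", "version": "17.9"},
    {"supplier": "Example Corp", "name": "BillingApp", "version": "3.1"},  # hypothetical non-partner
]

# Constructed sample advisories. ADV-001 is the case the article warns about:
# a partner patch with no CVE and no score.
ADVISORIES = [
    Advisory("Microsoft", "Windows Server", "ADV-001"),
    Advisory("Cisco Systems", "IOS XE", "ADV-002", cve="CVE-0000-0001", cvss=5.3),
    Advisory("Example Corp", "BillingApp", "ADV-003", cve="CVE-0000-0002", cvss=6.5),
    Advisory("Apple", "macOS", "ADV-004", cve="CVE-0000-0003", cvss=9.8),
]


def partner_exposure(inventory) -> dict:
    """Map each Glasswing partner to the inventory components it supplies."""
    exposure = {}
    for comp in inventory:
        vendor = normalize(comp["supplier"])
        if vendor in GLASSWING_PARTNERS:
            exposure.setdefault(vendor, []).append(f'{comp["name"]} {comp["version"]}')
    return exposure


def deployed_products(inventory) -> set:
    """Set of (vendor, product) pairs present in the inventory, normalized."""
    return {(normalize(c["supplier"]), normalize(c["name"])) for c in inventory}


def cvss_only_priority(adv: Advisory) -> str:
    """Weak policy: rank purely on the public CVSS score. An advisory that
    ships without a score sorts to the bottom (P4), which is exactly the
    wrong outcome for a partner patch that has no public write-up yet."""
    if adv.cvss is None:
        return "P4"
    if adv.cvss >= 9.0:
        return "P1"
    if adv.cvss >= 7.0:
        return "P2"
    return "P3"


def glasswing_priority(adv: Advisory, inventory) -> str:
    """Corrected policy: a partner advisory for deployed software is P1
    regardless of (or in the absence of) public severity labeling; anything
    not in the inventory is parked; everything else falls back to CVSS."""
    vendor, product = normalize(adv.vendor), normalize(adv.product)
    if (vendor, product) not in deployed_products(inventory):
        return "not-deployed"
    if vendor in GLASSWING_PARTNERS:
        return "P1"
    return cvss_only_priority(adv)


def triage(advisories, inventory) -> list:
    """Return (priority, advisory_id) pairs, highest priority first."""
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3, "not-deployed": 4}
    ranked = [(glasswing_priority(a, inventory), a.advisory_id) for a in advisories]
    return sorted(ranked, key=lambda r: order[r[0]])


if __name__ == "__main__":
    print("partner exposure:", partner_exposure(INVENTORY))
    for adv in ADVISORIES:
        print(adv.advisory_id, "cvss-only:", cvss_only_priority(adv),
              "glasswing:", glasswing_priority(adv, INVENTORY))
    print("queue:", triage(ADVISORIES, INVENTORY))
```

The contrast worth noticing is `ADV-001`: a CVSS-sorted queue puts it last because it has no score, while the corrected policy puts it first because it comes from a partner and touches a deployed product. In a real program the inventory would come from your SBOM or asset system and the advisories from the vendor feeds the next recommendation describes; the matching logic is the part that carries over.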
Establish a relationship with your software vendors’ security disclosure channels. Most major vendors have security notification programs that provide earlier and more detailed disclosure to registered customers. Enrollment is typically free. If your organization doesn’t have someone actively subscribed to the security advisories of every major platform you run, that’s a gap to close now.
Understand your BAA and vendor contract exposure to zero-day liability. In healthcare, Business Associate Agreements define security obligations between covered entities and their vendors. A zero-day vulnerability in a BAA counterparty’s software — even one the vendor was in the process of patching — can create breach notification obligations depending on your state and federal requirements. Your legal and compliance teams should understand what your BAA portfolio requires in the event of a Glasswing-style disclosure.
Don’t wait for Mythos access to assess your own attack surface. The waiting list for Mythos access is long and priority is going to critical infrastructure and major platform vendors. In the meantime, established penetration testing programs, attack surface management tools, and red team engagements remain available. The right response to Mythos is not to pause your existing security program while waiting for AI-powered tools — it’s to accelerate it.
What’s Coming on the Regulatory Front
The White House convening of AI and banking CEOs is an early indicator that Mythos’s capabilities are being treated as a national security and systemic risk matter, not just a cybersecurity product launch. Expect regulatory guidance — from HHS for HIPAA-covered entities, from the OCC and Federal Reserve for financial institutions — that addresses AI-generated vulnerability discovery, responsible disclosure timelines, and incident notification in the context of AI-accelerated threats.
The question is not whether that guidance is coming. It’s whether your organization will have the internal capability to respond to it quickly when it arrives.
The Honest Read
Project Glasswing is a genuine attempt to use a dangerous capability defensively. But the access structure means most organizations — including most regulated enterprises — are downstream of the discovery process, not part of it. That asymmetry has direct implications for patch management, vendor oversight, and compliance readiness.
If you want help mapping your exposure to Glasswing-era vulnerability disclosure, reviewing your vendor security obligations, or assessing your patch management process against AI-accelerated threat timelines, request a consultation.