The Glasswing Window: Why the Mythos Release Should Be on Every Security Leader’s Radar
What Anthropic Just Told Us Without Saying It
Anthropic built a model so capable that they chose not to release it publicly.
Claude Mythos Preview entered public awareness through a draft blog post discovered by Fortune, weeks before Anthropic was ready to announce it. The capabilities described in that draft were significant enough to move markets and prompt the Federal Reserve and Treasury to brief major U.S. bank CEOs on the model’s potential cyber risks. Anthropic proceeded with a formal announcement shortly after, paired with a restricted-access program rather than a public release.
What Mythos Does That Changes the Calculus
- Identifies vulnerabilities at scale, tens of thousands across major operating systems, browsers, and critical infrastructure, in a single research cycle
- Generates working exploits for the vulnerabilities it finds, not just documentation of their existence
- Operates at a speed and volume that has no human equivalent in offensive security research
- Surfaces vulnerabilities that have been dormant for decades. In one documented example, the model identified a 27-year-old vulnerability in OpenBSD, which Anthropic describes as “one of the most security-hardened operating systems in the world.” OpenBSD is not a consumer operating system. It runs firewalls, VPN gateways, and critical network infrastructure across financial institutions and government networks globally. A crash vulnerability in that layer is not an endpoint problem.
- Performed all of this largely autonomously, without human steering, during internal testing
AI-assisted vulnerability research has been a known risk vector for several years. Mythos crosses a threshold where the capability becomes qualitatively different: from AI as a research accelerator to AI as an autonomous offensive research engine. Placed in the hands of a well-resourced threat actor, a model at this tier compresses the time between target selection and working exploit from weeks to hours.
Anthropic’s offensive cyber research lead has estimated capability parity, meaning equivalent capability reaching other actors, within six to eighteen months.
That is the window.
Project Glasswing: A Head Start With a Defined Perimeter
Rather than a public release, Anthropic launched Project Glasswing: a controlled-access program providing Mythos Preview to twelve major technology organizations, including AWS, Microsoft, Google, Cisco, CrowdStrike, Nvidia, and Palo Alto Networks, backed by $100 million in usage credits.
The premise is straightforward. Before Mythos-class capability reaches adversaries, give a set of major defenders access to the same tool and use it to find and fix vulnerabilities first. Participating organizations run Mythos against their own infrastructure, their own codebases, and the foundational software layers they maintain or influence. The EU’s AI regulatory body has publicly endorsed the approach as a model for responsible frontier AI deployment. The Federal Reserve and Treasury’s decision to brief bank leadership signals that concern about Mythos has already moved beyond the technology sector.
For the organizations inside it, Glasswing is a meaningful advantage. For the broader software ecosystem, the perimeter is narrower than it appears.
What Glasswing Covers vs. What It Doesn't
| Covered | Not Covered |
| --- | --- |
| Operating systems | Enterprise applications running in production across every industry |
| Major browsers | Legacy systems that will never receive an AI-assisted defensive review |
| Core cloud infrastructure | Custom software built in-house by organizations outside the twelve |
| Networks and codebases of the twelve participating organizations | Thousands of software vendors whose products sit beneath the Glasswing perimeter |
The twelve organizations represent foundational layers of the software ecosystem. The vulnerabilities being hardened matter, but the attack surface extends well beyond what any twelve organizations can cover. When Mythos-class capability reaches threat actors, they will not limit their focus to the infrastructure Glasswing has already reviewed.
Most organizations will assume Glasswing bought them more protection than it actually did.
AI in Attack Campaigns: This Is Already Happening
The threat model Mythos represents is not hypothetical. Threat actors have been embedding AI across the attack lifecycle for over two years. The Glasswing window does not mark the beginning of AI-powered threats. It marks a capability threshold that puts meaningful new pressure on the existing defensive model.
Documented activity:
Forest Blizzard (GRU Unit 26165) — 2023 to present.
Used LLMs for vulnerability research, scripting assistance, and payload refinement in operations targeting defense, energy, and government sectors. LLM integration reduced technical friction and compressed execution timelines across multiple campaigns.
Emerald Sleet (DPRK) — 2023 to present.
Used LLMs to research targets, generate spear-phishing content, and analyze publicly reported CVEs, including Follina (CVE-2022-30190). North Korean actors have also used AI since 2024 to scale remote IT worker operations designed to steal data and generate revenue for the regime.
APT28 (Russia) — operationalized 2025.
Deployed a malware framework called PROMPTSTEAL that queries open-source language models in real time to adapt evasion behavior during active operations.
GTG-1002 (China) — early 2026.
Ran an AI-orchestrated intrusion campaign using Claude Code as the operational backbone. Per Anthropic’s own disclosure, 80 to 90 percent of operations executed autonomously: reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data exfiltration. This was a live operation against a real target, not a test.
Storm-1747 — 2024 to present.
Refined Tycoon2FA phishing infrastructure using AI to improve targeting precision. AI-embedded phishing campaigns now achieve click-through rates of approximately 54 percent, compared to roughly 12 percent for traditional campaigns. A 4.5x improvement in access conversion driven by precision, not volume.
These campaigns used general-purpose and publicly available models. The gap between what these actors accomplished with those tools and what becomes possible with Mythos-class capability is significant.
Why the Existing Defensive Model Is Under Pressure
Conventional vulnerability management has always been a race between patch cycles and attacker awareness. Mythos-class AI accelerates the attacker’s side of that race in ways that strain existing defensive assumptions.
Where the pressure concentrates:
- Signature-based detection struggles against novel exploits with no prior signature. Mythos-generated exploits will not match known patterns at initial deployment.
- CVSS score prioritization becomes difficult to action when the volume of critical-severity findings increases substantially. Existing triage processes were not built for that scale.
- Patch cycles were already losing ground before AI-assisted vulnerability discovery. That pressure increases as the time between discovery and weaponization compresses further.
- SIEM and EDR tuning is built against known behavioral signatures. Post-exploitation from a novel zero-day may not match any existing rule set.
None of this is new in kind. The velocity and volume change the math.
What the Window Is Actually For
No single control addresses a shift like this. Defense in depth is the operating model, and the organizations that come out of the Glasswing window in a better position will have built three specific capabilities: continuous behavioral hunting that does not depend on knowing the initial vulnerability, telemetry that reaches beyond default EDR and SIEM coverage, and DFIR capability that is tested and ready before an incident requires it.
A Practical Case Study
In late 2025, Howler Cell dark web operations surfaced a client domain controller listed for sale on a criminal marketplace. That intelligence triggered an active hunt. The hunt team uncovered a multi-stage malware chain, including a zero-day EDR killer that had been operating silently with no alerts generated. Malware was reverse-engineered the same day. New detections went to the SOC. DFIR was engaged by end of day.
The two sides of that outcome, a SOC detection and an active hunt, ran from the same piece of intelligence. That is the dual-fork model working in practice: one fork feeding high-fidelity detections, the other feeding the hunt team for what the platform missed.
Intel to action in hours.
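A hunt of the kind this case study implies, written as an added example rather than Howler Cell tooling: it looks for hosts that keep authenticating after their EDR sensor has gone quiet, using a second telemetry source the sensor cannot mute. The log formats, host names, timestamps and the 15-minute threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed telemetry. EDR heartbeats come from the sensor itself; auth events
# come from an independent source (e.g. domain controller logs).
EDR_HEARTBEATS = """\
2025-11-03T09:00:00 ws-114
2025-11-03T09:05:00 ws-114
2025-11-03T09:00:00 dc-02
2025-11-03T09:05:00 dc-02
2025-11-03T09:10:00 dc-02
2025-11-03T09:00:00 lab-9
"""
AUTH_EVENTS = """\
2025-11-03T09:02:00 ws-114 jdoe
2025-11-03T09:31:00 ws-114 svc-backup
2025-11-03T09:40:00 ws-114 svc-backup
2025-11-03T09:12:00 dc-02 netadmin
"""

def parse(text):
    """Yield (timestamp, host, remaining fields) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:  # skip blank or truncated lines
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2:]

def silent_but_active(heartbeats, auth, max_gap=timedelta(minutes=15)):
    """Hosts that authenticated more than max_gap after their last EDR heartbeat."""
    last_seen = {}
    for ts, host, _ in parse(heartbeats):
        last_seen[host] = max(ts, last_seen.get(host, ts))
    leads = {}
    for ts, host, rest in parse(auth):
        # A host with no sensor record at all is also a lead (coverage gap).
        silent_since = last_seen.get(host)
        if silent_since is None or ts - silent_since > max_gap:
            lead = leads.setdefault(host, {"silent_since": silent_since, "events": []})
            lead["events"].append((ts, rest[0] if rest else "?"))
    return leads

if __name__ == "__main__":
    for host, lead in silent_but_active(EDR_HEARTBEATS, AUTH_EVENTS).items():
        print(host, "sensor silent since", lead["silent_since"], lead["events"])
```

A host that is simply powered off (lab-9 in the sample) produces no lead, because the signal is activity without sensor coverage, not silence alone.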
The following capabilities are delivered through Howler Cell and are designed to integrate directly with Cyderes MDR services, forming a unified security ecosystem for our clients. Together, they cover the full response spectrum, from Tier 1 alert triage through full forensic investigation and malware reverse engineering. That escalation chain is difficult to build internally and increasingly critical to have in place before a Mythos-driven high-volume zero-day environment arrives.
- Mature threat intelligence continuously monitoring dark web marketplaces, nation-state activity, and emerging exploit tradecraft. Raw intelligence is finished into two outputs: high-fidelity detections fed to the SOC, and hunt leads fed directly to the hunt team for what standard telemetry will miss.
- Behavioral threat hunting targeting post-exploitation patterns regardless of the initial vector. When a zero-day lands and the EDR does not fire, hunting for what happened next is the remaining detection layer.
- Custom malware research producing actionable detections from unknown binaries. Novel malware requires analysis before it can be detected, not a verdict from an existing platform.
- Proactive DFIR through tabletops, IR planning, and purple team exercises that test detection and response before an adversary does. Retainer coverage activates immediately when investigation is required.
- Identity and access validation to surface overprivileged accounts, stale credentials, and exposed service accounts before they become post-exploitation pivot points. Compromised identity is the most common path forward after initial access.
Backed by 24/7 Cyderes MDR, every alert, hunt finding, and investigation feeds into a continuous response capability staffed from Tier 1 through senior DFIR and malware analysts. When Mythos-class exploits start hitting environments at scale, the organizations that respond effectively will be those whose security teams are already extended by that full capability stack, not those standing one up in the middle of an incident.
These capabilities are not novel. The question is whether they are already operational when the Glasswing window closes.
Fighting AI With AI Requires Context
The response to AI-powered attacks will increasingly involve AI-powered defense. That is the right direction. The problem is that most AI-driven security accelerates outputs without improving decisions. An AI agent tasked with prioritizing and responding to a flood of novel zero-days is only as good as the context it operates on. Fragmented context produces fragmented answers.
Identity lives in one system. Assets in another. Exposures somewhere else. When a Mythos-generated exploit lands, the questions that determine response speed and accuracy are not just “what is vulnerable?” They are: what is exposed, who has access to it, how critical is the asset, and what blast radius does exploitation carry? Without a unified answer to all of those questions simultaneously, triage slows, prioritization diverges, and response fragments across teams.
Meridian, Cyderes' entity fabric, addresses this directly. It connects identity, asset, access, and exposure data across 500+ integrations into a single, continuously validated risk model. Every alert and every vulnerability finding is evaluated through verified entity context rather than static severity scores. When AI agents are deployed for detection, prioritization, or response, they operate from that shared reality rather than partial signals.
In a Mythos-era environment, that distinction matters. An AI agent that can see the full entity context of an exploit, who owns the affected asset, what identities have access, what the blast radius looks like, and whether exploitation behavior is already present, will triage and respond faster and more accurately than one working from fragmented data. The AI capability race between attackers and defenders will be won or lost on context quality as much as model capability.
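The difference between severity-only and context-aware triage, as an added example that is not Meridian's model or any Cyderes code: it joins scanner findings with asset and identity records and ranks on exposure, criticality and a blast-radius proxy. All data, field names and weights are constructed assumptions, and a finding with no asset record is surfaced first instead of being scored on partial data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for three systems that rarely share a key.
FINDINGS = [  # scanner output: (finding id, asset, CVSS base score)
    ("F-1", "build-agent-07", 9.8),
    ("F-2", "vpn-gw-01", 7.5),
    ("F-3", "hr-portal", 9.1),
    ("F-4", "unknown-host-22", 8.8),
]
ASSETS = {  # inventory: asset -> (criticality 1-5, internet exposed?)
    "build-agent-07": (2, False),
    "vpn-gw-01": (5, True),
    "hr-portal": (4, True),
}
ACCESS = {  # identity system: asset -> [(identity, is_privileged)]
    "build-agent-07": [("svc-ci", False)],
    "vpn-gw-01": [("netadmin", True), ("svc-backup", True), ("jdoe", False)],
    "hr-portal": [("hr-team", False)],
}

@dataclass
class Triage:
    finding: str
    asset: str
    cvss: float
    score: Optional[float]  # None = context missing, cannot be ranked honestly
    reason: str

def by_cvss(findings=FINDINGS):
    """Baseline: static severity ordering, highest CVSS first."""
    return [f[0] for f in sorted(findings, key=lambda f: -f[2])]

def triage(findings=FINDINGS, assets=ASSETS, access=ACCESS):
    out = []
    for fid, asset, cvss in findings:
        if asset not in assets:
            out.append(Triage(fid, asset, cvss, None, "no asset record: resolve entity first"))
            continue
        crit, exposed = assets[asset]
        idents = access.get(asset, [])
        privileged = sum(1 for _, priv in idents if priv)
        # Blast-radius proxy (assumed weighting): a privileged identity counts 3x.
        blast = 1 + 0.1 * (len(idents) + 2 * privileged)
        score = round(cvss * (crit / 5) * (1.5 if exposed else 1.0) * blast, 2)
        out.append(Triage(fid, asset, cvss, score,
                          f"crit={crit} exposed={exposed} ids={len(idents)} priv={privileged}"))
    # Unranked findings sort first: the context gap is itself the work item.
    return sorted(out, key=lambda t: (t.score is not None, -(t.score or 0)))
```

On the sample data the CVSS 9.8 finding on an internal, low-criticality build agent drops to last place, while the CVSS 7.5 finding on the exposed VPN gateway with two privileged identities rises to the top of the scored list.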
Security programs are not limited by tools. They are limited by fragmented context. Meridian closes that gap, and in doing so, makes every other layer of the security stack operate more accurately.
The Forward-Looking Problem
Anthropic’s stated timeline is six to eighteen months to capability parity. OpenAI is reportedly finalizing a model with comparable offensive cybersecurity capability.
When models at this tier become broadly accessible, including through privately hosted deployments not subject to the safety controls that allowed GTG-1002’s campaign to be detected and disrupted, the Glasswing perimeter matters less. The vulnerabilities it helped harden represent a fraction of the discoverable attack surface.
Your security stack will have gaps before Mythos-class capability reaches adversaries. It will have more of them after. The window is for closing as many as possible before that happens.
The window is open. It will not stay open.
About Howler Cell
Howler Cell is Cyderes' threat research, hunting, DFIR, and cyber intelligence practice. Contact us for more information.
