Project Glasswing expands to protect critical software | Keryc
Project Glasswing has moved from a closed experiment to a larger initiative to protect the software that moves the world.
In April, Anthropic opened access to Claude Mythos Preview for about 50 organizations, and those early tests already revealed more than 10,000 high- or critical-severity vulnerabilities in code that many companies and governments use every day. Now the initiative is expanding: roughly 150 more organizations across more than 15 countries enter the next phase, each having met security requirements before receiving access.
What is Project Glasswing and why it matters
Project Glasswing is a collaborative effort to use AI models to detect and fix flaws in critical software. It's not just about finding bugs: it's about working with companies, open-source maintainers and governments so discoveries turn into patches applied in production.
Why does this matter to you? Many of the new organizations operate in sectors like energy, water, health, communications and hardware. For several partners, a major attack could impact more than 100 million people. We're not talking minor inconveniences: we're talking national security and essential services.
What they're using and how it helps in practice
Claude Mythos Preview has been used at scale to scan codebases and prioritize findings.
Anthropic also provides internal tools to trusted security teams and has launched Claude Security, a product that uses models like Claude Opus 4.8 to scan code and suggest patches.
Models are not a cure-all, but they speed up repetitive and costly tasks: generating patches, running automated penetration tests, spotting threats and even rewriting legacy code into safer languages. Several partners already use these models to write and validate fixes before deployment.
The bottleneck: verifying, disclosing and patching
Finding vulnerabilities with AI is only the first step. The real challenge is validating findings, notifying maintainers responsibly and deploying patches at scale. Anthropic is talking with third parties about how to amplify review and patching in open source projects, and shares practices to make reports easier to process.
Risks and limits: why it's not just excitement
What if these models fall into the wrong hands? That's the question everyone asks. Anthropic warns that in 6 to 12 months many other companies could have Mythos-class models and some might release them without sufficient safeguards. That would increase the frequency and sophistication of cyberattacks.
That's why Project Glasswing prioritizes controlled access: they want robust protection systems before opening these capabilities to everyone. The goal is to tip the scales in favor of defenders, not attackers.
What's next: expansion and verification
Anthropic plans to keep expanding the project, prioritizing providers of essential infrastructure, maintainers of critical software and security testing teams. They also want to scale a cyber verification program that would allow granting Mythos-class capabilities to more organizations for concrete defensive tasks.
If you work with software, what can you do today?
Adopt AI-assisted scanning technologies and create fast internal processes to validate and patch.
Encourage collaboration with open source maintainers: a clear, actionable report speeds up fixes.
Prepare a response plan that includes triage, testing and patch deployment.
This is not about panicking, but about adjusting practices: AI changes the scale and speed of risks, and that demands new operational habits.
Project Glasswing doesn't solve everything, but it points a clear direction: use AI to make software safer, not to increase attack capability. If done right, this expansion can turn a temporary edge into a sustained defensive practice.