{"id":51545,"date":"2026-04-10T15:37:58","date_gmt":"2026-04-10T19:37:58","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=51545"},"modified":"2026-05-25T10:27:21","modified_gmt":"2026-05-25T14:27:21","slug":"mythos-and-glasswing","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2026\/04\/10\/mythos-and-glasswing\/","title":{"rendered":"Mythos and Glasswing"},"content":{"rendered":"<p><a href=\"https:\/\/tidbits.com\/2026\/04\/09\/what-anthropics-mythos-and-project-glasswing-mean-for-your-apple-devices\/\">Rich Mogull<\/a>:<\/p>\n<blockquote cite=\"https:\/\/tidbits.com\/2026\/04\/09\/what-anthropics-mythos-and-project-glasswing-mean-for-your-apple-devices\/\">\n<p>Anthropic, the company behind the Claude AI chatbot, made two security announcements that were shocking for many but seen as inevitable by those of us working in AI security. First, it announced <a href=\"https:\/\/red.anthropic.com\/2026\/mythos-preview\/\">Mythos Preview<\/a>, a new, non-public AI model that turns out to be startlingly good at finding security flaws in software. The second was <a href=\"https:\/\/www.anthropic.com\/glasswing\">Project Glasswing<\/a>, Anthropic&rsquo;s program for getting that capability into the hands of the companies best positioned to fix those flaws before anyone else can exploit them. Apple is one of those companies.<\/p>\n<p>As much as I&rsquo;d like to downplay the announcements, Mythos and Project Glasswing are very big deals on their own, and harbingers for the future of digital security. Mythos was able to find and exploit new vulnerabilities in every major operating system, including a bug in OpenBSD, an operating system famous for its security, that had been sitting there unnoticed for 27 years.<\/p>\n<p>[&#8230;]<\/p>\n<p>We are at the start of a period in which finding software flaws that affect everyday users will become dramatically easier for both attackers and defenders. [&#8230;] However, over the long run, I believe using AI to identify security vulnerabilities favors defenders, because developers can find and fix many more bugs before shipping software to the public.<\/p>\n<\/blockquote>\n\n<p>Anthropic has a habit of making wild and scary public statements that seem designed to generate headlines and funding but sort of fall apart upon scrutiny. I initially dismissed this as more of the same, but people seem to be <a href=\"https:\/\/daringfireball.net\/linked\/2026\/04\/08\/claude-mythos-exploits\">taking it seriously<\/a>.<\/p>\n\n<p><a href=\"https:\/\/tapbots.social\/@paul\/116372420608659953\">Paul Haddad<\/a>:<\/p>\n<blockquote cite=\"https:\/\/tapbots.social\/@paul\/116372420608659953\">\n<p>Our model is so good, it&rsquo;s not safe to release, yet. Has to be one of the greatest AI marketing stunts ever.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/stratechery.com\/2026\/myth-and-mythos\/\">Ben Thompson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/stratechery.com\/2026\/myth-and-mythos\/\">\n<p>There&rsquo;s reason for cynicism, given Anthropic&rsquo;s history, but <a href=\"https:\/\/stratechery.com\/2026\/anthropics-new-model-the-mythos-wolf-glasswing-and-alignment\/\">the part of the &ldquo;Boy Cries Wolf&rdquo; myth everyone forgets<\/a> is that the wolf did come in the end.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@danielpunkass\/116376377017659450\">Daniel Jalkut<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@danielpunkass\/116376377017659450\">\n<p>If Anthropic has really developed an LLM that can suss out security weaknesses better than any other AI, the US government would be foolish to continue shunning them.<\/p>\n<\/blockquote>\n\n<p>Or, rather, if the government believes the marketing, it may want to take control of the company and its technology, like how it restricted restricted civilian nuclear research.<\/p>\n\n<p><a href=\"https:\/\/stratechery.com\/2026\/anthropic-and-alignment\/\">Ben Thompson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/stratechery.com\/2026\/anthropic-and-alignment\/\">\n<p>In fact, Amodei already answered the question: if nuclear weapons were developed by a private company, and that private company sought to dictate terms to the U.S. military, the U.S. would absolutely be incentivized to destroy that company.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2026\/04\/02\/ios-18-7-7-and-ipados-18-7-7\/\">iOS 18.7.7 and iPadOS 18.7.7<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2026\/02\/06\/llms-and-software-development-roundup\/\">LLMs and Software Development Roundup<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2026\/01\/27\/curl-removes-bug-bounties\/\">curl Removes Bug Bounties<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/07\/04\/common-vulnerabilities-and-exposures-cve-funding\/\">Common Vulnerabilities and Exposures (CVE) Funding<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/05\/08\/curl-takes-action-against-ai-bug-reports\/\">curl Takes Action Against AI Bug Reports<\/a><\/li>\n<\/ul>\n\n<p id=\"mythos-and-glasswing-update-2026-04-13\">Update (<a href=\"#mythos-and-glasswing-update-2026-04-13\">2026-04-13<\/a>): <a href=\"https:\/\/martinalderson.com\/posts\/has-mythos-just-broken-the-deal-that-kept-the-internet-safe\/\">Martin Alderson<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=47724957\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/martinalderson.com\/posts\/has-mythos-just-broken-the-deal-that-kept-the-internet-safe\/\">\n<p>For nearly 20 years the deal has been simple: you click a link, arbitrary code runs on your device, and a stack of sandboxes keeps that code from doing anything nasty. Browser sandboxes for untrusted JavaScript, VM sandboxes for multi-tenant cloud, ad iframes so banner creatives can't take over your phone or laptop - the modern internet is built on the assumption that those sandboxes hold. Anthropic just shipped a research preview that generates working exploits for one of them 72.4% of the time, up from under 1% a few months ago. That deal might be breaking.<\/p>\n<p>[&#8230;]<\/p>\n<p>If an LLM can find exploits in sandboxes - which are some of the most <em>well secured<\/em> pieces of software on the planet - then suddenly every website you aimlessly browse through could contain malicious code which can 'escape' the sandbox and theoretically take control of your device - and all the data on your phone could be sent to someone nasty.<\/p>\n<p>[&#8230;]<\/p>\n<p>Equally, sandboxes (and virtualisation) are fundamental to allowing cloud computing to operate at scale.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/www.tomshardware.com\/tech-industry\/artificial-intelligence\/anthropics-claude-mythos-isnt-a-sentient-super-hacker-its-a-sales-pitch-claims-of-thousands-of-severe-zero-days-rely-on-just-198-manual-reviews\">Jon Martindale<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.tomshardware.com\/tech-industry\/artificial-intelligence\/anthropics-claude-mythos-isnt-a-sentient-super-hacker-its-a-sales-pitch-claims-of-thousands-of-severe-zero-days-rely-on-just-198-manual-reviews\">\n<p>That&rsquo;s the pitch in Anthropic&rsquo;s blog and <a href=\"https:\/\/www-cdn.anthropic.com\/8b8380204f74670be75e81c820ca8dda846ab289.pdf\">verbose 250-page report<\/a> on the model &mdash; which includes over 20 pages of Anthropic staff waxing lyrically about their novel impressions of the new model and its &ldquo;fondness for particular philosophers.&rdquo;<\/p>\n<p>Alongside the repeated suggestions from Anthropic and its staff that we should be concerned, nay, terrified, of what AI like Claude Mythos can do, they repeatedly suggest they&rsquo;re unsure if this new AI is conscious.<\/p>\n<p>For the record, it is not. It might be good at finding vulnerabilities in software, but many of them aren&rsquo;t as potentially damaging as Anthropic wants us all to believe.<\/p>\n<p>[&#8230;]<\/p>\n<p>Under the subheading, &ldquo;and several thousand more,&rdquo; Anthropic also states that it can&rsquo;t actually confirm that all of the thousands of bugs Mythos claims to have found are actually critical security vulnerabilities. It&rsquo;s just extrapolated that number from having found in around 90% of the &ldquo;198 manually reviewed vulnerability reports, [Anthropic&rsquo;s] expert contractors agreed with Claude&rsquo;s severity assessment exactly.&rdquo;<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/www.colincornaby.me\/2026\/04\/anthropics-mythos-implies-llm-scaling-has-hit-a-wall\/\">Colin Cornaby<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.colincornaby.me\/2026\/04\/anthropics-mythos-implies-llm-scaling-has-hit-a-wall\/\">\n<p>When I read about Mythos one thing stood out to me: It didn&rsquo;t matter if the modal was aligned or safe. You couldn&rsquo;t afford to run it anyway, and they can&rsquo;t afford to serve it to you. And that&rsquo;s a better explanation for why they&rsquo;ve limited access to Mythos.<\/p>\n<p>[&#8230;]<\/p>\n<p>If Mythos is only affordable by the very largest companies &#x2013; I think cybersecurity is a very shrewd focus by Anthropic. But for reasons that concern me.<\/p>\n<p>[&#8230;]<\/p>\n<p>I think this is Anthropic&rsquo;s next big play. Scare everyone with some security theater. And sell big tech some tiger rocks. And everyone will be too terrified to ever stop paying for Mythos. Big tech might even be willing to pay billions for multiple models.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/stratechery.com\/2026\/mythos-muse-and-the-opportunity-cost-of-compute\/\">Ben Thompson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/stratechery.com\/2026\/mythos-muse-and-the-opportunity-cost-of-compute\/\">\n<p>In other words, Anthropic isn&rsquo;t facing a marginal cost problem, but an opportunity cost problem: where to allocate its compute.<\/p>\n<p>[&#8230;]<\/p>\n<p>The key to handling those costs will be to charge more for Claude going forward; that, by extension, means maintaining pricing power, which leads to a second benefit of not releasing Mythos broadly. Anthropic certainly faces competition from OpenAI; for both frontier labs, however, the real competition in the long run are open source models.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/x.com\/i0n1c\/status\/2043561242233630863\">Stefan Esser<\/a>:<\/p>\n<blockquote cite=\"https:\/\/x.com\/i0n1c\/status\/2043561242233630863\">\n<p>One thing I have not seen discussed about #Mythos. Will \n@apple\n really give Claude and therefore potentially the whole world access to their private source code?<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/04\/on-anthropics-mythos-preview-and-project-glasswing.html\">Bruce Schneier<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/04\/on-anthropics-mythos-preview-and-project-glasswing.html\">\n<p>This is very much a PR play by Anthropic&mdash;and it worked.<\/p>\n<p>[&#8230;]<\/p>\n<p>These models do demonstrate an increased sophistication in their cyberattack capabilities. They write effective exploits&mdash;taking the vulnerabilities they find and operationalizing them&mdash;without human involvement.<\/p>\n<p>[&#8230;]<\/p>\n<p>The security company Aisle was able to <a href=\"https:\/\/aisle.com\/blog\/ai-cybersecurity-after-mythos-the-jagged-frontier\">replicate<\/a> the vulnerabilities that Anthropic found, using older, cheaper, public models. But there is a difference between finding a vulnerability and turning it into an attack.  This points to a current advantage to the defender.<\/p>\n<p>[&#8230;]<\/p>\n<p>A couple of weeks ago, I <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/04\/cybersecurity-in-the-age-of-instant-software.html\">wrote about<\/a> security in what I called &ldquo;the age of instant software,&rdquo; where AIs are superhumanly good at finding, exploiting, and patching vulnerabilities. I stand by everything I wrote there. The urgency is now greater than ever.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/07\/23\/through-the-blast-door\/\">Through the Blast Door<\/a><\/li>\n<\/ul>\n\n<p id=\"mythos-and-glasswing-update-2026-04-17\">Update (<a href=\"#mythos-and-glasswing-update-2026-04-17\">2026-04-17<\/a>): <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/04\/mythos-and-cybersecurity.html\">Bruce Schneier<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/04\/mythos-and-cybersecurity.html\">\n<p>This is, in many respects, exactly the kind of responsible disclosure that security researchers have long urged. And yet the public has been given remarkably little with which to evaluate Anthropic&rsquo;s decision. We have been shown a highlight reel of spectacular successes. However, we can&rsquo;t tell if we have a blockbuster until they let us see the whole movie.<\/p>\n<p>For example, we don&rsquo;t know how many times Mythos mistakenly flagged code as vulnerable. Anthropic said security contractors agreed with the AI&rsquo;s severity rating 198 times, with an 89 per cent severity agreement. That&rsquo;s impressive, but incomplete. Independent researchers examining similar models have found that AI that detects nearly every real bug also hallucinates plausible-sounding vulnerabilities in patched, correct code.<\/p>\n<p>This matters. A model that autonomously finds and exploits hundreds of vulnerabilities with inhuman precision is a game changer, but a model that generates thousands of false alarms and non-working attacks still needs skilled and knowledgeable humans. <\/p>\n<\/blockquote>\n\n<p id=\"mythos-and-glasswing-update-2026-04-27\">Update (<a href=\"#mythos-and-glasswing-update-2026-04-27\">2026-04-27<\/a>): <a href=\"https:\/\/daringfireball.net\/linked\/2026\/04\/23\/discord-group-has-claude-mythos-access\">John Gruber<\/a>:<\/p>\n<blockquote cite=\"https:\/\/daringfireball.net\/linked\/2026\/04\/23\/discord-group-has-claude-mythos-access\">\n<p>So on the one hand, Anthropic itself is the one describing Mythos as a dangerous national security threat. On the other hand, their own security is so sloppy that rando hooligans on Discord have had access to Mythos since the day it was announced, and regularly access other unreleased Claude  models. This, just weeks after Anthropic screwed up and <a href=\"https:\/\/daringfireball.net\/linked\/2026\/04\/06\/anthropic-claude-code-leak\">accidentally exposed the entire source code to Claude Code<\/a>.<\/p>\n<\/blockquote>\n\n<p id=\"mythos-and-glasswing-update-2026-04-29\">Update (<a href=\"#mythos-and-glasswing-update-2026-04-29\">2026-04-29<\/a>): <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/04\/what-anthropics-mythos-means-for-the-future-of-cybersecurity.html\">Bruce Schneier<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.schneier.com\/blog\/archives\/2026\/04\/what-anthropics-mythos-means-for-the-future-of-cybersecurity.html\">\n<p>We see Mythos as a real but incremental step, one in a long line of incremental steps. But even incremental steps can be important when we look at the big picture.<\/p>\n<p>[&#8230;]<\/p>\n<p>So we must separate the patchable from the unpatchable, and the easy to verify from the hard to verify. This taxonomy also provides us guidance for how to protect such systems in an era of powerful AI vulnerability-finding tools.<\/p>\n<p>[&#8230;]<\/p>\n<p>This also raises the salience of best practices in software engineering. Automated, thorough, and continuous testing was always important. Now we can take this practice a step further and use defensive <a href=\"https:\/\/spectrum.ieee.org\/tag\/agentic-ai\">AI agents<\/a> to <a href=\"https:\/\/www.secwest.net\/ai-triage\">test exploits<\/a> against a real stack, over and over, until the false positives have been weeded out and the real vulnerabilities and fixes are confirmed. This kind of <a href=\"https:\/\/www.csoonline.com\/article\/4069075\/autonomous-ai-hacking-and-the-future-of-cybersecurity.html\">VulnOps<\/a> is likely to become a standard part of the development process.<\/p>\n<\/blockquote>\n\n<p id=\"mythos-and-glasswing-update-2026-05-18\">Update (<a href=\"#mythos-and-glasswing-update-2026-05-18\">2026-05-18<\/a>): <a href=\"https:\/\/techcrunch.com\/2026\/04\/30\/after-dissing-anthropic-for-limiting-mythos-openai-restricts-access-to-cyber-too\/\">Julie Bort<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=47973108\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/techcrunch.com\/2026\/04\/30\/after-dissing-anthropic-for-limiting-mythos-openai-restricts-access-to-cyber-too\/\">\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">After Sam Altman <a href=\"https:\/\/techcrunch.com\/2026\/04\/21\/sam-altman-throws-shade-at-anthropics-cyber-model-mythos-fear-based-marketing\/\">trash-talked Anthropic for gatekeeping<\/a> its cybersecurity tool Mythos by only releasing it to select users, he confirmed that OpenAI would be doing the same with its competing tool, Cyber.<\/p>\n<\/blockquote>\n\n<p id=\"mythos-and-glasswing-update-2026-05-25\">Update (<a href=\"#mythos-and-glasswing-update-2026-05-25\">2026-05-25<\/a>): <a href=\"https:\/\/www.anthropic.com\/research\/glasswing-initial-update\">Anthropic<\/a> (<a href=\"https:\/\/news.ycombinator.com\/item?id=48240419\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.anthropic.com\/research\/glasswing-initial-update\">\n<p>Since then, we and our approximately 50 partners have used Claude Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities across the most systemically important software in the world. Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it&rsquo;s limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Rich Mogull: Anthropic, the company behind the Claude AI chatbot, made two security announcements that were shocking for many but seen as inevitable by those of us working in AI security. First, it announced Mythos Preview, a new, non-public AI model that turns out to be startlingly good at finding security flaws in software. The [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2026-04-10T19:38:04Z","apple_news_api_id":"597d5214-9a8e-45eb-ad91-31347ceb4d3b","apple_news_api_modified_at":"2026-05-25T14:27:27Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAACA==","apple_news_api_share_url":"https:\/\/apple.news\/AWX1SFJqOReutkTE0fOtNOw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2615,1351,2682,31,2741,30,2742,663,2915,991,2359,48],"class_list":["post-51545","post","type-post","status-publish","format-standard","hentry","category-technology","tag-anthropic","tag-artificial-intelligence","tag-claude","tag-ios","tag-ios-26","tag-mac","tag-macos-tahoe-26","tag-marketing","tag-mythos","tag-open-source-software","tag-openbsd","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=51545"}],"version-history":[{"count":10,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51545\/revisions"}],"predecessor-version":[{"id":51995,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51545\/revisions\/51995"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=51545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=51545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=51545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}