AERIOXFLUX

Anthropic Built an AI That Finds Zero-Days — Then Locked It Up

Claude Mythos found 23,019 flaws across 1,000+ open-source projects, including a 27-year-old bug in OpenBSD. Anthropic won't sell it — and that decision is the whole story.

Flux Desk · 2026-06-10 · 5 min read

The most consequential AI model of 2026 is one you cannot use. Anthropic built it, proved it works, ran it against the world's critical software, and then announced it would not be made generally available. The name is Claude Mythos, the program around it is Project Glasswing, and the reason it's locked up is the same reason it matters: a general-purpose model that finds and exploits zero-day vulnerabilities on its own, at scale, is the rare capability that is dangerous precisely because it works as advertised.

The numbers Anthropic disclosed are what make the dual-use problem concrete rather than theoretical. Running Mythos against more than 1,000 open-source projects, the company identified 23,019 issues — of which 6,202 were high- or critical-severity vulnerabilities. These aren't lint warnings. They're the class of flaw that, in the wrong hands, becomes a breach.

The OpenBSD tell

If you want one result that should make security professionals stop scrolling, it's this: Anthropic's own red team pointed Mythos at OpenBSD — an operating system that is genuinely, almost religiously, famous for its hardened security posture, the OS people invoke as the example of code written by people who care about exactly this — and Mythos found a 27-year-old vulnerability in it. It did so in fewer than a thousand autonomous runs, at a total cost under $20,000.

Sit with the economics for a second, because the economics are the threat model. Twenty thousand dollars and a few hundred autonomous attempts to surface a critical flaw that survived 27 years of expert human scrutiny in one of the most-audited codebases on earth. Anthropic says Mythos found critical vulnerabilities in every major operating system and every major web browser. The model does not need to be smarter than the best human security researcher on any single problem. It needs to be tireless, parallel, and cheap — and it is all three. That combination collapses the cost of finding exploitable bugs from "elite-team project" to "rounding error," and it collapses it for defenders and attackers symmetrically.

Why Glasswing exists

That symmetry is the entire design constraint, and Project Glasswing is Anthropic's attempt to answer it before someone else builds the same thing without the guardrails. Rather than ship Mythos as a product or bury it as a research curiosity, Anthropic stood up a restricted consortium — AWS, Apple, Google, JPMorgan Chase, Microsoft, and Nvidia, alongside more than 40 organizations that build or maintain critical software — and gave them gated, defensive access. The logic is a race premise stated plainly: if a model this capable is now buildable, the safest world is one where the defenders find and patch the vulnerabilities first, before an adversary fields a comparable system independently.

It's a coherent argument. It's also an admission. You only build a defensive consortium and withhold the model from everyone else if you believe the offensive version is not a hypothetical but a timeline — that the question isn't whether someone fields an autonomous zero-day machine, only who, and when, and whether the good guys have already swept the obvious doors.

The 99% problem

Here's the part the consortium can't fix by itself, and it's the most uncomfortable finding in the whole disclosure: more than 99% of the vulnerabilities Mythos has already found remain unpatched by their maintainers. Finding bugs turns out to be the easy half. A model that generates 6,202 critical findings faster than any human team could triage them doesn't automatically make software safer — it generates a backlog that the human and organizational machinery of patching, much of it volunteer-run open-source maintenance, has no capacity to absorb.

This is the inversion almost nobody priced in. For decades the bottleneck in security was discovery — finding the flaw was the hard, scarce, expensive part. Mythos moves the bottleneck to remediation. When discovery becomes nearly free and infinite, the scarce resource becomes the maintainer's attention, the vendor's patch cycle, the coordinated-disclosure pipeline. A thousand unpatched critical bugs sitting in a database is not obviously safer than a hundred undiscovered ones — it's a map, and maps can be read by anyone who gets a copy.

What it means

Anthropic's decision not to ship Mythos is the most interesting thing a frontier lab has done with a capability all year, because it's a lab voluntarily leaving money and prestige on the table on the grounds that the downside is too sharp to sell. Whether that restraint holds across the industry is the open question — restraint is only stable if everyone capable of building the thing agrees to it, and the field is not short on labs racing for exactly this kind of result.

Mythos proves the autonomous-vulnerability era has arrived as a technical fact. Glasswing is one lab's bet on how to survive it. The unpatched 99% is the reminder that the hard problem was never building the machine — it's the human systems on the other end, which were sized for a world where finding the bug was the expensive part. That world just ended.
