The AI Arms Race Just Went Public: What Project Glasswing Means for You

Author: Doug Bigalke
Anthropic's announcement this week isn't just a product launch. It's a public acknowledgment that the rules of cybersecurity have fundamentally changed — and the window to respond is narrow.

On April 7th, Anthropic announced Project Glasswing, an initiative to give select organizations early access to their most capable model yet, Claude Mythos Preview, specifically for defensive security work. The partners list reads like a who’s who of critical infrastructure: AWS, Apple, Google, Microsoft, Cisco, CrowdStrike, NVIDIA, and others. The reason Anthropic is doing this is worth reading carefully.

In the past few weeks alone, Mythos Preview found thousands of previously unknown, high-severity vulnerabilities across every major operating system and every major browser. Some had gone undetected for decades. A 27-year-old bug in OpenBSD was found by sending a few packets to any server running it. Anthropic has privately briefed government officials that Mythos-class capabilities make large-scale cyberattacks significantly more likely this year.

They’re not releasing the model publicly. Instead, they’re giving defenders a head start. That’s the plan. And while we think it’s the right move, we also think it’s important to be honest about what it implies.

The capability threshold has been crossed

For years, AI in cybersecurity has been a story about automation: tools that ran faster, correlated logs more efficiently, or flagged anomalies with less noise. Useful, but incremental. Project Glasswing is Anthropic acknowledging something different: their model doesn’t just automate existing work. It performs vulnerability research at a level that surpasses all but the most skilled human experts. More importantly, it chains vulnerabilities together, finding two or three weaknesses that are individually low-value and combining them into a sophisticated exploit path that no single finding would have suggested.

That is not automation. That is a qualitative change in what the technology can do.

The window between a vulnerability being discovered and being exploited has collapsed. What once took months now happens in minutes. That’s not a future problem — it’s already the reality defenders are operating in.

What this means for attackers

Mythos Preview is currently restricted to vetted partners. But Anthropic was explicit: capabilities like this will proliferate. The question isn’t whether threat actors will eventually have access to AI with these capabilities; it’s when, and whether defenders will have used their head start wisely. Commodity attack tools have always followed behind elite capabilities. This cycle is simply moving faster than it ever has before.

The implication is that attackers who previously needed deep expertise to chain exploits or discover novel vulnerabilities in complex codebases will increasingly be able to operate at a level that was previously out of reach. The barrier between an unsophisticated actor and a sophisticated one is narrowing.

What this means for defenders

The same capability that makes this alarming on the offensive side is genuinely powerful for defense. Mythos-class AI running continuously against your codebase, your infrastructure, and your configurations is a different order of magnitude than a point-in-time assessment conducted once a year. For organizations maintaining critical software, the message from Glasswing is clear: start now, because the free lunch of “we haven’t been breached yet” has a shorter shelf life than it did last week.

For security teams, this also changes the conversation around vulnerability management. The assumption that legacy systems are obscure enough to be safe, or that low-severity findings can be deprioritized indefinitely, deserves a hard second look.

What this means for penetration testing

We want to be direct about this, because we think the industry deserves an honest conversation rather than a defensive one.

AI will compress the commodity layer of penetration testing. Automated vulnerability discovery, reachability analysis, and basic exploit chaining: these are tasks that AI will increasingly perform faster and more comprehensively than humans running tools. Organizations and consultancies that have built their value primarily around tooling execution will feel that pressure acutely over the next three to five years.

But here’s what that framing misses: the most important question in a penetration test was never “what vulnerabilities exist?” It was always “what could actually hurt this organization, given how it operates, what it protects, and what its people do under pressure?”

Those are not the same question. And only one of them requires understanding the business.

The judgment that AI can’t replace

For fifteen years, Secure Ideas has operated from a belief that good penetration testing is fundamentally a business exercise, not just a technical one. When our consultants find something exploitable, the first question isn’t “how do we document this?” It’s “does this actually matter to this client?” A vulnerability that looks severe in isolation may be irrelevant given how a system is actually used, and a finding that looks minor on paper may represent a catastrophic risk given what sits behind it.

That judgment — knowing what would actually hurt a specific organization — can’t be extracted from a codebase. It comes from understanding the client’s industry, their regulatory environment, their incident response maturity, and what a real adversary would actually target. It comes from conversations that happen before a single tool is run. It shapes what gets tested, how findings get prioritized, and what remediation guidance is worth acting on versus what gets filed and forgotten.

An AI can find the vulnerability. It takes a human consultant who understands your business to tell you whether it’s the one that keeps you up at night. 

Project Glasswing actually reinforces this point. Anthropic didn’t hand Mythos Preview to the open market; they specifically partnered with organizations that could apply its output with judgment and context. The model’s power is in what it surfaces. The value is in what humans decide to do with that.

We think the penetration testing firms that thrive in this environment will be the ones that lean harder into that role: fewer reports that describe what a scanner found, more engagements that honestly answer whether an organization could detect, respond to, and survive a real attack. That’s always been the standard we’ve held ourselves to. It’s about to become the only standard that matters.

The question your organization should be asking

Not “can AI replace our security assessments?” That’s the wrong frame. The right question is: given that Mythos-class capabilities will eventually reach adversaries, is our current posture built for that reality? Are we still operating under assumptions about attacker sophistication that no longer hold? Are we treating compliance as a proxy for security? Are we getting assessments that challenge us, or ones that confirm what we already believed?

Project Glasswing is a signal. The organizations that use the next two to three years to close gaps that have existed for decades will be in a meaningfully different position than those who treated this as another news cycle.

We’d rather help our clients end up on the right side of that line.

A final note: this piece reflects our understanding of the situation as of April 2026. The AI landscape is moving faster than any single publication cycle can capture, and what we’ve described here will continue to evolve, potentially significantly, in the weeks and months ahead. We don’t think that uncertainty is a reason to wait. If anything, it’s the opposite. The organizations building adaptive, judgment-driven security practices now will be far better positioned to respond as this situation develops than those waiting for the picture to stabilize. It won’t. We’ll continue to share our thinking as it does.

If you’re wondering what Glasswing-era threats mean for your specific environment, we’re ready to have that conversation. Our consultants work with organizations across industries to assess what would actually hurt you — not just what a scanner finds.

Talk to our team → secureideas.com/contact