Anthropic’s Claude Mythos Preview Finds 27-Year-Old OpenBSD Bug, Launches $100M Cybersecurity Coalition

Anthropic announced something on April 10, 2026 that caught everyone’s attention. Project Glasswing, built around an unreleased model called Claude Mythos Preview, found a security flaw in OpenBSD that had been hiding for 27 years. That bug, older than some engineers reviewing the code, survived millions of automated scans. Then Mythos Preview just… found it. The announcement changes how the industry thinks about AI security.

The Model’s Capabilities

Here’s what the model actually did. It identified that 27-year-old OpenBSD vulnerability. It also caught a 16-year-old bug in FFmpeg that automated tools had examined five million times without detecting it. The model then chained multiple Linux kernel vulnerabilities together, escalating from ordinary user access to full machine control. All without human steering.

The numbers tell the story. Mythos Preview scored 83.1% on CyberGym vulnerability reproduction tests. The previous model, Claude Opus 4.6, managed 66.6%. On SWE-bench Verified, the new model hit 93.9% accuracy versus Opus’s 80.8%. These aren’t incremental improvements. They’re leaps.

The Industry Coalition

The partner list includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Twelve organizations. Getting Apple, Google, and Microsoft in the same room on anything is unusual. Getting them to share vulnerability data through a competitor’s AI model? That’s unprecedented.

Anthropic committed serious money here: $100 million in usage credits plus $4 million in direct donations to open-source security organizations. The company plans to release a public report within 90 days, detailing vulnerabilities discovered, systems secured, and recommendations for security practices. CrowdStrike CTO Elia Zaitsev put it bluntly: the gap between vulnerability discovery and exploitation has collapsed from months to minutes.

Strategic Context

The timing is worth noting. Just days before this announcement, Anthropic cut off Claude subscription access for third-party tools like OpenClaw. The open-source community wasn’t thrilled. Then there was March. Turbulent doesn’t quite cover it. The company accidentally exposed thousands of internal files and over 512,000 lines of Claude Code source code. Now they’re launching a $100 million cybersecurity initiative while cleaning up their own security mess. It’s either visionary or ironic. Probably both.

Anthropic won’t make Mythos Preview generally available. Instead, they’re developing safeguards for an upcoming Claude Opus release. The bet is clear: give defenders a head start before attackers get access to similar capabilities.

The Core Question

If AI models can find critical flaws faster than the entire security industry combined, the question isn’t whether to use AI for defense. It’s whether defenders can organize fast enough to keep up with attackers who will have the same tools soon enough.

Project Glasswing illustrates the dual-use problem. The same model that discovers vulnerabilities for defense can exploit them offensively. Restricting access to vetted partners instead of releasing publicly is Anthropic’s attempt to manage that risk while still enabling defensive work.

The 90-day report will be the first real test. Metrics to watch: number of vulnerabilities discovered, speed of fixes, practical applicability of recommendations. Success would validate Anthropic’s collaborative approach. Failure? That would look like an expensive press release.

What’s Next

AI capabilities keep advancing, and the window for defensive action keeps narrowing. That 27-year OpenBSD bug survived decades of human review and automated scanning. If AI models can now find such vulnerabilities in hours instead of decades, the security industry has to restructure everything. Timelines, practices, expectations.

Project Glasswing might be the first serious attempt to build the infrastructure and coordination mechanisms this new reality demands. Whether it works is an open question. What’s clear is that the old way of doing security won’t work anymore.
