Anthropic launched Project Glasswing on May 8, providing a small group of vetted organizations with restricted access to Claude Mythos Preview — the same capability evaluation that drove the Trump administration to reverse course on AI oversight last week. In Anthropic's internal testing, Mythos identified thousands of zero-day vulnerabilities across major operating systems and web browsers. The company stated there are no plans for public release, citing dual-use cybersecurity risk.
The careful reading: "thousands of zero-days" is Anthropic's own characterization, not independently verified. The claim covers identification of potentially exploitable conditions, not necessarily working exploits — those are different bars, and most coverage is not distinguishing them. The Glasswing vetting framework is voluntary and operates under Anthropic's internal policy rather than any federal certification regime — which is the same gap that triggered last week's draft administration response. Two operational questions matter for security teams: which organizations get access (the "select" pool is undisclosed), and what visibility do affected vendors get into the vulnerabilities Mythos identifies. The second question determines whether this becomes a coordinated-disclosure pipeline or a separate stockpile of unfixed vulnerabilities.
If you run a security operations team, treat any model-discovered vulnerability disclosure cycle as a parallel pipeline to your existing vendor-disclosure tracking. The cadence and confidentiality terms are different, and your incident-response runbook should account for both.