Anthropic has announced Project Glasswing, a controlled cybersecurity initiative built around a new model called Claude Mythos Preview. The company says the model is unusually strong at finding and exploiting vulnerabilities, so access is limited to a closed group of partners focused on defense-first work. According to Anthropic, Mythos has already surfaced thousands of high-severity vulnerabilities across major operating systems and web browsers, which is why they are not releasing it broadly yet. (Source: https://www.anthropic.com/glasswing)
This matters even if you never use Anthropic’s models directly.
What Anthropic is saying the model can do
In their public write-up, Anthropic describes Mythos Preview as a step-change in vulnerability discovery. They highlight examples like:
- A 27-year-old vulnerability in OpenBSD that could remotely crash systems.
- A 16-year-old FFmpeg issue that survived millions of automated tests.
- A chained Linux kernel vulnerability path that escalated from user-level access to full control.
The key idea is not that these are new classes of bugs. It is that the cost of finding them is dropping, and the pace of discovery is speeding up.
Why this changes the baseline
For most teams, the risk is not “someone uses AI to hack us.” The more realistic risk is accelerated discovery of issues that used to sit undetected for months. That compresses the time-to-fix window and makes weak operational hygiene visible much faster.
If frontier models can find vulnerabilities at scale, then the definition of “good enough” security moves upward. The baseline becomes:
- continuous detection instead of periodic audits
- prioritization that focuses on the issues that create real risk
- faster verification loops after each fix
What this means for SaaS teams
You do not need a new AI team to respond. You need a tighter loop around the parts of your surface that drift most:
- security headers and policy gaps
- cookie and tracking control mismatches
- hidden SEO/indexing issues that expose abandoned endpoints
- uptime and SSL integrity
The takeaway is boring, but true: the teams that win are the ones who operationalize repeatable checks.
How Scavo fits (briefly)
Scavo is not a general penetration-testing tool. It is a reliable, automated baseline that catches the issues that drift most often and makes the fixes easy to assign and verify.
That baseline is what keeps you safe when discovery gets faster.
What to do next in Scavo
- Run a fresh scan on your main domain.
- Open the matching help guide in /help, assign an owner, and ship the smallest safe fix.
- Re-scan after deployment and confirm the trend is moving in the right direction.
Final takeaway
Anthropic is treating Mythos Preview as a cybersecurity risk as much as a technical breakthrough. Whether or not you use Claude, the implication is the same: the floor has moved. If your security posture depends on infrequent manual reviews, it will not keep up.
If you want an automated baseline that catches drift before it becomes a real incident, Scavo does that continuously.