What Mythos and Glasswing Should Signal to Every Security Leader


The recent announcement of the Claude Mythos Preview and Project Glasswing represents a step forward in AI-empowered security initiatives. The fact that the Mythos model is being withheld from public release is an implicit acknowledgment of both the capability of the technology and the consequences of the development. Freely available open-weight models are already doing damage at a lower capability threshold than Mythos, and the real risk lies in the gap between what Anthropic knows and what most security leaders have internalized.

How Fast AI Got Here—and Where It Is Going

The AI boom of the past few years has happened quickly, with new advances being pushed at every turn as AI developers and companies have developed and improved upon the capabilities of their AI tools and agents. The age of AI arrived in full force in relatively little time, creating a landscape where AI is ubiquitous in business, personal, and even cybercriminal use. The future of the AI explosion will continue to see the evolution of AI tools and agent functionality.

Claude Mythos Preview was able to find thousands of critical zero-day vulnerabilities across every major operating system and browser, many of which had been dormant for decades, largely without human guidance. This is indicative of AI’s acceleration of the vulnerability landscape, empowering both threat actors and defenders. The leap from Opus 4.6 to Mythos was measured in months, and this pattern of advancement shows no sign of decelerating in the near future. Credible timelines place open-weight models at Mythos-class exploit capability within months, not years.

The Structural Unpreparedness Most Organizations Won't Admit

Adding AI tools to the defense is often a requirement for adequately detecting and stopping AI-empowered attacks, but there is still a significant gap between attackers’ and organizations’ operational capabilities. Vulnerability discovery is accelerating, while the time-to-exploit window is simultaneously collapsing, from weeks to mere hours or even less.

This means that while enterprises can find vulnerabilities to remediate faster than ever before, they still face severe challenges in outperforming bad actors. “Glasswing will help defenders find and fix vulnerabilities faster than any human team. That matters,” says Bradley Smith, SVP, Deputy CISO at BeyondTrust, an Atlanta, Georgia-based privilege-centric identity security provider. “But those who are presenting it as giving the good guys a head start mischaracterize where we actually are.”

Most enterprise security operations were designed for human-paced threat volume, equipped to handle the type of malicious activity that human users can carry out alone, and therefore are not capable of absorbing dangers at an AI-driven scale. Patch cycles, disclosure policies, and incident response pipelines all predate this inflection point, creating their own problems. All of these areas require rethinking from the ground up in order to be effective against AI-powered threats.

Where Project Glasswing Falls Short

The Project Glasswing announcement signals both the readiness of industry leaders to invest in advanced AI security and the ways in which their capabilities may be insufficient to handle the task. With major industry players investing their efforts in the project, it carries significant weight as an initiative. The partner roster for Project Glasswing—including Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks—reflects enterprise and hyperscale strength.

However, the combination of these leaders and their efforts does not indicate serious capabilities in edge-environment depth, an important factor in modern security that cannot go unaddressed. In operational technology (OT) and Internet-of-Things (IoT) security, even leaders like Cisco and Palo Alto Networks lack the focused tooling for automated or autonomous patching. Generating an AI-powered playbook is a hollow victory without the operational capability to execute it at the edge.

What a Complete Defense Posture Actually Requires

In order to effectively handle the security issues that Project Glasswing is setting out to address, it is crucial to alter the approach. Success in fighting modern threats will require Glasswing to expand its coalition to include OT- and IoT-focused pioneers. “To truly harden the world's most vulnerable systems, Project Glasswing must move past the boardroom giants and collaborate with best-in-class innovators capable of taking action at the edge,” according to John Gallagher, Vice President of Viakoo Labs at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene.

Shortening the patch-to-deploy cycle and automating triage are not optional improvements that Glasswing can consider making in the future, but rather existential priorities without which it cannot succeed. Achieving true cyber resilience in the era of AI demands an architecture that is built to handle threats at AI speed, not human speed. The AI explosion is ongoing and unlikely to stop anytime soon—new evolutions and shifts in the AI landscape will continue to benefit attackers and defenders alike.

The Urgency Leadership Cannot Afford to Misread

The development of Claude Mythos Preview and Project Glasswing sends a clear message that industry and market leaders should internalize to inform future decisions. It is important to see Mythos and Glasswing not as reassurance that the industry is getting ahead of the problem, but as a signal that the industry is in a race it did not know had already started. Organizations that treat this moment as an inflection point, rather than just a headline, are the ones that will be left standing when open-weight models reach this threshold.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.