What Anthropic’s Project Glasswing Tells Us About the Future of AI-Assisted Security

Anthropic has entered a new phase of the AI arms race, this time on the defensive side of cybersecurity. The company this week announced Claude Mythos Preview, an advanced AI model that can identify and exploit security flaws in software at a level that rivals highly skilled human security researchers. Anthropic is not making this model broadly available to the public, instead offering it through a tightly controlled cybersecurity initiative called Project Glasswing, which is designed to help large organizations test and harden their own code before attackers can exploit it. For any publicly traded company, the long-term implication is clear: AI is no longer just a productivity tool; it is becoming a core part of the security stack, and boards and executives will need to treat access to these models as a strategic decision.

Anthropic describes Claude Mythos Preview as a “frontier” model, meaning it pushes the boundaries of what current AI systems can do in terms of coding, reasoning, and problem-solving. In internal tests, the model has located thousands of zero-day vulnerabilities and has even uncovered bugs in widely used open-source operating systems and web browsers that had gone unnoticed for years. The company has committed up to $100 million in usage credits for the model across Project Glasswing participants, effectively removing the immediate cost barrier for large-scale defensive security work. Alongside those credits, Anthropic has pledged up to $4 million in direct donations to open-source security groups, including the Open Source Security Foundation through the Linux Foundation and the Apache Software Foundation, in recognition that much of the world’s critical infrastructure runs on software maintained by volunteers with limited security budgets.

The program is built around a consortium of major technology and security firms. Microsoft (NASDAQ: MSFT) is one of the companies that will be testing Mythos Preview through its Azure security stack and other cloud-level hardening tools. Amazon (NASDAQ: AMZN) is incorporating the model into Amazon Web Services environments, where it can scan cloud workloads, infrastructure code, and platform-level services for subtle flaws. Apple (NASDAQ: AAPL) is expected to use the model to scrutinize its own operating systems and developer toolchains, while security-focused vendors like CrowdStrike (NASDAQ: CRWD) and Palo Alto Networks (NYSE: PANW) are applying it to endpoint telemetry, threat-intelligence pipelines, and internal research workflows. Around 40 other organizations, including financial services and cloud providers, are also in the early-testing group, with access managed through a restricted API and dedicated cloud platforms such as Amazon Bedrock and Microsoft Foundry.

For a CTO or CISO, the most practical takeaway is that AI-assisted security testing is shifting from niche experiments toward routine operations. Anthropic’s research shows that Claude Mythos Preview can, in some cases, uncover multiple vulnerabilities in a single codebase where earlier-generation models and human reviews might have found only a few, or none at all. This means that security teams cannot simply bolt on an AI model as a one-off scanner; they need to treat it as a repeatable pipeline component, integrated into continuous-integration and continuous-deployment workflows, with clear rules for triage, patching, and follow-up investigation. Teams that wait for “perfect” AI tools may find themselves outpaced by attackers who adopt similar capabilities more aggressively, so the current priority is to build robust feedback loops around AI-generated findings rather than to avoid the technology on principle.

Another important consequence is that AI-driven security testing will likely increase the volume of reported vulnerabilities, at least in the short term. One study cited by security analysts notes that fewer than 1% of the vulnerabilities found by Mythos were patched within the initial testing window, suggesting that many organizations already struggle to keep up with existing security backlogs. For finance and IT leaders, this reinforces the need to treat security-budget decisions as directly tied to AI-tooling investments; if AI can surface hundreds or thousands of new issues, teams must also have the headcount, automation, and remediation infrastructure to prioritize and close them. Over time, the expectation is that the same kind of AI-assisted scanning that Anthropic is rolling out through Project Glasswing will become standard, not just for large enterprises, but for any company that depends on software it cannot afford to see fail.

What is happening with Anthropic and its partners is less about a single product launch and more about a broader shift in how software risk is managed. The model itself is not a magic fix, but it is a signal that the industry is starting to treat AI-assisted security testing as a necessary adaptation, not an optional experiment. For business readers, the practical implication is that AI-driven security tools will likely become one of the more visible line items in corporate governance, cybersecurity budgets, and risk-disclosure language over the next few years. For CTOs and CISOs, the real question is no longer whether to use AI in security testing, but how to structure their teams, processes, and vendor relationships so that the increase in detection power actually translates into a more durable, patched, and continuously monitored software environment.
