
AI found bugs hiding for 27 years. Now what?
Anthropic launched Project Glasswing, using an unreleased AI model to find thousands of critical software vulnerabilities. Here is what UK businesses should do now.


What Project Glasswing is
Anthropic built an unreleased model called Claude Mythos Preview. It is a general-purpose AI with unusually strong code analysis skills. The company then invited AWS, Apple, Google, Microsoft, CrowdStrike, Cisco, Palo Alto Networks, Broadcom, JPMorganChase, NVIDIA, and the Linux Foundation to use it defensively.
Anthropic is committing up to $100 million in usage credits for the project. It has also donated $4 million to open-source security organisations, including the Linux Foundation and the Apache Software Foundation. Over 40 additional organisations that build or maintain critical software infrastructure have received access.
The model will not be made generally available. Anthropic plans to develop safeguards first, then release those safeguards with a future Claude Opus model.

What the model actually found
Mythos Preview identified thousands of zero-day vulnerabilities. These are flaws that the software's own developers did not know existed. It found them across every major operating system and every major web browser.
Three examples stand out.
It found a 27-year-old vulnerability in OpenBSD. OpenBSD is widely regarded as one of the most security-hardened operating systems in the world. The flaw allowed an attacker to remotely crash any machine running it, simply by connecting to it. Twenty-seven years of human review missed it.
It found a 16-year-old vulnerability in FFmpeg, the video encoding library used by countless applications. Automated testing tools had executed the relevant line of code five million times without catching the problem.
It also found and chained together several vulnerabilities in the Linux kernel. Linux runs most of the world's servers. The exploit chain allowed an attacker to escalate from ordinary user access to full control of the machine.
All three have now been patched. For many other discovered vulnerabilities, Anthropic has published cryptographic hashes of the details and will disclose specifics after fixes are in place.

Why UK SMEs should care
Your business runs on this software. Your email server, your accounting platform, your CRM, your website hosting; all of it sits on operating systems, browsers, and libraries that contained exactly these kinds of flaws.
The technical story here is real. AI models can now find vulnerabilities faster and cheaper than human experts. That capability will spread. Anthropic itself acknowledges it will not be long before similar models reach actors who are less careful about how they deploy them.
Global cybercrime costs an estimated $500 billion a year. SMEs are disproportionately affected because they tend to patch slowly and invest less in security infrastructure.
But the technology is only 20% of the problem. The other 80% is people and process. Most SMEs do not have a named person responsible for applying security updates. They do not have a documented patching schedule. When a critical update lands, there is no playbook for who acts, how fast, or what gets tested first.
That gap is where the real risk sits. A vulnerability discovered today can be weaponised within hours. If your update process takes weeks, or relies on someone remembering, you are exposed.

What you can do now
You do not need Mythos Preview to act on this. Four things will make a measurable difference this week.
Security is not a one-off purchase. It is a recurring cost and an ongoing habit. Budget for it the same way you budget for insurance.

What this means for AI adoption
If your business is exploring AI, this announcement is a reminder that security needs to be part of the conversation from day one. AI tools process your data, connect to your systems, and interact with your customers. Every integration point is a potential vulnerability if the underlying software is not kept current.
At gecco, we build AI adoption plans that treat security, governance, and people as first-order concerns. The technology is the smaller part. The culture, processes, and habits around it are what determine whether AI adoption succeeds or creates new risk.
If you want a clear read on where your business stands, take the AI readiness assessment.


