
Project Glasswing and the Future of Collaborative AI Defense

No single organization can defend against AI-powered attacks alone. Project Glasswing's $100M consortium model may be the template for the next decade of

By Deepak Gupta on guptadeepak.com

When Anthropic announced that Claude Mythos Preview had found thousands of zero-day vulnerabilities across every major operating system and browser, they faced a decision that every organization building powerful AI capabilities will eventually confront.

Release the model and let everyone benefit from its defensive capabilities, while also enabling attackers. Or restrict access and create a managed pathway for defensive use.

They chose the second option and called it Project Glasswing.

It is a consortium of technology companies formed to use Mythos for defensive security before equivalent capabilities become widely available. The founding partners include AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and Palo Alto Networks, with approximately 40 additional organizations that build or maintain critical software infrastructure.

Anthropic is backing the initiative with up to $100 million in usage credits and $4 million in direct donations to open source security organizations.

As someone who built identity infrastructure serving over a billion users across multiple enterprise environments, I have a specific perspective on what Glasswing gets right, what it gets wrong, and what it tells us about the future of cybersecurity.

Why Collaborative Defense Is No Longer Optional

The AI threat landscape has a structural property that makes isolated defense insufficient.

Software vulnerabilities are not unique to individual organizations. A zero-day in Linux affects every Linux deployment worldwide. A flaw in OpenSSL affects every application that links against it. A bug in Chrome's V8 engine affects every Chromium-based browser.

This creates an asymmetry that favors attackers:

  • An attacker needs to find a vulnerability once. Every deployment of that software is then vulnerable.
  • A defender working in isolation needs to independently discover the same vulnerability, develop the same mitigations, and deploy the same patches.

When vulnerability discovery required months of specialized human effort, this asymmetry was manageable. Organizations could rely on the security community's collective research, vendor patch cycles, and industry threat intelligence to stay informed.

AI changed the economics. When vulnerability discovery takes hours instead of months, the window between "vulnerability exists" and "exploit is in the wild" shrinks to near zero. The defender who discovers a bug Tuesday might find that an attacker independently discovered the same bug on Monday.

Collaborative defense addresses this by pooling discovery capability: find the bugs once, fix them for everyone.

What Glasswing Gets Right

1. Responsible Capability Deployment

The most significant decision Anthropic made was not to release Mythos publicly.

This runs counter to the prevailing ethos in both the AI and security communities, where open access is generally considered a positive force. And for most capabilities, it is. But Mythos sits at a unique intersection: its defensive value depends on finding bugs before attackers do, and its offensive value is proportional to how many bugs remain unfound.

By restricting access to organizations committed to defensive use, Anthropic creates a window for the ecosystem to absorb the findings. Vulnerabilities get patched. Defensive tools get updated. Security teams get time to prepare.

This window is finite. Independent research has already shown that smaller, open models can replicate much of Mythos's analysis. The capability will proliferate regardless of what Anthropic does with their specific model. But the window matters. Every vulnerability patched before equivalent offensive capabilities become widespread is a permanent defensive gain.

2. Serious Economic Commitment

$100 million in usage credits is not a symbolic gesture. At current AI compute costs, this represents millions of hours of vulnerability scanning across critical software infrastructure.

The $4 million in direct donations to open source security organizations addresses a real gap. Many critical open source projects are maintained by small teams or individual developers who lack the resources for comprehensive security review. Direct funding helps these projects absorb the impact of AI-discovered vulnerabilities: processing disclosures, developing patches, and coordinating releases.

For context on what AI compute costs look like at these scales, my AI tokens and pricing guide breaks down the economics.

3. Open Source Focus

The decision to include organizations that maintain critical open source infrastructure is strategically important.

Modern software depends on open source components at every layer. A typical enterprise application includes hundreds of third-party libraries, many of which have their own deep dependency trees. A critical vulnerability in any of these components affects every application that uses them.

By scanning open source infrastructure with Mythos, Glasswing addresses the dependency risk that individual organizations cannot solve alone. No single company can audit every library in its dependency tree. But a consortium with AI-powered scanning can cover the most critical shared infrastructure.

The Linux Foundation, whose software runs most of the world's servers, is among the organizations with access. When Mythos finds bugs in Linux kernel networking code, the fixes benefit every cloud provider, every container platform, and every enterprise running Linux. That is the kind of multiplier effect that justifies consortium-level investment.

4. Competitive Collaboration

Having Apple, Google, and Microsoft in the same defensive consortium is notable. These companies compete intensely across consumer devices, cloud services, AI models, and enterprise software. But security threats affect all of them equally, and vulnerabilities in shared infrastructure (browser engines, cryptographic libraries, operating system kernels) create shared risk.

The precedent is important. If competitors can collaborate on defensive security through a structured consortium, the model can be replicated for other categories of shared risk: supply chain security, AI safety, infrastructure resilience.

What Glasswing Misses

From my perspective building identity systems at billion-user scale, there are significant gaps in the current approach.

Gap 1: No Machine Identity Standards

Glasswing focuses on finding vulnerabilities in code. This is necessary but not sufficient.

The fastest-growing attack surface in enterprise environments is not code vulnerabilities. It is machine identity weaknesses: static API keys, ungoverned service accounts, AI agent credentials with excessive permissions, and orphaned identities from decommissioned projects.

Machine identities outnumber human identities by 45:1 or more in typical enterprises. They are largely ungoverned. And they represent a fundamentally different kind of weakness than code bugs.

Glasswing has no workstream for developing machine identity governance standards, no framework for AI agent authentication, and no initiative to address the architectural mismatch between human-designed IAM systems and AI agent requirements.

When I built CIAM infrastructure, I learned that identity is the layer that connects everything. If the identity layer is broken, patching every other layer does not make you secure. The same principle applies at the machine identity level.

For a technical deep dive into why traditional identity architectures fail for AI agents and what the alternative looks like, see my analysis of MCP, RAG, and ACP protocols and the identity implications of these AI agent communication frameworks.

Gap 2: The Two-Tier Security Reality

40+ organizations benefit from Mythos scanning. Millions of other organizations do not.

The patches will flow downstream eventually. When Mythos finds a bug in Linux, the Linux security team patches it, and every Linux distribution ships the fix. But there is a gap between when consortium members know about the vulnerability and when the patch reaches general availability.

During that gap:

  • Consortium members can deploy mitigations immediately
  • Non-consortium organizations remain exposed
  • Attackers may independently discover the same vulnerability
  • The window of asymmetric risk favors the consortium and disadvantages everyone else

This is not a criticism of Glasswing specifically. It is a structural consequence of any restricted-access approach. But it creates a world where security capability correlates with organizational size and resources even more than it already does.

Small and medium enterprises, which lack the resources for comprehensive security programs, are most at risk from AI-powered attacks and least likely to benefit from consortium-level defensive capabilities.

Gap 3: No AI Agent Governance Framework

As AI agents become more autonomous and more integrated into critical systems, the security community needs standards for how agents operate securely:

  • How should AI agents authenticate to services they access?
  • What authorization models are appropriate for autonomous agents?
  • How should agent behavior be monitored and audited?
  • What governance frameworks apply to agents that make decisions affecting security?
  • How should agent-to-agent communication be authenticated and authorized?

Glasswing addresses none of these questions. The consortium is focused on finding bugs in existing software, not on establishing governance for the AI agents that increasingly operate on and with that software.

This is a significant gap because the intersection of code vulnerabilities and ungoverned AI agents is where the most dangerous attack scenarios emerge. An AI-powered attacker exploiting a code vulnerability through an ungoverned agent credential is the compound threat that enterprises should be most worried about.

Gap 4: Sustainability Questions

$100 million in usage credits is substantial but finite. At the scanning volume needed to cover critical infrastructure comprehensively, these credits will be consumed within 12-18 months.

What happens then?

  • Does Anthropic commit additional credits?
  • Do consortium members fund their own scanning?
  • Does the model become available to a broader set of organizations?
  • Is there a sustainable funding model for ongoing AI-powered defensive scanning?

The current announcement does not address long-term sustainability. For Glasswing to fulfill its potential, it needs a funding model that extends beyond the initial credit allocation.

Lessons from Historical Precedents

Glasswing is not the first attempt at collaborative cybersecurity defense. Understanding what worked and what did not in previous efforts provides useful context.

OSS-Fuzz (2016-present)

Google's OSS-Fuzz program provides free, continuous fuzzing for critical open source projects. As of 2026, it covers over 1,000 projects and has found over 10,000 vulnerabilities.

What worked: Sustained investment, broad coverage, automated infrastructure, low barrier to entry for projects.

What did not: Fuzzing only finds certain vulnerability classes (crashes and hangs). It misses logic bugs, authentication flaws, and the compositional vulnerabilities that AI now finds. The vulnerability categories OSS-Fuzz catches and the categories Mythos catches have limited overlap.

Lesson for Glasswing: Sustained investment over years is essential. The impact compounds over time as coverage expands and institutional knowledge accumulates.

DARPA Cyber Grand Challenge (2016)

The first competition for fully autonomous systems to find, patch, and exploit vulnerabilities in real time.

What worked: Demonstrated that automated vulnerability discovery was feasible. Catalyzed research in program analysis, symbolic execution, and automated patching.

What did not: The competition format did not produce tools that deployed broadly in production. The technology remained in specialized research environments.

Lesson for Glasswing: Demonstrating capability is not enough. The findings need to flow into production patch cycles and become part of standard development workflows.

Coordinated Vulnerability Disclosure (1990s-present)

The practice of reporting vulnerabilities to vendors before public disclosure, giving them time to develop patches.

What worked: Created a norm of responsible disclosure that benefits the entire ecosystem. Established vendor security response teams. Created processes for coordinated patch releases.

What did not: Disclosure timelines remain contentious. Some vendors take months to patch. The 90-day disclosure deadline (Google Project Zero's norm) is a compromise, not a solution.

Lesson for Glasswing: Disclosure coordination will be the primary bottleneck. When AI finds thousands of vulnerabilities simultaneously, vendor security teams will be overwhelmed. The consortium needs processes for prioritizing disclosures and managing vendor capacity.

What Comes Next: The Evolving Model

Based on historical patterns and the current AI capability trajectory, here is what I expect the collaborative defense model to look like over the next 2-3 years:

Phase 1 (2026): Consortium-led scanning. The current Glasswing model. Restricted access to frontier AI scanning capabilities, with patches flowing downstream to the broader ecosystem. The primary bottleneck is vendor capacity to process disclosures.

Phase 2 (2027): Democratized scanning, consortium-led coordination. As AI vulnerability discovery capabilities become widely available through open models, the consortium's value shifts from providing the scanning capability to coordinating the response: managing the CVE flood, prioritizing disclosures, and helping vendors process the volume.

Phase 3 (2028+): Integrated AI defense in development workflows. AI-powered vulnerability scanning becomes a standard part of every CI/CD pipeline, similar to how linting and unit testing are standard today. The consortium's role evolves to maintaining shared standards, benchmarks, and governance frameworks.

The organizations that invest in AI-powered defense now, rather than waiting for standardized tools, will have 18-24 months of compound advantage over those who wait for Phase 3 to arrive.

What Individual Organizations Should Do

You do not need to be in the Glasswing consortium to benefit from the shift to collaborative defense.

1. Accelerate your patch pipeline. When Glasswing disclosures start flowing, you need to absorb them quickly. If your critical patch SLA is over 72 hours, fix the bottlenecks now.

2. Monitor Glasswing-related CVE disclosures. Track security advisories from consortium members and the open source projects in scope. These will increase in volume and severity over the next 6-12 months.

3. Implement your own AI-powered scanning. You do not need access to Mythos. Smaller, open-weight models with vulnerability discovery capabilities are already available. Deploy them against your own codebase and first-party applications. Understanding how browser security architectures create specific vulnerability patterns helps you prioritize what to scan first.

4. Contribute to open source security. If you depend on open source components (and you do), contribute to their security. Report vulnerabilities you find. Fund security audits. Support maintainer capacity.

5. Address machine identity governance independently. Glasswing will not solve this for you. Inventory your machine identities, implement credential rotation, and deploy behavioral monitoring. This is the gap that the consortium is not addressing and that AI-powered attackers will exploit.

6. Build collaborative relationships proactively. Join industry ISACs (Information Sharing and Analysis Centers). Participate in vendor security partnership programs. Share threat intelligence with peers. The organizations with the strongest collaborative networks will respond fastest when new threats emerge.
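The inventory step in item 5, as an added example that is not from the original article: a Python audit that flags the four machine identity weaknesses named under Gap 1 (static credentials, ungoverned accounts, excessive permissions, orphaned identities). The record fields, the 90-day rotation threshold, the wildcard-scope rule and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy threshold; the article does not prescribe a rotation interval.
MAX_CREDENTIAL_AGE = timedelta(days=90)


@dataclass(frozen=True)
class MachineIdentity:
    name: str
    kind: str               # "api_key", "service_account" or "ai_agent"
    owner: Optional[str]    # accountable team, None if nobody claims it
    project_active: bool    # False once the owning project is decommissioned
    last_rotated: datetime
    scopes: tuple


def audit(identity, now):
    """Return the weakness classes from Gap 1 that apply to one identity."""
    findings = []
    if now - identity.last_rotated > MAX_CREDENTIAL_AGE:
        findings.append("static-credential")
    if identity.owner is None:
        findings.append("ungoverned")
    # Assumed convention: "*" or "<service>:*" grants everything in that scope.
    if any(s == "*" or s.endswith(":*") for s in identity.scopes):
        findings.append("excessive-permissions")
    if not identity.project_active:
        findings.append("orphaned")
    return findings


def audit_inventory(inventory, now):
    """Return (name, findings) for flagged identities, most findings first."""
    flagged = [(i.name, audit(i, now)) for i in inventory]
    flagged = [(name, f) for name, f in flagged if f]
    return sorted(flagged, key=lambda item: -len(item[1]))


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory, not real data.
NOW = utc(2026, 6, 1)
INVENTORY = [
    MachineIdentity("ci-deploy-key", "api_key", "platform-team", True,
                    utc(2025, 1, 15), ("repo:write",)),
    MachineIdentity("billing-svc", "service_account", None, True,
                    utc(2026, 5, 10), ("billing:read",)),
    MachineIdentity("support-agent", "ai_agent", "support-eng", True,
                    utc(2026, 5, 20), ("crm:*", "mail:send")),
    MachineIdentity("poc-2024-etl", "service_account", None, False,
                    utc(2024, 3, 1), ("*",)),
    MachineIdentity("payments-api", "service_account", "payments", True,
                    utc(2026, 4, 15), ("ledger:read",)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, NOW):
        print(f"{name}: {', '.join(findings)}")
```

Identities that trip several checks at once, such as the decommissioned proof-of-concept account here, sort to the top and are the first candidates for revocation.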

For building authentication systems that resist the kind of sophisticated attacks AI-powered adversaries construct, my FIDO2 implementation guide provides the technical foundation. And for hands-on security testing, hashing tools offer utilities your team can use immediately.

The Bigger Picture

Project Glasswing is an important first step, but it is a first step in what needs to be a much larger transformation of how the cybersecurity industry operates.

The AI threat landscape requires:

  • Collective defense that scales beyond any single consortium
  • Machine identity governance that matches the speed and scale of AI agent deployment
  • Standardized frameworks for AI-powered security operations
  • Sustainable funding for continuous AI-powered scanning of critical infrastructure
  • Inclusive access that does not leave smaller organizations exposed

No single organization, no single consortium, and no single model can provide all of this. But Glasswing demonstrates that the technology works, the collaboration model is viable, and the investment is justified.

The organizations that act now, deploying AI-powered defense, implementing machine identity governance, and building collaborative relationships, will define the security landscape for the next decade. The organizations that wait for the perfect framework to arrive will find themselves defending against threats they are not equipped to handle.

The shift has happened. The question is what you do next.

For tracking how AI capabilities continue evolving across the industry, my analysis of AI's future trajectory provides ongoing coverage of where these technologies are heading.


Frequently Asked Questions

What is Project Glasswing?

Project Glasswing is Anthropic's consortium initiative providing select technology companies access to Claude Mythos Preview for defensive security. Backed by $100M in credits and $4M in open source donations, it includes AWS, Apple, Google, Microsoft, CrowdStrike, and 40+ additional organizations.

Why isn't Anthropic releasing Mythos publicly?

Because the same capabilities that help defenders find vulnerabilities help attackers exploit them. Restricted access buys time for the ecosystem to patch critical bugs before equivalent offensive capabilities become widely available.

Who are the Project Glasswing founding partners?

AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and Palo Alto Networks, plus approximately 40 additional organizations that build or maintain critical software infrastructure.

Does Project Glasswing help small and medium enterprises?

Indirectly. Patches for vulnerabilities found by consortium members flow downstream through standard vendor update channels. But small organizations do not get direct access to Mythos scanning and may face a gap between when consortium members learn of vulnerabilities and when patches become publicly available.

What does Project Glasswing not address?

Machine identity governance, AI agent authentication standards, sustainable long-term funding beyond the initial $100M credit allocation, and inclusive access for organizations outside the consortium.

How can organizations benefit from collaborative defense without consortium access?

Accelerate patch pipelines, monitor Glasswing-related CVE disclosures, deploy open-weight AI models for self-scanning, contribute to open source security, address machine identity governance independently, and build collaborative relationships through ISACs and vendor partnerships.
