Claude Mythos Preview + Project Glasswing: What Your Blue Team Can Borrow

On April 7, 2026, Anthropic announced Claude Mythos Preview — the same model whose existence leaked via a CMS misconfig on March 26 — and Project Glasswing, an invitation-only program restricting access to a list of named partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks ([Anthropic, Mythos Preview](https://red.anthropic.com/2026/mythos-preview/)). The reason they gated it: in internal testing, Mythos Preview autonomously identified and exploited a 17-year-old FreeBSD NFS remote code execution bug, now public as CVE-2026-4747 ([VulnCheck](https://www.vulncheck.com/blog/anthropic-glasswing-cves)). ## TL;DR — what an Indian CISO should take from this Mythos Preview is gated; you won't get access. But the design of Glasswing — frontier AI + curated targets + responsible disclosure pipeline — is replicable with Claude Sonnet, GPT-4o, or open-weight models. Three borrowable ideas: (1) point a capable LLM at your own code first, before attackers do; (2) treat AI-found findings the same as any pentest — triage, patch, retest; (3) keep humans on the disclosure decision, not on the discovery step. ## Why this matters now Frontier models are reaching the point where they find bugs faster than human reviewers. Anthropic's own draft blog post (leaked March 26) said Mythos is "currently far ahead of any other AI model in cyber capabilities" and warned it "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders" ([CSO Online analysis](https://www.csoonline.com/article/4159617/behind-the-mythos-hype-glasswing-has-just-one-confirmed-cve.html)). If you're a defender, you have ~12-18 months before similar capability hits the open-source side and the attackers without Glasswing access catch up. ## What Project Glasswing actually does The published Mythos Preview page describes the workflow: take a critical codebase (FreeBSD kernel, OpenSSL, ffmpeg), point Mythos at it with read-only instructions, ask "find me memory safety bugs that could result in RCE." Mythos produces findings ranked by exploitability. A human reviewer at Anthropic validates and triages. Confirmed bugs go to the maintainer through standard CVE channels. CVE-2026-4747 went through this exact pipeline. ## The Glasswing-style defensive workflow your team can build You don't need invitation-only access. You need (1) a capable model, (2) your own code, (3) a triage process, and (4) the discipline not to email a CVE to a stranger before the maintainer has a patch. ## A worked example — CVE-2026-4747 in plain English The bug Mythos found was in FreeBSD's NFS RPC GSS validation. The function svc_rpc_gss_validate() copies an attacker-controlled credential body into a 128-byte stack buffer. But the XDR (External Data Representation) layer that ships the credential allows up to 400 bytes. That's 304 bytes of overflow — directly onto the stack — triggerable by any unauthenticated user with network reachability to an NFS server. In code, the smell is roughly:

char buf[128];                          // 128-byte stack buffer
  memcpy(buf, cred->body, cred->length);  // length up to 400, no check
  

This pattern — buffer size from one source, length from another, no bounds check — is what an LLM trained on millions of code patterns spots in seconds. A human reviewer might miss it because the two sources are 200 lines apart and the bug has been there since 2009. That's the asymmetry Glasswing is built around. ## The defensive prompt — a starter you can copy Open Claude or GPT-4 with your service's source code attached. Use this:

You are a security auditor reviewing this codebase for memory safety,
  authentication, and input validation bugs that could result in:
  - Remote code execution (RCE)
  - Server-side request forgery (SSRF)
  - Authentication bypass
  - Privilege escalation
  - Information disclosure (PII, secrets, tokens)
  
  For each finding, give me:
  1. The exact file path and line numbers
  2. The vulnerability class (CWE if you can identify it)
  3. A 1-line attacker scenario showing how it would be exploited
  4. The minimum fix needed (don't refactor — just stop the bleeding)
  5. Confidence: high / medium / low
  
  Skip stylistic issues, performance, code smells. Only security.
  Prioritize findings by exploitability, not by line count.
  

Iterate. Re-prompt with the findings to expand on the highest-confidence ones. Cost for a 5,000-line service: roughly ₹500-1,500 in API tokens. ## A comparison: Glasswing vs. what you can DIY in 2026 | Capability | Project Glasswing | DIY with Claude Sonnet 4.5 | Gap | |---|---|---|---| | Model | Mythos Preview (gated) | Sonnet 4.5 (available) | ~30-40% findings depth | | Targets | OS kernels, browsers | Your own services | Comparable for SMB scope | | Triage | Anthropic team | Your security engineer | You need 1 trained person | | Disclosure pipeline | Glasswing partner channels | Email maintainer | Same standard process | | Cost | Invitation only | ~₹500-₹2,000 per service review | DIY is workable | | Time to first finding | Hours | Hours | Comparable | The honest read: Mythos Preview is materially more capable. But for an Indian SMB's threat model — finding bugs in your own services before commodity exploit kits hit them — Claude Sonnet 4.5 plus a disciplined process gets you 60-70% of the value at less than 1% of the cost. ## Borrowable design ideas — the action list

• Stand up an internal "Glasswing-lite" workflow: one model, one code review prompt, one engineer who triages findings weekly.
• Start with your highest-risk service first — authentication, payment, file upload, anywhere external input reaches privileged code.
• Track LLM findings in the same tracker as pentest findings. Same SLA, same retest discipline.
• Set a budget: ₹10,000-₹30,000/month for API tokens, scaled to your service count. That's less than one engineer-day.
• Subscribe to the GitHub Advisory Database, CISA KEV, and the FreeBSD/Linux security mailing lists relevant to your stack. Cross-reference LLM findings against known classes.
• Train your team on coordinated disclosure: never email a vuln to a maintainer without giving them 90 days, and never publicly post until they've shipped a fix or that 90 days has passed.
• Re-run reviews after every major refactor. Bugs are introduced fastest when code is changing fastest.

## Counter-example: when defensive AI is the wrong tool If you have no working SAST/DAST pipeline, no vulnerability management process, and no security engineer to triage findings — adding an LLM to the mix produces more alerts you'll ignore. Fix the fundamentals first: dependency scanning (Dependabot, Snyk free tier), code review on every PR, and a documented incident response runbook. Then add LLM-based review on top. ## Real example — what we built for a Chennai healthtech client A 60-person healthtech firm — they handle prescription data, ABDM-adjacent — asked us to run a Glasswing-style review on their patient portal API after the Mythos news. We pointed Claude Sonnet 4.5 at their 18,000-line Node.js codebase over a weekend (4 review sessions, ₹2,400 in API cost). Findings: 11 high-confidence issues, 7 medium, 14 low/informational. After triage: 4 real issues (one SSRF in their image-fetch endpoint, two IDOR in patient lookup, one verbose error leaking SQL fragments). Patch effort: 3 days. The SSRF would have let an attacker pivot to their internal medication-pricing service. Zero attackers (that we know of) found it first. For our founder's take on the offence-defence economics of frontier AI in security, see [Vivek Singh's writing on AI for blue teams](https://viveksinra.com/blog). ## FAQ ### Can I apply to Project Glasswing? Probably not directly. Anthropic launched with 11 named partners — large platform vendors and a few financial institutions. There's no public application form as of April 2026. The named partner list reads as "vendors whose products run on most of the world's critical infrastructure." Indian SMBs aren't in scope yet; some may get downstream access via CrowdStrike or Cisco's commercial products in 2026-2027. ### Why is Anthropic gating Mythos Preview at all? Because the same capability that finds bugs faster than defenders can patch them also helps attackers find bugs faster than vendors can fix them. Anthropic's bet: if frontier offensive capability is going to exist, defenders should have it first. Schneier and Simon Willison both wrote that the restriction "sounds necessary" — even if uncomfortable ([Schneier on Security](https://www.schneier.com/blog/archives/2026/04/on-anthropics-mythos-preview-and-project-glasswing.html)). ### Is one confirmed CVE proof Glasswing works? It's evidence, not proof. Skeptics (CSO Online, The Register) point out that as of mid-April only CVE-2026-4747 is publicly attributed to Glasswing. Anthropic says more findings are in disclosure pipelines and will surface over weeks. The honest answer: too early to judge the program's full output, but the one published case is a real, high-severity, 17-year-old bug — not a marketing exercise. ### How much does a DIY defensive AI review cost in INR? For a 5,000-15,000-line service: ₹500-₹3,000 in API tokens per review pass, plus 4-12 hours of a security engineer's time for triage. We charge ₹40,000-₹85,000 for a full engagement including patching guidance and a retest. Compare against a traditional pentest (₹1.5-4 lakh) — different value: pentest goes broader, LLM review goes deeper on memory/logic bugs. ### What models are best for security code review in 2026? Claude Sonnet 4.5 and Claude Opus for breadth and reasoning about call chains. GPT-4o for pattern matching against known CVE classes. Gemini 2.5 Pro for handling very large codebases in one context. Open-weight Llama 3.1-70B if you must keep code on-prem. Run the same prompt across two models and compare — the overlap is your high-confidence set. ### Are LLM-found bugs eligible for bounty programs? It depends on the program. Most major bug bounty programs (HackerOne, Bugcrowd) explicitly allow LLM-assisted research now, but require human verification and a working PoC before submission. Don't just paste an LLM's output into a report — programs will (correctly) reject it as low-effort spam. Treat the LLM as a junior researcher whose work you sign off on. ### What's the connection between the Mythos leak (March 26) and the Mythos Preview launch (April 7)? Same model. The CMS leak revealed the existence and capabilities of Mythos in draft material that wasn't supposed to be public yet. Anthropic moved up the official announcement and the Glasswing program launch by reportedly two-to-three weeks to control the narrative. The April 7 announcement was always coming — the March 26 leak just shortened the runway.