AI Found the Bug Before the Hacker Did
Anthropic launched Claude Mythos Preview alongside Project Glasswing, a 50-plus company consortium tackling AI-driven cybersecurity threats. Here's what it means for the future of digital defense.
Decades-old bugs, buried in some of the world's most scrutinized code, are being surfaced in minutes. Not by a team of elite researchers working overnight — by an AI model that wasn't even built for the job.
What Just Happened
Anthropic formally unveiled Claude Mythos Preview this week, following leaks at the end of March that had already set the security community buzzing. The announcement came packaged with something arguably more significant than the model itself: Project Glasswing, an industry consortium of more than 50 organizations — including Microsoft, Apple, Google, Amazon Web Services, Cisco, Nvidia, Broadcom, and the Linux Foundation — convened specifically to grapple with what advanced AI means for cybersecurity.
Mythos Preview is not being released to the public. Instead, consortium partners get private access to run the model against their own systems, identifying and patching vulnerabilities before the model's capabilities become more widely available. The logic is borrowed from a well-established practice in security: coordinated vulnerability disclosure, where researchers give developers a head start before going public with a flaw.
The model's capabilities are broad. According to Anthropic's frontier red team lead Logan Graham, Mythos Preview can discover vulnerabilities and generate attack chains and proofs of concept, carry out advanced exploit development, conduct penetration testing, assess endpoint security, hunt for system misconfigurations, and analyze compiled software binaries without access to source code. It has already flagged thousands of critical vulnerabilities, including bugs that had been missed across repeated audits over decades.
The Twist: It Wasn't Built for This
Here's what makes this more than a product launch. Anthropic CEO Dario Amodei was direct in the Project Glasswing launch video: "We haven't trained it specifically to be good at cyber. We trained it to be good at code, but as a side effect of being good at code, it's also good at cyber."
That distinction matters. Mythos Preview didn't become a powerful security tool because Anthropic set out to build one. It became one because deep coding ability and vulnerability discovery are, at a fundamental level, the same skill. The implication is uncomfortable: every future model that gets better at programming will, almost automatically, get better at hacking.
Graham put it plainly: "We've seen Mythos Preview accomplish things that a senior security researcher would be able to accomplish. Done not carefully, this could be a meaningful accelerant for attackers."
Why Competitors Are Sitting at the Same Table
One of the more striking features of Project Glasswing is who signed up. Google and Microsoft are direct competitors to Anthropic in the AI model market. Yet both joined the consortium without apparent hesitation.
Google's VP of Security Engineering, Heather Adkins, called it a welcome "cross-industry cybersecurity initiative." Microsoft's global CISO, Igor Tsyganskiy, framed participation as a chance to "identify and mitigate risk early" and better protect customers.
The competitive détente reflects a shared calculation: if AI-powered attack tools are going to proliferate regardless — and Amodei said explicitly that "more powerful models are going to come from us and from others" — then defenders need to be ahead of the curve, together. The alternative is a fragmented response that leaves gaps attackers can exploit.
That said, Graham acknowledged the limits of what Project Glasswing can achieve in its current form. "It will fail if it's just a handful of companies using a model," he said. "It has to grow into something even larger."
The Deeper Shift: Security's Foundational Assumptions Are Cracking
The consortium's ambitions go beyond stress-testing individual systems. Anthropic is making a broader argument: that the foundational assumptions underpinning modern cybersecurity — assumptions about the cost and complexity of attacks, about what human-scale effort can and can't accomplish — are about to break.
"Many of the assumptions that we've built the modern security paradigms on might break," Graham told WIRED.
Consider what this means practically. Much of current security architecture is built on the premise that sophisticated attacks require sophisticated, expensive human expertise. That friction — cost, time, skill — is itself a form of defense. If an AI model can compress months of expert work into hours, the threat model for everything from financial infrastructure to healthcare systems to election security changes fundamentally.
The cat-and-mouse dynamic that has defined cybersecurity for decades doesn't disappear. It just runs faster, and the mice get smarter.
Three Ways to Read This
The optimist's view: For the first time, defenders have a tool that can match the scale and speed of automated attacks. Organizations that couldn't afford a large security team can now augment their defenses with AI. Mythos Preview finding thousands of critical vulnerabilities before they're exploited is, straightforwardly, a good thing.
The skeptic's view: Consortiums are only as effective as their slowest member. 50 companies sounds impressive until you consider how many critical systems sit outside that circle — municipal governments, hospitals, mid-size financial institutions, defense contractors in allied nations. The vulnerabilities Mythos Preview is finding in well-resourced tech giants almost certainly exist in less-watched infrastructure too.
The regulator's view: Project Glasswing is a voluntary, industry-led initiative. There are no binding commitments, no enforcement mechanisms, and no clear answer to what happens when a model with these capabilities falls into hands that aren't in the consortium. Policymakers in Washington, Brussels, and beyond are watching, but watching is not the same as acting.
This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.