Anthropic — Mythos Glasswing Expands: Verizon Joins, Findings-Sharing Policy Revised

AI relevance: Claude Mythos Preview is an autonomous vulnerability discovery model that finds and exploits zero-days without human steering — directly impacting how AI security research and defensive operations will scale.

• Reuters reports that Anthropic revised its Project Glasswing policy on May 18, allowing participating organizations to share Mythos cybersecurity findings with external parties — a significant shift from the original closed-disclosure model.
• Verizon joined Project Glasswing as the first telecommunications company in the consortium, gaining access to Mythos Preview for infrastructure security testing.
• Cloudflare published its Glasswing experience: tested Mythos Preview against 50+ of its own repositories, highlighting the model's unique exploit-chain construction and proof generation capabilities that go beyond traditional bug-finding.
• Cloudflare noted Mythos Preview can chain multiple small attack primitives into working exploits and iteratively prove exploitability by writing, compiling, and running test code — a capability described as "senior researcher" quality reasoning.
• ArmorCode published a playbook for security teams responding to Mythos-scale vulnerability discovery, noting the median time from discovery to weaponized exploit is projected to fall under one hour by end of 2026.
• Anthropic estimates comparable autonomous capabilities will emerge from other AI labs within 12–18 months, raising the urgency of defensive preparation.

Why it matters

The policy revision to allow external sharing of findings marks a critical inflection point: Glasswing's closed model was designed to contain risk, but the scale of vulnerability discovery (thousands of findings across critical software) demands coordinated disclosure at a pace no single consortium can manage. Verizon's entry signals that telecom and critical infrastructure operators now view autonomous AI vulnerability discovery as an operational priority, not a research curiosity.

What to do

• Review your vulnerability management SLAs — the discovery-to-exploit timeline is compressing to hours, not weeks.
• Assess whether your critical dependencies are in the Glasswing participant list or similar defensive AI programs.
• Prepare incident response playbooks for AI-discovered zero-days in your software supply chain.

Sources:

• Reuters — Anthropic to let partners share Mythos findings
• Telecoms.com — Verizon joins Anthropic's Project Glasswing
• Cloudflare Blog — Project Glasswing: what Mythos showed us
• ArmorCode — The Claude Mythos Security Playbook
• Anthropic — Project Glasswing