Project Glasswing, Machine-Speed Threats, and the Governance Layer Nobody Has Built Yet

Threat Intelligence Analysis: Anthropic’s Project Glasswing and Claude Mythos Preview mark a category shift in how vulnerabilities get discovered. This piece lays out what that means for enterprise security programs and the governance layer most organizations haven’t built yet.
Anthropic just did it again.
They built a new frontier model called Claude Mythos Preview, used it to scan critical infrastructure before saying a word publicly, and found thousands of zero-day vulnerabilities across every major operating system and every major browser. One bug in OpenBSD had been sitting there for 27 years undetected.
We’ll come back to the irony that this announcement came from a company that leaked its own source code twice in two weeks. First, 3,000 internal assets through a misconfigured CMS, including a draft blog post about Mythos itself. Then 512,000 lines of Claude Code architecture through a forgotten .map file bundled into a routine npm update. A 27-year-old OpenBSD bug they can find. Their own release pipeline? Apparently that’s harder. File that one away.
But the announcement itself deserves serious attention. Because what Anthropic is describing isn’t just a capable model. It’s a category shift in how vulnerabilities get found, and that has direct implications for how security programs need to be built.
What Glasswing Actually Is
Anthropic stood up a restricted coalition under Project Glasswing with AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, JPMorganChase, and Palo Alto Networks as launch partners, committing $100M in usage credits and $4M in direct donations to open-source security organizations. Mythos Preview is not being released publicly. Access is restricted. The stated reason is that the same capability that finds vulnerabilities at scale can be used to exploit them at scale, and Anthropic wants defenders to have a head start before that dynamic plays out broadly.
That’s the right call. And the timing tells you something too. Anthropic just crossed $30B in annualized revenue and is reportedly eyeing an IPO. A government-adjacent cyber initiative with blue-chip partners isn’t an accident. But the underlying logic is still sound regardless of the business context. For a deeper walk-through of the announcement itself, see our earlier piece on Claude Mythos Preview and Project Glasswing.
The CVE Model Is Already Broken. Glasswing Buries It.
Here’s the problem with how most security programs handle threat intelligence right now. They receive feeds. They get CVE lists. They try to prioritize based on CVSS scores. And they work through the list at human speed, which means weeks between a vulnerability being known and being addressed.
Mythos doesn’t produce a CVE list. It chains vulnerabilities together. The OpenBSD bug wasn’t sitting in one obvious place waiting to be found. It took a model capable of connecting multiple findings across a codebase to surface it. Four unrelated weaknesses that mean nothing independently become a critical exploit path when a frontier model reasons across all of them simultaneously.
Go pull your current vulnerability backlog and ask honestly how it’s ranked. Chances are it’s ranked by CVSS score, maybe filtered by asset criticality if someone has done the work to build that mapping. Ask whether it accounts for chained exploits. Ask whether it’s updated in hours or weeks when new intelligence arrives.
I think you’ll find it wasn’t built for this.
The Governance Problem Nobody Has Solved
When Mythos-class intelligence eventually becomes available beyond the initial coalition, and it will, the organizations that can actually use it aren’t the ones with the best alert pipelines. They’re the ones whose environment model is already built.
Think about what an AI agent actually needs to take Mythos-level output and turn it into a prioritized action plan for your organization. It needs to know your asset inventory. Which systems are in scope for which regulatory frameworks. What controls are actually implemented versus documented. What your risk appetite is. Where your AI systems sit, what data they touch, and what autonomous actions they’re permitted to take.
Without that context, Mythos-class intelligence is the fastest noise that’s ever existed.
That’s the governance layer. And most programs don’t have it built in a form that’s machine-readable, continuously updated, or queryable by an AI agent in real time. If you’re trying to stand up that foundation now, our NIST AI RMF Implementation Guide and enterprise AI governance playbook are the right starting points.
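To make the backlog question and the environment-model argument above concrete, here is an added example (not from the original article and not Glance's code) that ranks the same constructed findings twice: by CVSS alone, and against a small machine-readable environment model. The data shapes, names and scoring weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    fid: str
    asset: str
    cvss: float
    blocked_by: Optional[str] = None  # control that would stop this step

# Constructed sample data (assumed shape, not any product's schema).
ASSETS = {"pay-gw": {"criticality": 3, "frameworks": ["PCI DSS"]},
          "wiki": {"criticality": 1, "frameworks": []}}
CONTROLS = {"waf": {"documented": True, "implemented": True},
            "egress-filter": {"documented": True, "implemented": False}}
FINDINGS = [Finding("F1", "wiki", 9.1, "waf"),
            Finding("F2", "pay-gw", 4.3),
            Finding("F3", "pay-gw", 5.0, "egress-filter"),
            Finding("F4", "pay-gw", 3.7)]
CHAINS = [("F2", "F3", "F4")]  # low-severity findings that form one path

def rank_by_cvss(findings):
    return [f.fid for f in sorted(findings, key=lambda f: -f.cvss)]

def is_blocked(f, controls):
    # Only an implemented control counts; a documented-only one does not.
    return bool(f.blocked_by and controls.get(f.blocked_by, {}).get("implemented"))

def rank_with_context(findings, chains, assets, controls):
    by_id = {f.fid: f for f in findings}
    # Assumed weighting: halve severity behind a working control.
    score = {f.fid: f.cvss * (0.5 if is_blocked(f, controls) else 1.0)
             for f in findings}
    for chain in chains:
        links = [by_id[i] for i in chain]
        if any(is_blocked(x, controls) for x in links):
            continue  # one working control breaks the whole path
        # Assumed: a live chain scores its worst link plus 1.0 per extra link.
        chain_score = min(10.0, max(x.cvss for x in links) + (len(links) - 1))
        for x in links:
            score[x.fid] = max(score[x.fid], chain_score)
    def weight(a):  # criticality, plus one if a regulatory framework is in scope
        return a["criticality"] + (1 if a["frameworks"] else 0)
    final = {i: s * weight(assets[by_id[i].asset]) for i, s in score.items()}
    return sorted(final, key=lambda i: (-final[i], -by_id[i].cvss))

def documented_only(controls):
    return sorted(n for n, c in controls.items()
                  if c["documented"] and not c["implemented"])

if __name__ == "__main__":
    print("CVSS order:   ", rank_by_cvss(FINDINGS))
    print("Context order:", rank_with_context(FINDINGS, CHAINS, ASSETS, CONTROLS))
    print("Paper-only controls:", documented_only(CONTROLS))
```

The 9.1 on the wiki tops the CVSS list but drops to last once the working WAF and low criticality are counted, while three medium findings on the payment gateway rise to the top because the only control that would break their chain exists on paper only.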
Where Glance Sits in This
Glance pulls data from your existing security and monitoring tools through its library of connectors spanning your security stack, including CASB, vulnerability scanners, identity providers, AI platforms, and more. It doesn’t deploy its own agent or run its own collection. Not yet. What it does is consolidate what your tools already see into a single live environment model and build your governance posture from that.
That environment model is what matters when you think about where Glasswing goes next.
The AI Compass module inventories every AI system in your environment, scores it against EU AI Act risk tiers deterministically, and maps your governance posture to NIST AI RMF (and others as they release). The Threat Exposure Engine cross-references your live asset inventory and control coverage against external threat intelligence so prioritization reflects your actual environment, not generic severity scores. The Cyber Blueprint tracks where you are against the frameworks that matter to your specific regulatory obligations.
None of that is theoretical. It’s what’s running for clients today, built from the data your existing stack already produces.
The Glance MCP architecture is what positions us for what comes next. Glance already operates as an MCP server. Any AI agent with access can query your live governance posture, threat exposure, and control coverage in real time. When Mythos-class intelligence becomes available more broadly, it doesn’t slot into a spreadsheet or a ticket queue. It queries your environment model, contextualizes the findings against your specific stack and obligations, and surfaces what your advisor needs to act on before the attacker does.
That’s machine-speed governance. Find, contextualize, advise, act. The loop has to close that fast now.
Your competitors who don’t have the environment model built when that capability arrives will be starting from scratch. That gap compounds every month.
Glasswing confirmed the shift. The question is whether your program is architected to respond to it.
Let’s Talk About Where Your Program Actually Stands
If you want to see where your program actually stands, let’s talk.
Glance is built for exactly the environment Glasswing just described. Live visibility from your existing tools, AI governance mapped to EU AI Act and NIST AI RMF, threat prioritization grounded in your actual stack, and an advisor who knows the difference between a CVSS score and a real risk to your organization.
We’re not selling software. We’re building programs. And right now, the window to get ahead of machine-speed threats before they become your board’s problem is still open.
Book a demo at ztekcyber.com/glance and talk to a Z Cyber advisor today.
We’ll show you exactly where your governance posture stands, what the gaps are, and what it looks like to close them before Mythos-class intelligence is no longer restricted to a coalition of twelve.
Related Resources
- Claude Mythos Preview and Project Glasswing: What AI-Driven Vulnerability Discovery Means for Cybersecurity
- NIST AI RMF Implementation: A Practitioner’s Guide
- How to Build an Enterprise AI Governance Program from Scratch
- AI Governance Frameworks: HITRUST, OWASP, and EU AI Act
- Shadow AI: Enterprise Discovery and Risk Governance
- Glance: Live Security and Governance Platform
Frequently Asked Questions
What is Project Glasswing?
Project Glasswing is an Anthropic-led restricted coalition that uses Claude Mythos Preview to find vulnerabilities in critical infrastructure before disclosing them publicly. Launch partners include AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, JPMorganChase, and Palo Alto Networks. Anthropic committed $100M in usage credits and $4M in donations to open-source security organizations. Access is deliberately restricted because the same capability that discovers vulnerabilities at scale can be used to exploit them at scale.
Why does Project Glasswing break the traditional CVE model?
Traditional vulnerability management prioritizes findings from CVE feeds using CVSS scores and asset criticality. Claude Mythos doesn’t produce a CVE list. It chains multiple weaknesses together across a codebase to surface critical exploit paths, including a 27-year-old OpenBSD bug composed of four unrelated findings that mean nothing individually. Backlogs ranked by CVSS don’t account for chained exploits, and they can’t be updated fast enough when new intelligence arrives in hours instead of weeks.
What is the governance layer for machine-speed threats?
The governance layer is a live, machine-readable model of your environment that an AI agent can query in real time. It includes your asset inventory, the regulatory frameworks in scope, the controls actually implemented versus documented, your risk appetite, and where AI systems sit in your stack. Without this context, machine-speed threat intelligence is just the fastest noise ever produced. Organizations that have this layer built will be able to contextualize Mythos-class output the moment it becomes available more broadly.
How does Glance prepare organizations for Glasswing-class intelligence?
Glance operates as an MCP (Model Context Protocol) server that consolidates data from existing security tools (CASB, vulnerability scanners, identity providers, AI platforms) into a single live environment model. Its AI Compass module scores AI systems against EU AI Act risk tiers and maps governance posture to NIST AI RMF. The Threat Exposure Engine cross-references live asset inventory and control coverage against external threat intelligence. Any AI agent with access can query this environment model in real time, which is exactly what machine-speed threat intelligence requires to be actionable.
What should CISOs do right now to prepare?
Three priorities. First, audit whether your vulnerability backlog accounts for chained exploits or just CVSS scores. Second, build a machine-readable inventory of AI systems, controls, and regulatory obligations that an AI agent could query in under a second. Third, make sure threat intelligence flows into that environment model instead of into spreadsheets and ticket queues. The window to build this before Mythos-class intelligence becomes broadly available is still open, but it’s closing.