Two weeks ago, Anthropic announced that its newest AI model was too dangerous to release to the public. The Claude Mythos Preview reportedly found critical software vulnerabilities, including some that had gone undetected for over twenty years. In response, Anthropic launched Project Glasswing, a $100 million coalition that includes Apple, Microsoft, Google, AWS, JPMorgan Chase, CrowdStrike, the Linux Foundation, and about fifty other major industry players. Their goal is to find and fix the most serious issues before attackers do. That was the main story.
But over the weekend, a different perspective emerged.VulnCheck researcher Patrick Garrity published an analysis that was picked up by CSO Online and RedPacket Security in recent days. He pointed out that, of the CVEs publicly linked to Anthropic and its researchers so far, only one is directly credited to Project Glasswing: CVE-2026-4747, a 17-year-old FreeBSD NFS remote code execution flaw that Mythos found and exploited on its own.
Here's a pretty good (but slightly exciting) youtube on some of the future we may see:
https://www.youtube.com/watch?v=RvowJ_hmLps
Anthropic says the full story will be shared in a public report in July. At the same time, a separate report from the security firm Aisle showed that smaller, more affordable open-weight models could reproduce much of Mythos’s analysis when given the right code and support. So which is it? Is this a turning point for offensive AI, or just a well-crafted announcement with only one confirmed CVE so far?
For mid-market security leaders, the truth is that both stories are important, but neither one gives clear guidance on what to do next week. Most of our clients are not part of the Glasswing group. They include hospitals, manufacturers, universities, banks, and advisory firms that use a mix of SaaS and older on-premises systems, many of which have never been reviewed by advanced AI models.
These organizations will feel the impact of this moment no matter how the hype plays out. It will show up in how quickly their vendors release patches, in what attackers can now do more easily, and in the questions their boards will start asking next quarter. That’s the gap we’re closing on Thursday.
Thursday, April 23 | 2:00 PM CT
Unpacking Mythos: Cybersecurity AI 2026
Jim Sherlock will explain what’s real, what’s overhyped about Mythos, and give practical next steps for mid-market security leaders. The window for defenders is open right now. It will not stay open forever.→ Register hereSee you Thursday.