Project Glasswing: An Initial Update

https://www.anthropic.com/research/glasswing-initial-update

48•louiereederson•46m ago

Comments

OsrsNeedsf2P•40m ago

The vulnerabilities found continues to impress, and make legacy media, Twitter and Youtube go nuts. But we still have no data to prove this wasn't doable with the same initiative backed by Opus 4.7, and there is no GA for Mythos access.

bobbycastorama•31m ago

I've seen a blog post by a security researcher saying that he was able to find the same vulnerabilities (for Firefox IIRC) with a ~30B params LLM...

So yeah, huge marketing as always.

wiwiwq•23m ago

To me it’s clear what’s going on.

The American firms are focused on marketing now to convince people to not even consider open sourced models / open weight models as they are inferior (that’s what they want you to believe).

rhubarbtree•21m ago

IPO is coming is what is going on

wiwiwq•18m ago

That’s implicit in my post.

If people actually believe the narrative then the bankers will over price Anthropic and get away with it.

Brystephor•16m ago

Did the security researcher point the LLM at the blob of information and say "Find vulnerabilities" or was the LLM told to "determine if vulnerability X is present in this blob"? Confirmation of suspected vulnerabilities is a different problem from finding vulnerabilities.

krisbolton•6m ago

This is different though right? He found one (? we don't know who you're referring to - post sources for a higher quality discussion) vulnerability, he already knew it was there, etc. Anthropic didn't claim no other model can find vulnerabilities, nor that it's impossible with smaller models. They're claiming Mythos is a step-change in ability for end-to-end vulnerability discover and exploit creation. And that other frontier models are close behind.

boston_clone•29m ago

you would likely be quite interested in the more quantitative writeup from a real research team ! it’s linked about midway in to the article - similar functionally can be reached, yes, but not always and never with fewer tokens than what mythos requires.

https://xbow.com/blog/mythos-offensive-security-xbow-evaluat...

OsrsNeedsf2P•21m ago

Ok this is actually a pretty good article and justifies the step function marketing in security they talked about

pertymcpert•29m ago

> Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview—over ten times more than they found in Firefox 148 with Claude Opus 4.6

4.6 but close.

OsrsNeedsf2P•24m ago

Right, but were they using the same methodology and harness? I'm skeptical that they're doing something with the harness - i.e. with Mythos, they pass each file in one at a time, whereas on 4.6 they let Claude Code run loose to find bugs. This would have a larger impact difference than the model itself.

parker-3461•28m ago

Makes me wonder if Anthropic is really having issues with allocating compute (see recent deals with xAI and SpaceX). From available benchmarks, it seems like similar results should be possible with GPT 5.5 Pro or Opus 4.7 (with specific cybersecurity trained models).

wiwiwq•19m ago

Who knows but from a valuation stand point it’s better to signal that demand is higher than existing capacity..

smoe•17m ago

At least according to this, GPT-5.5 Cyber is on par with Mythic, as the only two models that were able to finish their 32-step corporate network attack simulation.

https://www.aisi.gov.uk/blog/our-evaluation-of-openais-gpt-5...

energy123•26m ago

. Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview—over ten times more than they found in Firefox 148 with Claude Opus 4.6;

applfanboysbgon•12m ago

Did they allocate the same number of tokens to looking with Claude 4.6? Or did they find more because they looked more, owing to a special initative by Anthropic?

properbrew•5m ago

> over ten times more than they found in Firefox 148 with Claude Opus 4.6

And how much with Opus 4.7? 5x?

dawnerd•5m ago

And of those 271, how many were very minor, really not an issue, kinda of fixes? And how many of the fixes will end up opening up being new vulnerabilities?

enlightenedfool•15m ago

Is this the God model that no one else can build? Unbelievable.

krisbolton•12m ago

There is independent research out there on frontier model capability. AI Security Institute (UK) put out their paper comparing Mythos to other frontier models in early April. They've been tracking frontier model security capability since early 2023, so it's a decent dataset. https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos...

amusingimpala75•30m ago

Is this suspected vulns or actual vulns? If I recall correctly, it produced 5 for curl but only 1 was legit

RamRodification•27m ago

This is marketing. So probably suspected. Or somewhere in between.

Smaug123•24m ago

> So far, Mythos Preview has found what it estimates are 6,202 high- or critical-severity vulnerabilities in these projects (out of 23,019 in total, including those it estimates as medium- or low-severity).

> 1,752 of those high- or critical-rated vulnerabilities have now been carefully assessed by one of six independent security research firms, or in a small number of cases by ourselves. Of these, 90.6% (1,587) have proved to be valid true positives, and 62.4% (1,094) were confirmed as either high- or critical-severity. That means that even if Mythos Preview finds no further vulnerabilities, at our current post-triage true-positive rates, it’s on track to have surfaced nearly 3,900 high- or critical-severity vulnerabilities in open-source code

rbranson•18m ago

I don't know why you're getting downvoted. This is exactly what was reported by curl's creator under the section "Five findings became one": https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...

wiwiwq•17m ago

Certain people don’t want anything negative posted about firms they have ownership interest in.

Smaug123•13m ago

I think it's more that the requested information is prominently featured in the article, and indeed is the content of the only graphic in the article below the intro banner.

extr•9m ago

Did you RTFA?

InsideOutSanta•9m ago

I wonder if it coincidentally becomes safe to release when compute capacity bought from SpaceX will provide enough headroom to let a lot more people run it.

LimeWire re-emerges in rush to share pulled 60 Minutes segment

The Bicameral Mind, the Voice of God, & the Terrifying Origin of Consciousness

Agentic-Agile: Why Agent Development Needs Agile (Not Just Prompts)

Why Tech Companies Are Quietly Cancelling AI Data Centers [video]

Sample Profile Guided Optimization in MSVC

Gemini CLI's Short Life and Google's Antigravity Bait‑and‑Switch

Notes on AI, Labor, and China

Manus Weighs Raising $1B to Unwind Meta Takeover

On AI

Who Died When Elon Musk Killed Usaid?

I built a free, open-source learning app – Brainy

Maybe AI Bots Are (Mostly) Harmless

ASK HN: AI was always a probability problem?

NASA Announces Realignment

Plain: A bias-free news site with no ads, no tracking, and no clutter

Ask HN: How to get involved and meet people in AI in SF?

Mythos for Offensive Security: XBOW's Evaluation

Why Do Our Fingers Get Wrinkly in Water? An Evolutionary Biologist Explains

Npmjs.com has Cloudflare captcha on their suggestion API

Marketer claimed it could tap devices for ad targeting will pay $880K settlement

Audit website content against canonical brand messaging and GEO target prompts

Show HN: Mcpaudit – static security scanner for MCP servers

Anker PowerConf C200: a case study in webcam security theatre

GitHub introduces staged publishing and new install-time controls for NPM

A real-time severe-weather command center built on free public APIs

DjVu file format, alternative to PDF

Nicotine biosynthesis is completed by cryptic activating glucosylation

C Programming Language Quiz

Who will benefit most from SpaceX IPO? Mostly Elon – and his inner circle

Routine vaccines may cut dementia risk–experts have startling hypothesis on how