Claude Mythos & Project Glasswing: Detection Is No Longer Enough

On April 7, 2026, Anthropic announced Claude Mythos Preview — capable of discovering and exploiting vulnerabilities in hours — and Project Glasswing, a 12-founder defensive coalition. This is not a PR event. It is a structural shift.


On April 7, 2026, Anthropic simultaneously announced two things. First: the existence of Claude Mythos Preview, a frontier model not intended for the general public, whose vulnerability discovery capabilities exceed, according to Anthropic, "all but the most elite humans." Second: Project Glasswing, a defensive coalition of 12 founding organizations — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — with exclusive access to Mythos Preview to secure critical global software infrastructure.

Mythos Preview has already identified thousands of high-severity vulnerabilities, including in every major operating system and web browser. Among them: a 27-year-old bug in OpenBSD, exploitable by simply sending a few network packets to any OpenBSD server to crash it.

Anthropic is committing up to $100 million in usage credits for Project Glasswing participants, along with $4 million in direct grants to open-source security organizations.

This is not a communication event. It is a structural shift in the balance of power between attackers and defenders.

What Mythos Actually Changes

Claude Mythos is not an improved vulnerability scanner. It is an autonomous reasoning system capable of operating the entire offensive cycle.

Anthropic has demonstrated that Mythos can take a CVE identifier and a Git commit hash as input, then autonomously produce a complete working exploit within hours, at relatively low cost. It can chain multiple vulnerabilities and reverse-engineer closed-source binaries.

Independent evaluations confirm this breakthrough. The UK government's AI Security Institute (AISI) tested Mythos Preview on capture-the-flag scenarios and multi-step attack simulations. On expert-level tasks — which no model could accomplish before April 2025 — Mythos Preview achieves a 73% success rate. The AISI also built a 32-step corporate network attack simulation, covering initial reconnaissance through complete network takeover — an operation estimated at 20 hours for human experts.

The window between discovery and exploitation has collapsed. What once took weeks or months — finding a flaw, building an exploit, chaining it into an attack — can now happen in hours.

Project Glasswing: A Race Against Time

Project Glasswing is not a philanthropic initiative. It is an emergency response to a risk identified by Anthropic itself. Glasswing gives defenders a temporal advantage. But that advantage is measured in weeks, not years.

Detection Outpacing Remediation Capacity

This context sharpens a pre-existing imbalance. Available data on organizational vulnerability management maturity is unambiguous:

  • Approximately 54% of organizations maintain a controlled remediation cadence.
  • Approximately 31% show average management.
  • Approximately 15% are in serious difficulty, with external vulnerability handling times exceeding one year across all severities.

Nearly one in two organizations cannot follow an effective remediation process — and this observation predates Mythos. Mythos does not create this problem. It reveals it with brutal clarity.

A Structural, Not Technological Problem

These gaps reveal an essential truth: the problem is not technological. It is structural, organizational, and cultural.

Between insufficient prioritization, lack of industrialization, silos between security, IT and business units, and short-term trade-offs, some organizations accumulate a vulnerability debt they can no longer absorb. "Reasonable" remediation cadences agreed before Mythos no longer match reality: Mythos-class tools identify and exploit vulnerabilities in hours.

Time: The Central Risk Variable

A vulnerability is not a risk in itself. It becomes one when three conditions are met: it is exploitable, it is exposed, and it remains open over time. This third dimension is systematically underestimated — and Mythos transforms it into a critical variable.

Reducing the attack surface is necessary. Reducing exposure time is critical.
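
The three conditions above, as an added Python example (not from the original article and not Presidio's code): it keeps only findings that are exploitable, exposed and still open, ranks them by days of exposure instead of raw severity, and counts those open longer than one year. All identifiers, dates, scores and the 365-day threshold parameter are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Finding:
    ident: str                      # constructed placeholder, not a real CVE id
    severity: float                 # raw technical severity, 0-10
    exploitable: bool               # condition 1: a working exploit path exists
    exposed: bool                   # condition 2: reachable by an attacker
    opened: date
    closed: Optional[date] = None   # condition 3: None means still open

def exposure_days(f: Finding, today: date) -> int:
    return ((f.closed or today) - f.opened).days

def is_live_risk(f: Finding) -> bool:
    """A finding is a risk only when all three conditions hold."""
    return f.exploitable and f.exposed and f.closed is None

def remediation_queue(findings, today):
    """Live risks, longest exposure first; severity only breaks ties."""
    live = [f for f in findings if is_live_risk(f)]
    return sorted(live, key=lambda f: (-exposure_days(f, today), -f.severity))

def metrics(findings, today, stale_after=365):
    """Median time-to-fix for closed findings and live debt past the threshold."""
    fixed = [exposure_days(f, today) for f in findings if f.closed]
    live = [f for f in findings if is_live_risk(f)]
    return {
        "median_days_to_fix": median(fixed) if fixed else None,
        "live_risks": len(live),
        "live_over_threshold": sum(exposure_days(f, today) > stale_after for f in live),
    }

# Constructed sample backlog (all values invented for illustration).
TODAY = date(2026, 4, 7)
FINDINGS = [
    Finding("VULN-A", 9.8, True, False, date(2026, 3, 1)),    # critical, not exposed
    Finding("VULN-B", 6.5, True, True, date(2025, 1, 10)),    # medium, exposed > 1 year
    Finding("VULN-C", 8.1, True, True, date(2026, 3, 20)),    # high, exposed, recent
    Finding("VULN-D", 7.5, True, True, date(2026, 1, 5), date(2026, 1, 19)),
    Finding("VULN-E", 5.0, False, True, date(2024, 11, 1)),   # exposed, not exploitable
    Finding("VULN-F", 9.1, True, True, date(2025, 12, 1), date(2026, 1, 30)),
]

if __name__ == "__main__":
    print([f.ident for f in remediation_queue(FINDINGS, TODAY)], metrics(FINDINGS, TODAY))
```

In this sample the highest-severity open finding (VULN-A) never enters the queue because it is not exposed, while the medium-severity VULN-B leads it after more than a year open.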

What Presidio Brings in This New Context

This is precisely the operational challenge that Presidio addresses. Presidio is not another detection tool. It is the cyber risk governance platform that enables organizations to structure their response to this flow — transforming regulatory pressure (NIS2, DORA, GDPR) into a continuous, measurable, and auditable remediation process.

Where Mythos identifies, Presidio organizes the response. Where Project Glasswing gives large founding organizations a temporal advantage, Presidio gives mid-sized organizations the means not to remain spectators.

  • Risk-based prioritization — not by raw technical severity, but by the organization's actual exposure.
  • Remediation cycle industrialization — structuring workflows between security, IT, and business units.
  • Integrated NIS2 and DORA compliance — audit framework and traceability for regulators.
  • Real performance measurement — correction velocity, exposure time reduction, residual debt trajectory.

Conclusion: AI Eliminates the Comfort of Invisibility

Mythos and Project Glasswing do not make systems more vulnerable. They eliminate a form of comfort: the comfort of not seeing, or not knowing.

In a world where everything becomes visible — where an AI model can find a 27-year-old bug in hours — one reality imposes itself: organizations are not behind on detection. They are behind on their ability to remediate, at scale and in time.

The organizations that will navigate this transition will be those that understand that vulnerability management is not a support function. It is an operational, continuous, and vital discipline.

Valtieri helps organizations structure their response to this new paradigm. Presidio is available for organizations of 50–250 employees subject to NIS2, DORA, or ISO 27001. Get in touch.
