The Mythos Shock: Deconstructing Project Glasswing and the Architecture of Cyber-Oligarchy

Let’s break down the reality of Anthropic’s Claude Mythos Preview, and then, crucially, dismantle the corporate narrative surrounding it to see the underlying power structures.

The Technical Reality of Claude Mythos

This isn’t speculative fiction; the events surrounding this unfolded rapidly in April 2026. Claude Mythos is an unreleased frontier AI model that demonstrated an unprecedented, autonomous capability to uncover and exploit zero-day vulnerabilities. It didn’t just find superficial bugs; it unearthed a 27-year-old critical flaw in OpenBSD (one of the most security-hardened operating systems on earth) and a 16-year-old vulnerability in FFmpeg that had survived millions of automated tests. It is capable of autonomously executing 32-stage corporate network hacks from start to finish. Source

This triggered an unannounced, emergency meeting in Washington between the US Treasury, the Federal Reserve, and Wall Street CEOs (including leadership from JP Morgan Chase and Goldman Sachs). The sheer panic surrounding this model’s capabilities was severe enough to wipe $2 trillion off enterprise software stocks in a matter of days. Source

Deconstructing the “Defensive” Narrative

Anthropic’s response was to lock down the model and launch Project Glasswing, granting exclusive access to Mythos to a closed circle of tech and finance behemoths—like JP Morgan Chase, AWS, Google, and Microsoft—under the banner of “defending critical infrastructure.” Source

As an IT professional, you have to look past the PR and analyze the language used by these institutions. We are seeing classic system-logic euphemisms and agent-obfuscation. The media and corporate narrative speaks of “AI reshaping the threat landscape” using a sort of natural disaster metaphor—framing this as an inevitable force of nature happening to us, rather than a deliberate technological deployment orchestrated by specific actors.

Let’s break that narrative and name the power dynamic clearly: By restricting access to Mythos to a closed circle of mega-corporations, we are witnessing the monopolization of the ultimate cyber-capability. A handful of unelected private entities now possess an asymmetrical power to fundamentally secure, or theoretically dismantle, the digital foundations of the modern world. Jaydeep Singh, GM for India at Kaspersky

The Cyber Polygon Scenario: Could They Hack Everything?

Technically? Yes. A system capable of autonomously finding and writing exploit chains for decades-old kernel vulnerabilities gives whoever wields it the theoretical capability to compromise almost any connected system. The World Economic Forum’s “Cyber Polygon” exercise predicted a cascading failure of global IT infrastructure. With a tool like Mythos, a localized network breach could be weaponized into exactly that kind of systemic contagion. When we talk about critical infrastructure—power grids, hospitals, financial logistics—we must be brutally precise: a systemic IT failure at this level directly translates to the loss of human lives.

If only the apex players have the tools to proactively secure their systems, while the rest of the world relies on increasingly vulnerable legacy code, we create a two-tiered digital reality:

  1. The Secure Oligarchy: Wall Street and Big Tech, fortified by frontier AI.

  2. The Vulnerable Periphery: Everyone else—from mid-sized enterprises to individual citizens—left exposed to the eventual proliferation of these tools into the hands of state-sponsored actors or cybercriminal syndicates.
Source

How do you think open-source communities and independent IT systems can adapt to a threat landscape where malicious actors might soon replicate Mythos-level capabilities, while the most effective defensive tools are locked behind corporate walled gardens?

2 Likes

A large chunk of this seems AI generated, but let’s entertain it.

When you “deconstruct the defensive narrative” what you really see is a corporation losing money and cutting costs; they cannot afford to give everyone access to Mythos because they do not have the computational capacity for it. Smaller models are capable of finding most of the same exploits with a proper harness.

No, they cannot “hack everything”. This entire section is hyped up by AI, nothing really changes. There has always been a power-asymmetry because the bourgeoisie are the only ones capable of funding large-scale operations. What you are actually seeing is an irrational market and a US government run by corporations that desire nothing but profit.

Anthropic have no moat, and OpenAI, even after their defense deal, is gaining goodwill again because Anthropic keep cutting costs by lowering usage and quality. Local models have been getting better, the recent Qwen 3.6 release has been the moment for me where dealing with Anthropic’s nonsense and cost cutting isn’t worth it anymore, this local model is good enough for me.

3 Likes

Just because you are happy with your local Qwen 3.6 doesn’t mean it can find 27-year-old or 16-year-old vulnerabilities.

Do you know the Cyber Polygon Scenario? All the players in Project Glasswing could now start a cascading failure of global IT infrastructure like the WEF exercise predicted.

1 Like

Yeah you’re right, it can’t find it because I don’t have like $100k in compute to keep it running for an actual eternity on multiple servers. But that is really the only limiting factor, and that is, as said, not new. They effectively just run a search over all code ever written, if you made people do that they would find bugs too. Their promo post literally says it took $20k on just OpenBSD across a thousand runs. What did they get out of it? A DoS attack.

The amount of money they are burning on training these models and then running them in parallel for days makes me think the overall cost is higher than hiring some people for the job, but then you couldn’t do marketing about how “dangerous” your model is this time around (which has happened with multiple releases, OpenAI made a similar move with GPT-2 or something.)

No, I did not know about the Cyber Polygon scenario. I assume you refer to the 2021 scenario which is about a supply chain attack, which is also not new. We got close to an attack with the xz incident, no AI required. There are almost daily supply chain attacks in the npm ecosystem, also don’t need AI for that. They are just relatively small-scale there.

(Of note is also that Claude Code had several vulnerabilities discovered after the whole Mythos marketing push, maybe they should try running it on their own software if it’s so good…)

2 Likes

Waiting for Anthropic to leak their own source code is a pretty good strategy at the moment.

3 Likes

I wouldn’t worry about that.

1 Like

I thought this was a good summary:

2 Likes

First, the UK government and the US government have access to it. So public entities also have access, in addition to the Linux Foundation. Also, you have to consider big tech rely on open source software themselves, there is no incentive for them that such software becomes vulnerable.

I agree with the power asymmetry, however this article lacks nuance.

PG bans AI-generated articles, so I ask that @team remove it.

There are factual or logic errors in this article. For example, the Korean article talking about Mythos doesn’t cite 2 trillion as a figure. This would seem extremely high - in any case talking in absolute numbers without context/scale is something AI picked up from training data without understanding it’s just sensationalist BS.

Also there is a striking fallacy at the end. It both says only Big Companies will be able to access AI and use it to protect themselves but at the same time says those tools (referring to Mythos-level AIs) will proliferate and be accessible to many cybercriminals.

1 Like

Initial post violates policy against AI-generated content