Cloudflare says Anthropic’s Mythos Preview crossed into exploit chaining during Project Glasswing tests

Project Glasswing

Cloudflare says Anthropic’s unreleased Mythos Preview model was able to chain low-severity bugs into working exploit paths and autonomously build proof-of-concept code during Project Glasswing testing on more than 50 repositories.

# Cloudflare says Anthropic’s Mythos Preview crossed into exploit chaining during Project Glasswing tests

## Opening summary

Cloudflare says Anthropic’s Mythos Preview is a real step beyond ordinary code-review models after testing it on more than 50 internal repositories as part of Project Glasswing. In a new writeup, the company says the model could do more than identify isolated flaws: it could chain multiple small attack primitives together, generate proof-of-concept code, compile and run it in a scratch environment, and iterate when a first attempt failed.

## Main article

That matters because Cloudflare is not describing a simple vulnerability scanner that spits out suspicious code patterns. The company says what changed with Mythos Preview was its ability to reason through exploit construction, especially by taking issues that might look minor on their own and combining them into a more serious path. Cloudflare compared the intermediate reasoning to the work of a senior security researcher rather than the output of a basic automated tool.

Anthropic’s broader Project Glasswing announcement makes the defensive framing even clearer. The company says it has assembled a large group of launch partners including AWS, Apple, Cisco, Google, Microsoft, NVIDIA, and Palo Alto Networks, and is committing up to $100 million in usage credits plus direct donations to open-source security groups. Anthropic argues the goal is to put frontier cyber capability to work for defenders before it spreads more widely.

Cloudflare also used the post to stress that raw model capability alone is not enough. The company says generic coding-agent workflows are too broad and too noisy for meaningful vulnerability research at scale, and that better results came from a harness built around narrow scoped tasks, adversarial review, separate exploitability checks, and many concurrent agents. That is an important detail because it suggests the biggest operational shift may come from how these models are orchestrated, not just how powerful they are in isolation.

The post also includes an important safety caveat. Cloudflare says Mythos Preview sometimes showed inconsistent organic refusals during legitimate research, which is one reason both Cloudflare and Anthropic argue that stronger safeguards would still be needed before capabilities like this could be widely released. So while the model’s apparent progress is striking, the story here is not open access — it is an early look at what top-tier defensive teams believe is arriving fast.

## Why it matters

If Cloudflare’s account holds up, the practical threshold for AI-assisted cyber offense and defense is shifting. Security teams may soon need workflows built around models that can not only spot bugs but also test exploitability and compress the time from discovery to action.

## Source notes

- Cloudflare says Mythos Preview was tested on more than 50 of its own repositories during Project Glasswing work. - Anthropic says Project Glasswing includes major software and infrastructure partners and up to $100 million in Mythos Preview usage credits. - Both companies frame the work as controlled defensive research rather than a public product release.