The Brief April 08, 2026
On April 7, 2026 — the day after RSAC closed — Anthropic announced Project Glasswing, a restricted initiative giving a small group of major technology and finance companies access to Claude Mythos Preview: an unreleased frontier model that Anthropic itself describes as capable of reshaping the cybersecurity sector and too dangerous for public release.
The partners are not a random selection. They are the organizations that collectively own the largest portion of the world’s shared attack surface:
The capabilities that triggered the restricted release are not theoretical. On the Firefox 147 benchmark, Mythos Preview developed working exploits 181 times compared to just 2 for Claude Opus 4.6 — a 90x improvement in autonomous exploit development. The model has already identified thousands of zero-day vulnerabilities across every major operating system and web browser, including a 17-year-old remote code execution flaw in FreeBSD giving root access to any unauthenticated attacker on the internet, and a multi-step vulnerability chain capable of completely hijacking a Linux machine.
Anthropic has privately warned top government officials that Mythos makes large-scale AI-driven cyberattacks significantly more likely this year. The company’s own Frontier Red Team Lead, Logan Graham, put a number on the threat window: “We need to prepare now for a world where these capabilities are broadly available in 6, 12, 24 months.” The more conservative estimate is six months. The optimistic estimate is two years. Neither is comfortable.
Anthropic has committed $100 million in usage credits to the initiative, with an additional $4 million in direct donations to open-source security organizations. Participating organizations are required to share their findings with the broader industry. The model is not available to the general public, and Anthropic has no plans to change that in the near term.
The largest cybersecurity conference in the world closed March 26 with a signal that now reads as prologue to the Glasswing announcement: the entire industry has converged on agentic AI security as the defining problem of this decade, and not a single vendor on the floor could articulate a complete solution. TechTarget’s post-conference analysis was precise: “Signage blared ‘security for AI agents,’ but there was little clarity about the layers comprising a complete solution for AI agent security.”
Cisco’s Jeetu Patel drew the sharpest line in any keynote: “With chatbots, you worry about getting the wrong answer. With agents, you worry about taking the wrong action.” That distinction — output risk versus execution risk — is the conceptual divide that most enterprise security programs have not crossed. Detection, behavioral analytics, and guardrails all operate on outputs. The action is already taken. Glasswing finds the vulnerability. Nothing on that floor stops the unauthorized action at execution time.
A global survey of 300 enterprise security leaders found that 97% expect a material AI-agent-driven security or fraud incident within 12 months — nearly half within six months. Only 6% of security budgets are currently allocated to agentic AI risk. With Glasswing’s six-month threat actor timeline now on the table, the gap between expected exposure and allocated defense is not a planning problem. It is an active liability.
AI agents operate inside enterprise environments through service accounts, API tokens, and application identities that often carry significant privileges — and their activity closely resembles legitimate system behavior. This is the default operating condition of every enterprise that has deployed agents without execution-time authority controls. The insider threat of 2026 doesn’t need badge access. It already has API credentials.
The Embrace The Red “Agent Commander” research demonstrated that prompt injection into AI coding agents enables persistent remote command-and-control — converting GitHub Copilot, Claude Code, Cursor, and Devin into malware delivery platforms without modifying the tools themselves. A follow-on disclosure from no.security confirmed that Claude Code is specifically vulnerable to prompt injection via markdown files on GitHub. Standard input validation does not apply. Prompt injection bypasses traditional security controls at the semantic layer.
Every piece of content an agent ingests — repositories, issues, comments, documentation — is now a potential adversarial instruction surface. The attack surface is not the tool. It is the content environment the tool operates in. With Mythos-class capabilities approaching general availability, the sophistication of those injected instructions will not remain at current levels.
Three independent data streams converged in a single reporting week: DryRun Security found 87% of AI-generated pull requests introduce security vulnerabilities. no.security disclosed 35 AI-generated CVEs in a single week. GitGuardian documented 28.65 million new hardcoded secrets in public repositories — directly correlated with AI coding assistant adoption. The term “vibe coding” has entered threat intelligence reporting as an enumerated attack surface. Project Glasswing is Anthropic’s response to exactly this class of systemic vulnerability at scale. The question is how much enters production pipelines before it can be patched.
Google Mandiant documented the final closure of the human response window. The median time from initial access to secondary threat handoff has collapsed from eight hours in 2022 to 22 seconds in 2025. Google Cloud’s president of security said plainly: “It’s not possible to mount a human-only defense against an AI attack. The old models of having a human-in-the-loop defense have really got to change.” The agentic SOC is not a roadmap item. It is the minimum viable defense posture for 2026. Microsoft’s RSAC analysis reinforced the operational implication directly: organizations that cannot answer basic inventory questions about their agent environment cannot defend it.
RSAC 2026 closed on March 26 with perfect consensus on the problem and total incoherence on the solution. Twelve days later, Anthropic answered the implicit question that hung over the entire conference floor — not with a product, but with a warning dressed as a program.
Project Glasswing is simultaneously the most important defensive initiative announced this year and a concession that the threat timeline is shorter than most enterprise security programs have planned for. When Anthropic’s own Frontier Red Team Lead says “six months” is the conservative estimate for Mythos-class capabilities reaching threat actors, that number resets every planning assumption built around an 18-to-24-month window. The enterprises currently running agent governance programs on a two-year roadmap are operating on a timeline that Anthropic just cut by two thirds.
The six stories in this issue now form a single coherent argument. Glasswing names the capability horizon. RSAC confirms the solution layer is vacant. The Arkose survey quantifies how many CISOs already know the incident is coming. The promptware research shows the current attack surface. The vibe coding data shows the velocity of vulnerable code entering production. And M-Trends shows that human-speed response cannot close the gap regardless of budget.
Every one of these data points converges on the same architectural requirement: an agent operating in your environment must not be permitted to take action without cryptographic validation that the directive it received originated from a legitimate, authorized principal. Glasswing will find vulnerabilities in code. It will not govern what acts on that code at runtime. Those are different problems requiring different solutions — and only one of them has a vendor on the floor at RSAC.
The authority gap is not a future problem. Project Glasswing just confirmed the timeline is now.
RSAC 2026 closed on March 26 with the industry’s most honest public admission in years: everyone knows what’s broken and nobody brought the fix. I wrote about it last week. The floor named the gap. The booths couldn’t close it. Security leaders left San Francisco with a problem they understood better than when they arrived and a solution layer that was still empty.
Then Anthropic dropped Project Glasswing.
I want to be careful about how I frame this, because Glasswing is genuinely important and the instinct to be cynical about big tech announcements is usually justified. This one is different. Not because of the $100 million in credits or the list of partners — though both matter. It is different because of what Anthropic chose to say publicly alongside the announcement.
That is Logan Graham, Anthropic’s Frontier Red Team Lead. That is not marketing language. That is a technical leader at the organization that built the model telling you, in public, that the conservative estimate for Mythos-class offensive capabilities reaching threat actors is six months. Not a research paper. Not a conference slide. A public statement attached to a restricted model deployment that Anthropic itself called too dangerous to release.
The enterprise security industry has been operating on an 18-to-24-month planning horizon for agentic AI governance. Glasswing just cut that by two thirds on the short end. The organizations in the partner list — Cisco, CrowdStrike, Palo Alto, Microsoft — got a head start. Everyone else got a warning.
Here is what I want CISO readers to understand about the relationship between Glasswing and the authority gap. Glasswing is an extraordinary program for what it does: finding vulnerabilities in code before adversaries can exploit them. It is a pre-deployment defensive capability. It operates on the surface of the software stack — the code, the libraries, the operating system primitives.
It does not operate at the moment an agent decides to act.
When a Mythos-class model in adversarial hands injects a fraudulent directive into an enterprise agent operating with valid credentials — that is not a code vulnerability. The code is clean. The credentials are legitimate. The directive is unauthorized. Glasswing cannot catch it. Behavioral analytics will flag it after the action. The 22-second handoff window means the lateral movement has already propagated before the flag reaches a human.
The only control that operates at the required speed, at the required layer, is cryptographic validation of agent authority at execution time. A mechanism that proves, before the action is taken, that the directive authorizing it originated from a legitimate principal in an unbroken chain back to a human with the actual authority to issue it.
That is what is missing from Glasswing. It is what was missing from every booth at RSAC. It is what every story in this brief points toward.
Six months is the conservative estimate. The clock is running.
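As an added illustration (not code from this brief, from Anthropic, or from any vendor named here), this is one minimal shape the execution-time authority check described above can take: a directive is honored only if it arrives with a delegation chain that starts at a human principal, verifies link by link, and never widens scope. The principal names, keys, and scope strings are constructed, and HMAC-SHA256 stands in for the asymmetric signatures a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed key registry held by the enforcement point (hypothetical names).
# HMAC-SHA256 is a stand-in for per-principal asymmetric signatures.
KEYS = {"alice@corp": b"k-alice", "orchestrator": b"k-orch", "deploy-agent": b"k-agent"}
ROOT_HUMANS = {"alice@corp"}  # assumption: principals holding original authority


def sign(issuer, body):
    """MAC a canonical JSON encoding of body under the issuer's key."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEYS[issuer], msg, hashlib.sha256).hexdigest()


def delegate(issuer, subject, scope, parent_sig=""):
    """Issue a link granting `subject` the listed actions, bound to its parent link."""
    body = {"issuer": issuer, "subject": subject, "scope": sorted(scope), "parent": parent_sig}
    return {**body, "sig": sign(issuer, body)}


def authorize(chain, actor, action):
    """Return (allowed, reason). Called before the action runs, not after."""
    if not chain or chain[0]["issuer"] not in ROOT_HUMANS:
        return False, "chain does not start at a human principal"
    holder, scope, parent = chain[0]["issuer"], None, ""
    for link in chain:
        body = {k: link[k] for k in ("issuer", "subject", "scope", "parent")}
        if link["issuer"] != holder or link["parent"] != parent:
            return False, "broken chain"
        expected = sign(link["issuer"], body) if link["issuer"] in KEYS else ""
        if not hmac.compare_digest(expected, link["sig"]):
            return False, "bad signature"
        if scope is not None and not set(link["scope"]) <= scope:
            return False, "scope widened"
        holder, scope, parent = link["subject"], set(link["scope"]), link["sig"]
    if holder != actor:
        return False, "actor is not the delegate"
    if action not in scope:
        return False, "action outside delegated scope"
    return True, "ok"


# Constructed sample: a human delegates to an orchestrator, which delegates to an agent.
LINK1 = delegate("alice@corp", "orchestrator", ["deploy:staging", "read:repo"])
LINK2 = delegate("orchestrator", "deploy-agent", ["deploy:staging"], LINK1["sig"])
CHAIN = [LINK1, LINK2]
```

A directive that reaches the agent through ingested content carries no such chain, so it is refused before execution even though the agent's own credentials are valid.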