Expanding Project Glasswing
Overall view of Project Glasswing / Mythos rollout
- Many see the limited-access expansion as a classic scarcity/urgency marketing move targeting large enterprises and governments, cementing Anthropic as “essential infrastructure.”
- Others argue the gated rollout looks like a genuine attempt at responsible deployment, given cyber misuse risks and time needed for remediation.
- Some think the “too powerful to release” framing echoes past AI-safety marketing (e.g., prior GPT releases).
Capabilities vs hype
- Supportive comments cite third‑party writeups (e.g., Mozilla, Cloudflare, wolfSSL, government benchmarks) claiming Mythos finds many real, high‑severity bugs and can chain vulnerabilities into working exploits.
- Skeptical commenters emphasize:
  - Dependence on elaborate “harnesses” and workflows rather than unique model magic.
  - Irreproducible or cherry‑picked benchmarks.
  - Other strong models (e.g., GPT‑5.5‑Cyber, open‑weights ensembles) being close in capability.
- Some note that Mythos appears to mainly amplify skilled humans rather than autonomously outclassing top experts, contradicting some marketing language.
Practical experiences and false positives
- Reports from organizations with access describe:
  - Large volumes of findings, many minor, inapplicable, or false positives.
  - Executives overreacting to every flagged issue, creating chaos and busywork.
  - Value mainly when used in multi‑stage pipelines with deduping, PoC generation, and human triage.
- Others report good results from regular Claude/Opus for security and performance auditing, but still with substantial noise.
Compute constraints and business incentives
- One camp claims Anthropic is compute‑constrained and using safety as cover, especially given Mythos’ high token cost and looming IPO.
- Counterpoints:
  - Anthropic has recently added large new compute contracts.
  - They could, in principle, ration access via higher prices.
- It’s unclear whether safety, capacity, pricing optics, or IPO signaling is the dominant reason for the slow rollout.
Broader security, memory safety, and OSS impacts
- Discussion branches into:
  - Social‑engineering risks and a future where strong authentication / FIDO keys become mandatory, potentially at the cost of human‑centric support.
  - Using AI (and Rust rewrites) to improve memory safety; others worry such rewrites are unmaintainable, disrespect OSS communities, and could introduce new logic bugs.
  - Concern that LLM‑driven scanning will flood teams with alerts, shift liability expectations, and turn “AI said it’s a vuln” into management pressure, without necessarily improving real‑world security.