Anthropic Opens Claude Findings to Public, Reduces Mystique

Late one Tuesday, a security engineer at Cloudflare leaned back and reread an email that could change how companies share AI-driven cyber findings. He’d documented chains of low-severity bugs turned into a single exploit by Claude Mythos Preview. By the time he clicked send, the rules about who could speak were already shifting.

I follow these moves because they matter to you—whether you run a security team, build software, or buy cloud services. Anthropic’s tight circle around Claude Mythos Preview is loosening, and that shift will reshape how threat intelligence travels across the industry.

Cloudflare published real-world test results after probing Mythos Preview

Grant Bourzikas, Cloudflare’s chief security officer, put his findings on a blog and didn’t tuck them behind an NDA.

That post reads like a field report: Mythos Preview behaves like other LLM-based bug finders, but it chains small issues into far more dangerous exploits. When I read it, the line that stuck with me was simple and chilling—minor bugs that once collected dust are now arrows that can be strung together into a single lethal volley. This is one of two metaphors I’m using: Mythos acts like a magnifying glass that turns scattered embers into a roaring fire.

Bourzikas even invited peers to compare notes, providing an email for collaboration. That little invitation signals a larger change: security teams want to trade intelligence fast, and secrecy contracts that forbid sharing are becoming a practical problem.

Can companies share findings from Claude Mythos Preview?

Short answer: yes, and more easily than before. According to the Wall Street Journal, Anthropic originally required Mythos Preview users to sign confidentiality agreements that limited who could be warned. Representative Josh Gottheimer pushed back, arguing no party should be barred from informing trusted stakeholders about urgent cyber risks.

Anthropic says those partner-requested protections were added early, but Project Glasswing has “matured,” and agreements now let participants share key information beyond the original cohort. For you, that means vulnerability reports that might once have been siloed could now reach engineering teams and incident responders faster.

Project Glasswing started secret and exclusive, then began to open

Project Glasswing reportedly began as a private experiment with roughly 50 partners.

I watched this unfold like a quiet beta for the world’s most feared security model. At first, exclusivity created mystique—only a few could test Mythos Preview, and those testers were contractually constrained. Now Anthropic says the program has matured. They’ve softened language so that companies can coordinate mitigations and alert stakeholders without legal roadblocks.

What is Project Glasswing?

Project Glasswing is Anthropic’s invite-only program for vetting Mythos Preview, the company’s advanced cybersecurity model. Think of it as a limited circle of testers mapping an unknown coastline; the debate has been whether those maps should be locked in a vault or shared with sailors and port authorities.

OpenAI launched Daybreak in public while Anthropic quietly revised rules

OpenAI announced Daybreak last week and opened sign-ups to a broad audience.

The contrast matters. Sam Altman publicly invited companies to submit codebases for scanning, encouraging as many participants as possible. Anthropic’s earlier secrecy now looks like a deliberate experiment in control that had to bend to reality. Competition from OpenAI’s more public approach likely pushed Anthropic to let findings flow beyond Glasswing’s original walls.

How does Anthropic’s approach compare to OpenAI’s Daybreak?

OpenAI took a wide-open approach with Daybreak; Anthropic started closed and is loosening. For defenders, openness accelerates patching. For vendors, openness risks exposing model limits and fueling sensational headlines. You should be watching both programs if your stack intersects with LLM-assisted security tooling.

Congress, customers, and security officers forced a policy rethink

Representative Josh Gottheimer’s letter made the stakes political.

When lawmakers, enterprise CISOs, and public-facing security teams object to secrecy, a company has to answer. Anthropic said partners originally requested confidentiality protections, but pressure from elected officials and public posts from firms like Cloudflare nudged the company to change course. That is the second metaphor: secrecy was a pond covered by morning fog, clear enough to walk on until the water stirred and the fog lifted.

I want you to note one practical result: faster coordination between vendors and customers often means faster mitigations and fewer victims.

What this will mean for the industry and for you

Security intelligence spreads differently when gates are removed.

If you manage risk, expect more public write-ups, coordinated disclosures, and cross-company comparisons tied to Claude Mythos Preview and Daybreak. If you build LLM-powered tools, expect scrutiny from rivals, journalists, and congressional inquiries. The mystique that once insulated Mythos will fade as real-world examples and technical write-ups proliferate—good for defenders, noisy for PR teams, and fertile ground for researchers at places like Cloudflare, Anthropic, and OpenAI.

I’ll keep watching the documents, the blog posts, and the congressional notes. How will you change your threat-intelligence playbook now that the silence around Mythos is breaking?