Project Glasswing: Mythos Preview chained bugs into working exploits during live scans

Project Glasswing ran security‑focused large language models against live production code and invited Anthropic’s Mythos Preview to scan more than fifty internal repositories. The team found Mythos Preview could not only detect vulnerabilities but also chain small primitives into full exploits and generate executable proofs of concept — a shift that compresses the time between discovery and real‑world attack and alters how defenders must prioritize fixes and mitigations.

The team observed two concrete technical advances in Mythos Preview. First, the model could construct multi‑step exploit chains by combining small primitives: for example, transforming a use‑after‑free into arbitrary read/write, then hijacking control flow and assembling return‑oriented programming sequences. Second, Mythos Preview generated working proofs by writing code to trigger a suspected bug, compiling and executing that code in a scratch environment, reading failures, refining its hypothesis, and repeating until a proof succeeded.

When the Project Glasswing harness ran other frontier models, many of those models identified the same underlying bugs and sometimes produced strong reasoning about root causes. However, those models typically stopped short of stitching primitives into a full exploit. Mythos Preview’s ability to complete exploit chains therefore represents a qualitative change in what automated tools can produce. The specific Mythos Preview instance used in Project Glasswing lacked the additional safeguards present in generally available models such as Opus 4.7 or GPT‑5.5, a distinction the authors highlight when comparing behaviors.

That capability has immediate operational implications. Issues rated low severity in triage queues can be compounded into high‑severity attacks if an automated model can chain and prove exploits, and automated proof generation shortens the time between discovery and exploitation. The write‑up emphasizes urgent needs around triage, faster patching timetables, and runtime controls to limit automated proof testing against production surfaces. The team also reported inconsistent, emergent refusal behavior. Mythos Preview sometimes pushed back on legitimate vulnerability‑research tasks even without extra safety layers, and the same request framed differently could produce different responses. Those inconsistencies complicate reproducible research and make tooling that depends on predictable model behavior harder to trust for defensive workflows.

Project Glasswing’s conclusion is operational: using frontier security models at scale demands changes to architecture and process. The authors recommend sandboxed execution, reproducible harnesses, comprehensive audit logging, and consistent guardrails around what models are permitted to compile and run-controls they argue should be in place before similar models are broadly used for vulnerability hunting or red‑team automation.