Mythos and Glasswing: Reality Check and Path Forward
4–13–2026 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, April 13, 2026. For those who may run into this show in the archive, the War in Iran saw failed negotiations over the weekend and now the US is imposing a blockade of all ships attempting to transit the Strait of Hormuz.
But, despite the fact that we’ve covered the War week-over-week here, that’s not the bit we’re going to focus on. Instead, we’re talking Mythos, Glasswing, and the potential of an AI-driven cybersecurity paradigm shift.
Mythos and Glasswing: Reality Check and Path Forward
We talked about Anthropic last week in the context of their data leak, but we’re talking about them this week in the context of a product launch - namely a new model called Mythos, which was launched in preview to a very select number of customers (40, or so, if you believe the press release on Project Glasswing).
Why a small group? Well, Anthropic claims this new model is so powerful at finding and exploiting cyber security bugs that it can’t be released to the wild until the large players have had a chance to patch what it finds in their operating systems.
Anthropic claims that of the manually verified findings, 98% were validate and aligned with severity levels.
They’re pretty clear, too, that this is actually fully automated, noting that they “mean that no human was involved in either the discovery or exploitation of this vulnerability after the initial request to find the bug.”
The more skeptical in my network think the timing of this announcement is too convenient in relationship to last week’s oopsie, and it’s just PR to cover for their leak, but I think there’s actually something real here, and so do many leaders at these organizations.
In fact, Bloomberg reports that the Treasury Secretary and Federal Reserve Chair here in the US summoned leaders from Wall Street last week to an urgent in-person meeting to emphasize just how serious of a risk this is.
Project Glasswing, a related effort, was announced as a partnership between Anthropic and the largest tech players in the world - backed by both $100M in usage credits (read: tokens) and $4M in direct donations to open-source organizations.
And by largest tech companies, we’re not messing around: Amazon, Apple, Broadcom, Cisco, Crowdstrike, Google, Microsoft, Nvidia, Palo Alto, JPMorgan Chase, and more.
Anthropic also had a good list of suggestions for defenders today, which I’m more than happy to pass along.
They include:
“Use generally-available frontier models to strengthen defenses.” I think this is good advice in general - if you’re not making the most of the tools available to you today, do that now and don’t get distracted by the shiny thing.
“Think beyond vulnerability finding.” How do to you triage bug reports, how do you patch them, how do you support your engineers and operations teams, what are the implications for legacy systems or cloud infrastructure, etc.?
“Shorten Patch Cycles.” Good advice generally, of course, but if you know that new vulnerabilities are going to be discovered at a rapid pace, best get ready to patch at as rapid of a pace as you can muster. And start building those workflows now.
“Automate your technical incident response pipeline.” This one is easier said than done, but again - if you’re going to need to match the pace of this Mythos model as an organization, automation is your only hope. Start accelerating that now.
They note a hard truth at the end, reminding us “ultimately, it’s about to become very difficult for the security community.” And maybe that’s true, but maybe also we’ll raise the awareness and why these issues matter, the ability to patch ones we find, and work to introduce fewer vulnerabilities into the code we push out.
Not to be outdone, OpenAI has - of course - has its own “Trusted Access for Cyber” pilot program and is reportedly working on some security specific models, but details remain sparse.
The truth about all of these bugs and vulnerabilities is that they were already present, we’re just now finding out about them. Let’s try to take the silver lining here, and hope that the same tools that help rapidly identify these issues can also help us rapidly address them.
Fundraising
From a fundraising perspective, following-up on last week’s nearly $40B week with another strong showing of nearly $27B in newly committed capital, led by:
Blackstone raised $10b for its fifth opportunistic credit fund; and
ArcLight, a Boston-based energy and infrastructure PE firm, raised $3.9b for its eighth fund.
At this rate, we’re headed towards a $100B month for April, and the mechanics of all this still boggle my mind.
Lots of bets being placed in lots of places, and it’s still not clear to me which ones are going to pay off.
That’s why I’ll stay focused on building resilience in our client organizations so that they can stay in the game.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://red.anthropic.com/2026/mythos-preview/
https://www.anthropic.com/glasswing
https://www.ft.com/content/397bf755-54cf-4018-a01d-8f714d8667c5
https://www.axios.com/2026/04/09/openai-new-model-cyber-mythos-anthopi