Developing News
Does Project Glasswing Expose P&C Industry’s Glass Jaw?
n early April, Anthropic made headlines with reports that its latest AI model, Mythos Preview, “has already found thousands of high-severity [cyber] vulnerabilities, including some in every major operating system and web browser.”1 The model identified and crafted exploits for vulnerabilities unscathed by decades of security research. Anthropic subsequently launched Project Glasswing in collaboration with over 50 companies, such as Amazon, Apple, and Google, to help fortify their defensive postures using the Mythos Preview. Mythos may be a warning sign for a market defined by “sustained softening,”2 but opinions remain divided regarding whether it represents a true step change in offensive capability.
Some security experts say much of Mythos’s discovery capability was already available through savvy orchestration3 of existing models for months if not a full year. Offensive security platform XBOW, which was invited by Anthropic to evaluate Mythos, found that it significantly outperforms predecessors in discovering “validated, actionable vulnerabilities in live website environments.”4 Figure 1 displays the estimated chance of discovery based on XBOW’s report at various output token budgets.5
At higher budgets, the models begin to converge, especially between Mythos and its direct predecessor, Opus 4.6.
Mythos’ exploitation capabilities appear to be more novel than its discovery capabilities. AI Security Institute (AISI) found that Mythos succeeded in 73% of expert-level6 identification and exploitation tasks — tasks that no model could complete before April 2025. Mythos succeeded three out of 10 times and completed an average of 22 out of 32 steps of The Last Ones (TLO) corporate network attack simulation. Figure 2 compares Mythos’s performance to that of other models at different token consumption.7
While no other model completed TLO at any budget, Mythos’ successful completion required multiple tries and extensive computational resources. Other models achieved results similar to that of Mythos in lower budget ranges. AISI credited Mythos for its strong autonomous attacking capability against weakly defended systems but “cannot say for sure whether Mythos Preview would be able to attack well-defended systems.” Project Glasswing itself illustrates a growing viewpoint that AI may empower defense8 more than offense.
What this means for actuaries:
Actuaries may consider revisiting frequency assumptions both generally and within catastrophe models, particularly where upstream points of failure, such as Amazon Web Services or Microsoft Azure, have contributed to recent near-miss cyber aggregation events.13 Vulnerability and resilience covariates14 may also assume greater importance in pricing and exposure models.
- https://www.anthropic.com/glasswing.
- https://www.reinsurancene.ws/cyber-insurance-market-enters-critical-phase-amid-softening-rates-and-rising-exposure-dual/.
- https://www.cnbc.com/2026/05/08/anthropic-mythos-ai-cybersecurity-banks.html.
- https://xbow.com/blog/mythos-offensive-security-xbow-evaluation. XBOW defines actionable as a validated way to act on the vulnerability after a series of 80 actions.
- The author started with XBOW’s graph “finding web vulnerabilities in OSS with fixed token budget,” extracted points, converted the y-axis from odds to likelihood, and interpolated as needed to produce this graph.
- https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities. The author started with AISI’s graph “completed steps on The Last Ones per spent tokens,” extracted points, and interpolated as needed to produce this graph.
- https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities. The author started with AISI’s graph “completed steps on The Last Ones per spent tokens,” extracted points, and interpolated as needed to produce this graph.
- https://www.belfercenter.org/sites/default/files/2026-03/ISEC.a.398.pdf.
- https://ar.casact.org/ai-generates-single-point-of-failure-rethink/.
- https://beinsure.com/ransomware-evolution/.
- https://digital.casact.org/issue/may-june-2026/the-stem-hero-at-the-front-lines-of-the-ai-revolution/.
- https://insights.cybcube.com/en/cyber-insurance-in-the-age-of-claude-mythos.
- https://ar.casact.org/amazon-aws-and-microsoft-afd-outages-pcs-latest-cyber-kitty-cat-events/.
- https://www.insurancebusinessmag.com/uk/news/cyber/cyber-insurance-improves-but-gaps-remain-575275.aspx.