
Anthropic Gave Its Dangerous Model to Defenders

By Addy · April 8, 2026

In the last week of March 2026, Claude subscribers started hitting their usage limits faster than usual. A Max 5x user paying $100 a month reported burning through their session in one hour of work. Another said they got twelve usable days out of thirty. Reddit threads filled with the same complaint: something had quietly changed, and nobody at Anthropic had said anything.

On March 26, Anthropic confirmed it. An engineer named Thariq Shihipar posted on social media that the company was "adjusting" five-hour session limits during peak hours - 5 AM to 11 AM Pacific - to manage growing demand. Weekly limits remained unchanged. The rate at which sessions burned through did not. Around 7 percent of users, Shihipar said, would hit limits they had not hit before. He acknowledged it was frustrating. He did not explain what the demand was actually coming from.

On April 7, eleven days later, Anthropic announced Project Glasswing.

The two events are connected. Understanding how requires understanding what Anthropic has been running in the background while its subscribers waited for their session windows to reset.


What Project Glasswing Is

Project Glasswing is a controlled-release cybersecurity initiative built around Claude Mythos Preview - the model that first became public knowledge when Anthropic accidentally exposed internal documents in March, and which was described in those documents as "by far the most powerful AI model" the company had ever built, "currently far ahead of any other AI model in cyber capabilities."

Anthropic has not made Mythos Preview publicly available. The company does not plan to. The reason stated is direct: the model's cybersecurity capabilities are considered too dangerous to release without restriction.

Instead, Anthropic assembled a coalition. Launch partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. An additional 40 organizations that build or maintain critical software infrastructure have been granted access. Anthropic is committing up to $100 million in usage credits for Mythos Preview across the effort, plus $4 million in direct donations to open-source security organizations.

The mission: use Mythos Preview to find and fix vulnerabilities in the world's most critical software before adversaries find and use them first.


What the Model Has Already Done

This is not a pilot program or a proof of concept. Mythos Preview has already been working.

Anthropic reports that it used the model to identify thousands of zero-day vulnerabilities - meaning flaws previously unknown to the software's developers - across every major operating system and every major web browser, along with other critical software. Confirmed findings include vulnerabilities in OpenBSD code dating back 27 years and FFmpeg code 16 years old. Technical details for a subset of vulnerabilities that have already been patched have been published on Anthropic's Frontier Red Team blog.

The capability that makes this significant, and dangerous, is the model's ability to chain vulnerabilities. Nicholas Carlini, a researcher at Anthropic, described it directly: the model can take two independent vulnerabilities, neither of which accomplishes much on its own, and chain them into an exploit that achieves something neither could alone. This is the kind of reasoning that separates a capable security researcher from an automated scanner. Mythos Preview, according to Anthropic, does it at scale.

On CyberGym vulnerability reproduction testing, Mythos Preview scored 83.1% versus Claude Opus 4.6's 66.6%. The gap is significant enough to qualify as a different class of capability, not an incremental improvement.

This is also why the model is not available to the public. The same capability that finds a chained exploit in a browser stack to report and patch it can find a chained exploit to use it. Anthropic has concluded that releasing that capability broadly, before the software industry has had time to patch the vulnerabilities it can find, would do more harm than good. So the model goes to defenders first.


The Resource Cost Nobody Mentioned

There is a cost to running a frontier model that can chain vulnerabilities across major operating systems at scale. That cost does not appear in Anthropic's public communications about Project Glasswing. It appeared instead in the experience of subscribers trying to use Claude in the last week of March.

The compute infrastructure required to run Mythos Preview - for the Glasswing coalition, for Anthropic's own security research, for the scanning that produced thousands of zero-day findings - draws from the same pool that serves Claude's subscribers. Inference at this scale is expensive. GPUs cannot be added overnight. When demand exceeds supply, something has to give.

What gave was session limits for regular users.

Anthropic's public explanation was demand growth. That is accurate as far as it goes: Claude hit number one on the US App Store for the first time, web traffic jumped over 30 percent month-over-month, and a promotion that doubled off-peak usage limits ended on March 28. All of those factors are real. None of them explains the full picture.

The fuller picture is that Anthropic was simultaneously running a frontier model through thousands of vulnerability scans across critical global infrastructure, committing $100 million in usage credits to a cybersecurity coalition, and serving a record number of subscribers on flat-rate plans - all on the same infrastructure. A Max subscriber who burned through their session in an hour was not just competing with other subscribers. They were, unknowingly, competing with an AI security operation scanning the Linux kernel.

This is not a criticism of Anthropic's decision. It is an accurate description of the trade-off the company made. When a company trains or deploys something at the frontier, the cost lands somewhere. In this case, it landed on the people paying $100 and $200 a month.


Why Open Source Is the Real Stakes

Project Glasswing's most consequential aspect is not the coalition of technology giants. Those companies have security teams. Some of them have the largest security teams in the world. Apple and Microsoft and Google do not need Anthropic to find their vulnerabilities - they need it to find them faster than hostile actors can.

The more structurally important part of Glasswing is the open-source component.

As the Linux Foundation's CEO Jim Zemlin put it, open-source maintainers have historically been left to figure out security on their own. Open-source software constitutes the vast majority of code in modern systems - including the systems that AI agents now use to write new software. A vulnerability in a foundational open-source library does not affect one company's systems. It affects every system built on top of it, which in 2026 means most of the infrastructure the internet runs on.

Anthropic is giving over 40 organizations that maintain critical open-source software access to Mythos Preview, and has donated $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation. Open-source maintainers who want access can apply through Anthropic's Claude for Open Source program.

The argument is that the same asymmetry that has always plagued open-source security - sophisticated attackers versus under-resourced defenders - can be partially corrected by giving those defenders access to the most capable security tooling in existence. Not as a service they pay for. As a resource they apply to use.

That is a meaningful structural change, if it holds. The question is whether it scales and whether it outlasts the research preview period.


The Uncomfortable Parallel

Project Glasswing was announced the same day Anthropic disclosed its revenue milestone and a major compute deal with Broadcom and Google that will give the company access to approximately 3.5 gigawatts of computing capacity. The timing is not incidental.

Anthropic has a model it describes as the most capable it has ever built, with cybersecurity abilities it considers too dangerous to release broadly. It has a revenue story it needs to tell ahead of a potential IPO. It has a subscriber base that just experienced unexplained session throttling. And it has a piece of critical global infrastructure - the open-source software ecosystem - that has been chronically under-resourced for decades.

Project Glasswing addresses all of these simultaneously. It channels Mythos Preview's capabilities toward a defensible public good. It positions Anthropic as a responsible actor managing powerful technology carefully rather than racing to release it. It builds relationships with the largest technology companies in the world. And it funds open-source security organizations that have historically lacked resources.

Whether the model actually stays out of the wrong hands is a different question. Anthropic itself said it plainly: "Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely." The company is not claiming Glasswing prevents that. It is claiming Glasswing buys defenders a head start.

A head start measured, in part, in session limits that Claude's paying subscribers did not know they were contributing to.


What Comes Next

Mythos Preview will not remain in preview indefinitely. Anthropic has said its eventual goal is to deploy Mythos-class models safely at scale. The path there runs through a new Claude Opus model that will carry improved safeguards, allowing Anthropic to refine those safeguards on a model that does not carry the same risk profile as Mythos Preview.

When those safeguards are ready, a Cyber Verification Program will allow security professionals whose legitimate work is affected by the restrictions to apply for expanded access.

The compute picture will also change. The Broadcom-Google deal signals that Anthropic is building toward the capacity needed to serve frontier models at scale without cannibalizing subscriber sessions. Whether that capacity arrives before subscribers lose patience with limits they cannot predict or plan around is a different question.

For now, the equation is this: Anthropic has the most capable security model it has ever built. It has decided the right use of that model is not a product launch. It is a coalition. The cost of running that coalition is shared across the same infrastructure that serves the people paying for Claude every month.

The subscribers who hit their limits in March were not victims of mismanagement. They were, without being told, participants in something larger. Whether that framing is satisfying depends on how you weigh a patched zero-day in a major operating system against an hour of coding time you did not get to use.

