This week we talk about Project Glasswing, Anthropic, and Q Day.

We also discuss exploit markets, vulnerabilities, and zero days.

Recommended Book: The Culture Map by Erin Meyer

Transcript

In the world of computer security, a zero-day vulnerability is an issue that exists within a system at launch—hence, zero-day, it’s there at day zero of the system being available—that is also unknown to those who developed said system.

Thus, if Microsoft released a new version of Windows that had a security hole that they didn’t know about, but someone else, a hacking group maybe, discovered before it was released, they might use that vulnerability in Windows or Word or whatever else to hack the end-users of that software.

While large companies like Microsoft do a pretty good job, considering the scope and scale of their product library, of identifying and fixing the worst of the security holes that might leave their customers prone to such attacks, that same scope and scale also means it’s nearly impossible to fill every single possible gap: a truism within the cybersecurity world is that defenders need to get it right every single time, and attackers only need to get it right once, and the same is true here. There’s never been a perfect piece of software, and as these things expand in capability and complexity, the opportunity to miss something also increases, and thus, so does the range of possible errors and exploitable imperfections.

Because of how damaging zero-days can be for both users of software and the companies that make that software, there are thriving marketplaces, similar to those that deal in other illicit goods, where those who discover such vulnerabilities can sell them, usually for cryptocurrencies or funds derived from stolen credit cards.

Software companies have countered the increasing sophistication of these exploit black markets with white and grey market efforts, the former being direct payouts to hackers, basically saying hey, thanks for finding this bug, here’s a lump-sum of money, a bug bounty, rather than punishing all hacking of their systems, which is how they would have previously responded, which had the knock-on effect of sending all hackers, even those who weren’t looking to cause trouble, either underground, or actively hunting for bugs for the black market.

The grey market is more complicated and diverse, and also the largest of marketplaces for those shopping around for these types of exploits. And it’s populated by the same sorts of neverdowells who might frequent the exploit black markets, but also includes all sorts of governments and intelligence agencies, who scoop up these sorts of vulnerabilities to use against their opponents, or to deny them to others who might use them instead, against them.

All sorts of governments, from the US to Russia to North Korea to Iran are regular shoppers on these computer system exploit grey markets, and that has created a complicated, entangled system of incentives, as is some cases, it’s better for the US government, or Iranian government, or whomever, if the company making these systems doesn’t know about a bug or other vulnerability, because they just spent several million dollars to buy a map to said bug or gap, which could, at some point in the future, allow them to tunnel into an enemy’s computers and cause damage or steal information.

What I’d like to talk about today is a new AI system that is apparently very, very good at identifying these sorts of exploits, and why this is being seen as a milestone moment for some people operating in the zero day, and overall computer security space.

—

On April 7, 2026, US-based AI company Anthropic announced Project Glasswing—a new initiative that is currently only available to 11 companies that’s meant to help those companies shore-up their cyber defenses before more AI systems like the one that underpins Project Glasswing, which is called Mythos Preview, hit the market.

So these companies, Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, make a lot of stuff, and in particular make and maintain a lot of vital online and device-based software infrastructure, like operating systems and all the stuff that keeps things in our apps and on the web secure.

Mythos Preview is a new model created by Anthropic, similar to their existing Claude models, but apparently vastly more powerful. There are tests that AI companies use to compare the potency of their models at a variety of task types, but those are generally considered to be flawed or game-able in all sorts of ways, so the main thing to know here is that M