Anthropic Built AI Too Dangerous to Release. It's in Your Power Grid.

The history of dual-use technology follows a pattern. Someone builds something powerful enough to change everything. Then people realize it can change everything in both directions. Then the question becomes: who gets to decide which direction?

We are at that moment with Claude Mythos.

Anthropic's most capable model yet — not available to you, not available to developers through an API, not accessible to the thousands of companies building products on Claude — has just been given to 150 organizations operating power grids, water treatment facilities, hospitals, and communications networks across 15 countries. Every organization in the cohort was chosen for the same reason: a successful attack on their systems could affect more than 100 million people.

This is Project Glasswing. And the reason you haven't heard much about it isn't that it isn't working. It's that it's working so well that Anthropic won't say exactly how.

The Capability Gap

What Claude Mythos can do is specific enough to be alarming. Given access to a codebase, the model can systematically identify zero-day vulnerabilities — security flaws that haven't been publicly disclosed, for which no patch exists, that human security teams may have missed for years. The initial cohort of about 50 partners, which included the U.S. government, used Mythos to scan their systems over several weeks. The result: more than 10,000 high or critical severity flaws identified.

Ten thousand holes. In the infrastructure of governments and critical systems that were presumably being maintained by competent security teams.

To be clear, finding vulnerabilities is what Anthropic intended. That's the whole point of Project Glasswing. But notice what's sitting just beneath the surface of that achievement: an AI that can read a million lines of code and identify the specific places where an attack would succeed isn't just a defensive tool. It's a blueprint generator. The same capabilities that let it defend are the capabilities that, in different hands, would let someone design an attack.

The Circular Logic

This is why Anthropic won't release Mythos publicly. In their own framing, they're working to develop "highly robust safeguards" before any general access — safeguards that "developers have yet to develop," as they put it. Which is a remarkable thing to admit out loud: we've built a tool capable of causing catastrophic harm, we haven't figured out how to prevent that yet, and we're deploying it anyway, but only to the most critical targets.

The logic is simultaneously coherent and unsettling. If AI can find vulnerabilities in critical infrastructure, the argument goes, better for the defenders to have it than for the attackers to discover it independently. Give the water utilities the AI before someone gives it to people who want to take the water utilities down.

That's a defensible position. Anthropic isn't being reckless — they're making a bet that controlled deployment to defensive actors is better than waiting for adversaries to get there first. The same argument was made about nuclear deterrence, about offensive cyber capabilities, about every dual-use technology where one side having it first seemed better than neither side having it.

The uncomfortable part is what the argument requires you to assume: that all 150 organizations chosen for Glasswing will use this capability only as intended, secure their access appropriately, and avoid the kind of insider threat or institutional failure that has compromised every other sensitive technology program in history. Across 15 different countries with 15 different regulatory environments and 15 different definitions of who counts as an adversary.

A Pattern Worth Watching

Dual-use technology isn't new. Explosives built highways and also wars. Nuclear physics gave us power generation and also weapons. The same research that produced radar gave us microwave ovens. Encryption algorithms protect banking and also criminal networks. Every technology powerful enough to be genuinely useful has also been powerful enough to be genuinely dangerous.

What's different about AI is the compression of timelines. The printing press took decades to become weaponized. Nuclear technology moved from discovery to deployment in roughly six years under wartime conditions. Large language models went from research curiosity to critical infrastructure deployment in less than five years, accelerating even as the capabilities expanded.

Anthropic went public last month at $965 billion on the promise that safety and capability could be developed together. Project Glasswing is that thesis in practice. And the honest version of the thesis is: we're deploying capabilities we can't fully constrain yet, in the most critical systems we have, because the alternative might be worse.

That might be right. It's also something the public should be following more closely than a TechCrunch brief.

The Question That Is Not Being Asked

There are two versions of how this plays out.

In the optimistic version, AI finds more vulnerabilities than human security researchers, faster, in systems that have been inadequately protected for decades. Hospitals stop getting ransomed. Power grids get harder to attack. The technology narrows the gap between the sophistication of attacks and the sophistication of defenses, and it turns out that gap was always the real problem.

That version might be exactly what happens.

But there's another version, and it deserves scrutiny proportional to the stakes: a model too dangerous to release publicly is now embedded in 150 critical infrastructure systems across 15 countries, with safeguards that Anthropic's own communications acknowledge are incomplete. The first 50 partners found 10,000 critical vulnerabilities. Anthropic is expanding to 150 organizations. Someone, eventually, will ask what happens when that catalog of vulnerabilities — the precise locations of 10,000 holes in critical systems — ends up somewhere it wasn't supposed to.

That's not a reason to stop. It might be a reason to pay more attention to who's asking the question.

---

If you find this kind of analysis useful, the About.chat newsletter covers the AI industry every week — without the press release framing.