🧭 When Anthropic decided not to release Mythos publicly, they did something unusual for an AI company: they chose restraint.
Project Glasswing gives defensive access to Mythos to a small group: AWS, CrowdStrike, Microsoft, Palo Alto Networks, JPMorgan Chase, and about 40 others, with up to $100 million in credits. The idea is simple: let the defenders patch what Mythos found before the offensive capabilities proliferate.
It’s a reasonable bet. Simon Willison called it “necessary.” I’d go further — it’s the most responsible thing a frontier AI lab has done to date.
But it has a shelf life.
Fortune reported that other AI companies are expected to release models with similar capabilities within 6 to 18 months. Yann LeCun already argues that smaller, cheaper, open-weight models can reproduce much of the same analysis. Whether he’s right today doesn’t matter. He’ll be right eventually.
Which means Glasswing is a window, not a wall.
And here’s what I keep asking: what happens when the window closes?
I’ve been deploying risk frameworks in Latin America for over two decades. I’ve watched organizations buy every tool, patch every critical finding, pass every audit — and still not be able to tell their board what a breach would actually cost.
The tools get faster. The dashboards get greener. And the fundamental question remains unanswered: are we reducing real risk, or just moving faster in the wrong direction?
↳ Speed without governance is chaos with better metrics.
↳ Glasswing gives defenders tools. Governance tells them where to point those tools.
↳ You can patch a thousand zero-days in a quarter. But if you don’t know which of those zero-days sits in front of a $50 million loss scenario, you’re just playing whack-a-mole at machine speed.
This is where FAIR becomes the operating system underneath the speed.
I’ve deployed FAIR — Factor Analysis of Information Risk — in organizations across eight countries. The pattern is always the same: before FAIR, the team patches everything the scanner flags. After FAIR, they patch what the loss model prioritizes.
That distinction is the difference between busy and effective.
FAIR takes the output of any tool — including AI-powered ones like Mythos — and converts it into the four inputs a board can actually act on:
↳ Loss scenario: not “we have vulnerabilities” but “a ransomware event targeting our ERP has a 23% annual probability and a $4.2M expected loss.”
↳ Control effectiveness: not “we have a firewall” but “our current controls reduce the frequency of this scenario by 40% and the magnitude by 15% — here’s the gap.”
↳ Comparative analysis: not “we have more patches than last quarter” but “our residual risk decreased by $1.8M because we addressed the three scenarios with the highest expected annual loss.”
↳ Investment justification: not “we need more budget” but “a $600K investment in these specific controls reduces expected annual loss by $3.1M across our top five scenarios.”
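To show what the arithmetic behind those four inputs looks like, here is a small FAIR-style calculation. It is an added example, not code from the original post and not a reference implementation of the FAIR standard. It follows the usual FAIR shape: loss event frequency and loss magnitude are each given as a three-point estimate (minimum, most likely, maximum) sampled from a PERT distribution, the annualized loss is simulated by Monte Carlo, and the closed-form expected value (mean frequency times mean magnitude) is kept alongside as a sanity check. The ranges are constructed for illustration: the post’s 0.23/year and $4.2M are taken as the most-likely points, with $4.2M read as the loss of a single event rather than the annualized figure, and the 40% / 15% / $600K control figures are applied to that scenario.

```python
"""FAIR-style scenario quantification: frequency x magnitude, Monte Carlo plus closed form.
Added illustration; the scenario ranges below are constructed, not measured."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (min, most likely, max), the usual FAIR input form."""
    lo: float
    mode: float
    hi: float

    def mean(self) -> float:
        # Modified-PERT mean with the standard shape parameter lambda = 4.
        return (self.lo + 4 * self.mode + self.hi) / 6

    def sample(self, rng: random.Random) -> float:
        # PERT is a rescaled Beta distribution; a degenerate range returns the point.
        if self.hi <= self.lo:
            return self.lo
        span = self.hi - self.lo
        alpha = 1 + 4 * (self.mode - self.lo) / span
        beta = 1 + 4 * (self.hi - self.mode) / span
        return self.lo + span * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: Pert   # loss events per year
    magnitude: Pert   # loss per event, in dollars

    def expected_ale(self) -> float:
        """Closed-form annualized loss expectancy: E[events/yr] * E[loss/event]."""
        return self.frequency.mean() * self.magnitude.mean()

    def with_controls(self, freq_reduction: float, mag_reduction: float) -> "Scenario":
        """Residual scenario after controls that cut frequency and magnitude by given fractions."""
        f, m = 1 - freq_reduction, 1 - mag_reduction
        return Scenario(
            self.name + " (residual)",
            Pert(self.frequency.lo * f, self.frequency.mode * f, self.frequency.hi * f),
            Pert(self.magnitude.lo * m, self.magnitude.mode * m, self.magnitude.hi * m),
        )


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small per-year rates used here."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate(scenario: Scenario, years: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo: each trial is one year; the year's loss is the sum of per-event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = scenario.frequency.sample(rng)
        events = poisson(rng, rate)
        losses.append(sum(scenario.magnitude.sample(rng) for _ in range(events)))
    losses.sort()

    def pct(q: float) -> float:
        return losses[min(int(q * years), years - 1)]

    return {"mean": sum(losses) / years, "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}


def control_value(baseline_ale: float, residual_ale: float, annual_cost: float) -> dict:
    """The 'investment justification' line: expected loss avoided per year versus what it costs."""
    reduction = baseline_ale - residual_ale
    return {"reduction": reduction, "net_benefit": reduction - annual_cost,
            "benefit_per_dollar": reduction / annual_cost if annual_cost else math.inf}


# Constructed inputs (assumed for illustration): ransomware against the ERP, most likely
# 0.23 events/yr and $4.2M per event, with ranges around those points.
RANSOMWARE_ERP = Scenario("Ransomware on ERP", Pert(0.10, 0.23, 0.50),
                          Pert(1_000_000, 4_200_000, 12_000_000))
# Controls from the post's example: -40% frequency, -15% magnitude, $600K per year.
RESIDUAL = RANSOMWARE_ERP.with_controls(0.40, 0.15)
CONTROL_COST = 600_000

if __name__ == "__main__":
    for s in (RANSOMWARE_ERP, RESIDUAL):
        r = simulate(s)
        print(f"{s.name}: closed-form ALE ${s.expected_ale():,.0f}; simulated mean "
              f"${r['mean']:,.0f}, p90 ${r['p90']:,.0f}, p95 ${r['p95']:,.0f}")
    v = control_value(RANSOMWARE_ERP.expected_ale(), RESIDUAL.expected_ale(), CONTROL_COST)
    print(f"ALE reduction ${v['reduction']:,.0f}, net ${v['net_benefit']:,.0f}, "
          f"${v['benefit_per_dollar']:.2f} of expected loss avoided per $1 spent")
```

Two things worth noticing when you run it. First, a 40% frequency cut combined with a 15% magnitude cut leaves 0.6 × 0.85 = 51% of the expected annual loss, so the residual ALE is exactly 0.51 of the baseline in closed form; the simulation should land within a few percent of that. Second, with these constructed ranges the $600K control barely pays for itself on expected value, which is precisely why the p90 and p95 figures are printed: a board deciding on ransomware controls usually cares more about the bad-year tail than about the mean.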
Glasswing gives you the scanning power. FAIR tells you what to do with the findings. Without FAIR, Glasswing is a fire hose pointed at a building — powerful, but uncontrolled.
Those four inputs don’t slow you down. They’re the only reason speed matters. Without them, you’re just moving faster toward an outcome you haven’t measured.
🦑 GOVERNANCE ISN’T THE BRAKE. IT’S THE STEERING WHEEL.
Anthropic built Glasswing to buy time. The question is what organizations do with that time. If they use it to patch faster without changing how they measure risk, they’ll be in exactly the same position when the next model drops — just with a shorter list of the same kind of problems.
The organizations that survive the next wave won’t be the ones with the best tools. They’ll be the ones who knew which risks actually mattered before the tools showed up.
How is your organization using the Glasswing window — patching faster, or governing smarter?
