What’s in this article
- What Claude Mythos is — a model so capable at finding software flaws Anthropic chose not to release it.
- What Project Glasswing means — Apple, Amazon, Google, and Microsoft now patch the world’s worst bugs together with AI.
- Why this matters even if you don’t write code — every site you ship runs on someone else’s stack.
- What designers and agency owners should do in the next 30 days.
- How I’d actually use this to protect my client work.
I’m Mike Kwal. I build websites every day with AI. When the company behind the model I use most decides not to release something — I pay attention. So should you.
What just happened
Anthropic built a new model called Claude Mythos. They tested it on real software. It found zero-day security flaws in major operating systems and browsers — including a 27-year-old bug in OpenBSD that no human ever caught.
Then they did something unusual. They didn’t ship it.
Instead, Anthropic formed Project Glasswing — a closed initiative where Apple, Amazon, Google, and Microsoft get controlled access to Mythos. The four companies use it to patch the world’s most critical software before the same capability reaches bad actors.
The official line: builders have six to twelve months before adversaries catch up.
Why this matters for designers
You don’t write the operating system your client’s site runs on. You don’t write the browser that loads it. But every page you ship sits on top of code someone else wrote — WordPress core, Webflow’s runtime, Shopify’s checkout, Stripe’s API, the iOS browser your visitor uses.
When that underlying code has a flaw, your client’s site is exposed too. Not because of anything you did wrong. Because the foundation you built on has a crack in it.
Project Glasswing is good news. It means the four biggest companies in software are now patching faster than they’ve ever been able to. The bad news: the same capability will reach attackers eventually.
What it means for you: the gap between “site you shipped six months ago” and “site you’re shipping today” is closing fast. Old sites need security review. New sites need a security pass before they go live.
My $0.02 — How I’d actually use this
I’m not a security engineer. I’m a designer who ships client sites. So my reaction to news like this is practical, not technical.
Here’s the move I made the week this dropped, on every active client site I had.
I opened a fresh chat with Claude and pasted in the code from any custom forms, custom checkout steps, or webhook receivers I’d shipped in the last quarter. I asked Claude one question: “Trace how user input flows through this code. Tell me anywhere a user could pass data that ends up trusted by another part of the system without checking.”
Claude flagged three things I didn’t notice. One was on a Webflow site where a custom contact form posted to a serverless function — the function trusted the email field’s length without limit. Two paragraphs of fix. I shipped it the same afternoon.
For client sites I haven’t touched in a while, I’d at minimum do these three things this month:
- Update the platform. WordPress core, your theme, all plugins. Webflow auto-updates. Shopify auto-updates. WordPress doesn’t.
- Audit the contact form and login flow. These are the two highest-risk surfaces on a marketing site, and they’re where AI-built code most often misses checks.
- Run any custom code through a Claude review. Free if you have any paid Claude plan. 90 seconds of work for a senior-engineer-level scan.
That’s how I take the Mythos news and turn it into a Tuesday afternoon to-do list. Not paranoid. Practical.
Want the full playbook?
For the security prompt and stack I run on every client site, see my Talk-to-Build Stack — the AI tools I actually use, and the security pass that ships before every launch.
FAQ
Should I be worried about my client’s site getting hacked?
Worried, no. Aware, yes. Most attacks don’t come from cutting-edge AI tools — they come from outdated plugins and weak passwords. Fix the boring stuff first.
Will Claude Mythos ever be public?
Not in its current form. The capability will trickle down to public Claude models slowly and with guardrails. Expect Claude Security (already public beta) to inherit pieces of it.
Does my site need a security audit if it’s just a marketing site?
If you have any forms, custom code, or third-party integrations — yes. A static brochure with no inputs is low risk. Anything that takes user input is a target.
Who pays if a client’s site gets compromised?
This is why your contract matters. A clear maintenance clause that says “we patch critical security updates within 48 hours of release” both protects you and gives you a billable line item.
What’s the simplest thing I can do this week?
Update WordPress, theme, and plugins on every active client site. That fixes 80% of real-world exposure for free.
Want help applying this?
Four ways to go deeper:
- Build with Builders. Join the Talk-to-Build community to Learn how to Earn money with AI, Download our AI Skills, Advance your business, Learn to build real assets for Website Design & Shopify stores — Gen-AI images, cinematic AI videos, conversational AI office secretaries — that you can sell to SMBs that want the outcomes but don’t have time to learn the skills.
- Done-for-you. MK-Way builds AEO-ready websites and apps for design agencies and founders who want it shipped fast.
- Quick question. DM me on Instagram. I read every message.
- B2B / strategy. Connect on LinkedIn for deeper conversations about AI in design and agency work.
Last updated: May 7, 2026.