8 min read

Fable 5 Is Frozen and Glasswing Still Leaves Two Problems Open

A glasswing butterfly resting on a green leaf, its transparent wings revealing the leaf surface beneath
The glasswing butterfly is named for wings that show exactly what lies behind them. Anthropic chose the name deliberately. The question is what Glasswing the project is designed to reveal, and what sits outside its field of view. - Photo by Ben Berwers / Unsplash
Last updated: 30 June 2026 | What's changed: both models were suspended on 12 June under a US export directive. On 27 June, Mythos 5 access was partially restored to around 100 vetted US critical infrastructure organisations. Fable 5 stays restricted.

On 12 June 2026, Anthropic disabled Claude Fable 5 and Claude Mythos 5 for every customer worldwide. A US government export control directive, citing national security authorities, had ordered access blocked for any foreign national. Anthropic could not apply that restriction selectively, so it switched both models off three days after launch.

Mythos 5 is the unrestricted model, Fable 5 is its public guardrailed version, and Project Glasswing is the programme both sit under.

Glasswing answered the vulnerability discovery problem. Two larger problems are left open. The first is the human layer: most breaches still run on phishing, credential abuse, and social engineering, not zero-days.

The second is that the agentic attack surface is expanding faster than any response. The export freeze, whatever its merits, is another fight about the vulnerability discovery layer. Whether the state acted to contain a real risk or to buy time before the capability spreads, the two layers that drive most breaches are untouched either way.

The reported trigger was a method of jailbreaking Fable 5 to read a codebase and surface its software flaws. That is the exact capability the model was built to deliver, and the exact capability this article warned was only one part of the problem.

The story started two months earlier. On 7 April, Anthropic announced that Claude Mythos Preview, the model Fable 5 and Mythos 5 are built on, had autonomously found thousands of zero-day vulnerabilities across every major operating system and web browser. Federal Reserve Chair Jerome Powell and Treasury Secretary Scott Bessent convened the CEOs of America's largest banks at short notice. JPMorgan's Jamie Dimon, a Project Glasswing launch partner, had already written that cybersecurity "remains one of our biggest risks" and that "AI will almost surely make this risk worse."

Export controls are for weapons. The state has now decided that finding vulnerabilities at machine scale belongs in that category. It picked the layer that was never the dominant breach path.

The government has not stated its full reasoning, and the case it can make is not trivial. A model that finds vulnerabilities at expert level is a strategic asset whether or not any single jailbreak is real, and a capable model handed to the wrong party can be copied through distillation. Reporting points to a specific trigger: a South Korean carrier with alleged China ties had gained Glasswing access days before the order, and Anthropic's largest investor flagged a Fable bypass to the White House directly.

Read one way, this is a panicked response to a narrow incident. Read another, it is the state deciding that vulnerability discovery is now its to control, and moving before the capability spreads.

Project Glasswing addresses what AI can find. It does not address the attack surface that AI is simultaneously building.

Project Glasswing, the coordinated defensive initiative Anthropic built around Mythos Preview, grew fast. It launched in April with around 50 partners and expanded on 2 June to roughly 200 organisations across more than 15 countries, including power, water, healthcare, and communications operators. Anthropic backed it with $100 million in usage credits and $4 million in donations to open source security organisations. The scale and intent are genuine.

By June the preview had become product. Anthropic released Fable 5, the public guardrailed version, alongside Mythos 5, the unrestricted model held for vetted Glasswing partners. The export control directive that followed on 12 June reached past the partner programme and shut both off for everyone, which tells you how seriously the discovery capability is now being treated. Two weeks of negotiation later, on 27 June, Commerce let Mythos 5 back to around 100 vetted US critical infrastructure organisations. Fable 5 stayed off. The capability is now something the state hands back selectively, to approved holders, on its own terms.

It still addresses one attack path.

The Dominant Threat Has Always Been the Human Layer

Not everyone in the security community is treating this as a watershed moment. David Sacks wrote that it is "hard to ignore that Anthropic has a history of scare tactics." Marcus Hutchins, the researcher who stopped WannaCry and now principal threat researcher at Expel, made a more substantive point: attackers have long relied on social engineering and phishing to gain access without ever needing a novel vulnerability. Defenders, he argued, hold the resource advantage when it comes to building AI systems at this scale.

Hutchins is right that the dominant paths never needed a novel vulnerability. The question is how far that goes, and it goes further than the discovery layer entirely.

Most breaches do not start with a zero-day. They start with a phishing email, a misconfigured service account, an MFA prompt approved at the wrong moment, or a helpdesk agent socially engineered into a password reset. AI accelerates all of those paths too. Spear phishing that previously required skilled manual targeting can now be produced at volume with accurate contextual detail drawn from automated OSINT. Automated reconnaissance maps misconfigured assets faster than any human red team. The human and configuration layer of the attack surface does not get harder to exploit because Glasswing exists.

The CSA and SANS community reached the same conclusion. Their Mythos-ready briefing notes that the collapse in time-to-exploit, now under a day in 2026 on Sergej Epp's Zero Day Clock, has not produced a matching rise in the impact of exploitation. The most consequential incidents of recent years ran on credential abuse, social engineering, and supply chain compromise, not zero-days. They frame the clock as a leading indicator of where attacker capability is heading, not a measure of current damage.

A Mythos-ready programme that focuses on vulnerability management is better than what most organisations had six months ago. It still leaves the other layers largely unaddressed.

The Attack Surface Is Growing Faster Than the Response

There is a second problem the Glasswing conversation has not fully absorbed. The attack surface itself is in active expansion, and the discovery capability is no longer Anthropic's to gate.

The agentic ecosystem is already producing observable incidents with no established security baseline. The governance response to that gap is only now taking shape, in the agent control planes every major platform is racing to ship. Antiy CERT documented 1,184 malicious skills across ClawHub before coordinated disclosure. Trend Micro found 492 MCP servers exposed to the internet with zero authentication controls. Check Point Research disclosed remote code execution in Claude Code through poisoned repository configuration files. The CyberDesserts investigation into OpenClaw documented this pattern in detail: security was not a design consideration in the early agentic marketplace, and attackers found it before defenders had finished mapping the surface.

OpenClaw: When AI Agent Marketplaces Become a Supply Chain Risk

Anthropic's own Glasswing announcement is unambiguous on the compounding factor: open source software constitutes the vast majority of code in modern systems, including the systems AI agents use to write new software. Developer teams shipping production code through coding agents, often without security review and often without awareness of what those agents are introducing, are adding to a vulnerability population that grows faster than any audit cycle can cover.

Glasswing reached around 200 organisations before the directive froze even that. Gating Anthropic is close to meaningless when the capability is an emergent property of frontier models generally. Anthropic's own red team describes it as a byproduct of better code reasoning, not a feature built for security, and an independent test reproduced its flagship discovery across eight separate models including small open-weights ones. OpenAI has already rated a model high for cyber capability, and a control that pulls one lab's models offline does nothing to the same capability maturing everywhere else.

What the Response Needs to Cover

Glasswing is a meaningful step. Treating it as a complete answer is the risk.

The response needs to work across all three layers simultaneously: the vulnerability discovery problem Glasswing was built for, the agentic attack surface already generating incidents, and the human and configuration layer that remains the dominant breach path regardless of what AI can now do with zero-days.

Step back and the layers resolve into one surface. The vectors that matter chain across discovery, identity, and the agentic estate, which is why defending any one layer in isolation fails. Phishing-resistant MFA, access review, dependency hygiene, and agent governance is where real world attacks live.

This is not a new argument, it is exposure management applied to a new moment. The vulnerability-centric reflex is a hangover from the Conficker and WannaCry era, when the unpatched CVE was the breach. The threat moved to identity, configuration, and the agentic estate, and the lens has to move with it.

AI review belongs in that list, with the same caution. Testing three AI security reviewers against one codebase showed each had different blind spots, and what gets caught depends on what you point the tool at. The capability helps, but the judgement on whether a finding is real, and whether the fix closes the exposure, stays human.

The freeze makes the point sharper. A government can switch off a vulnerability discovery model in an afternoon, then negotiate part of it back on a fortnight later for a hundred approved organisations, and on every one of those days the phishing emails and the exposed MCP servers and the unreviewed agent-written code are all still there. Defensive capability that can be revoked, and reinstated, by directive was never going to be the whole answer.

Much of the security community sees the freeze differently from the government. An open letter signed by dozens of veterans, Alex Stamos and Katie Moussouris among them, argued the ban pulled the best capability from defenders while the same capability remains available through rival, open-weight, and Chinese models. Having reviewed the research behind the ban, Moussouris characterised the so-called jailbreak as a defender asking the model to find and fix bugs, the everyday work the capability exists to do. The government may yet have grounds it has not made public, but the argument is over the vulnerability discovery layer, while the human and agentic layers draw no such fight.

Auditing the npm Supply Chain


As of 30 June, Mythos 5 access has been partially restored to around 100 vetted US critical infrastructure organisations following a 26 June Commerce Department letter, while Fable 5 remains restricted and under negotiation. The CSA and SANS community response to Mythos, co-authored by 250 CISOs with contributors from Google, NSA, and CISA, was published on 1 May 2026 at the Cloud Security Alliance.


References