Project Glasswing, Mythos, and Where Your Verito Environment Stands

A direct posture update for VeritSpace and VeritGuard clients on the Anthropic Mythos disclosure, the regulator response, and what we are doing in response.

Several of you have asked us about Project Glasswing and the Anthropic AI system called Mythos. This post answers what it means for your firm.

The short version. The Verito stack is built on the platforms inside the Glasswing consortium. Fixes for the vulnerabilities Mythos finds in those platforms reach our environment through normal vendor update channels. We are tightening our own patch latency in response. The layered controls already in your VeritSpace and VeritGuard environments do most of the work that the Glasswing news points to.

The longer version follows.


 


What Project Glasswing Is

On April 7, 2026, Anthropic announced Claude Mythos Preview, an AI model released under a restricted access program called Project Glasswing. Anthropic has stated that Mythos can autonomously discover and exploit zero-day vulnerabilities in every major operating system and every major web browser, and that it is currently far ahead of any other AI model in cyber capabilities.

The model has already produced concrete defensive results. It identified a 27-year-old bug in OpenBSD and a 16-year-old remote code execution vulnerability in FreeBSD. Mozilla fixed 271 Firefox vulnerabilities that Mythos surfaced in a single evaluation pass, more than twelve times the count Anthropic’s previous most capable model produced.

Anthropic restricted access to a launch consortium of eleven members: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. The restriction is meant to keep the model with organizations large enough to triage findings responsibly. The same capability that finds vulnerabilities defensively can be used to exploit them offensively, and Anthropic has been explicit about that constraint.

When Mythos finds a flaw in Microsoft Windows, the finding goes to Microsoft. When it finds something in VMware, the finding goes to Broadcom. The vendor patches the flaw and ships the fix through normal update channels. The public sees the CVE and a patch advisory, never the gap between discovery and fix.


Why Regulators Are Paying Attention

Bank regulators in several jurisdictions have flagged Project Glasswing as a potential source of systemic cyber risk. Public reporting indicates the Bundesbank, the European Central Bank, the Bank of England, the United States Federal Reserve, and the Australian Securities and Investments Commission are all monitoring the situation. The International Monetary Fund discussed it at its spring meetings in Washington.

The public regulatory discussion has focused on banking, but the underlying argument applies to any organization that depends on widely used operating systems and software. Organizations inside the consortium can see where their stack is vulnerable and remediate it. Organizations outside the consortium cannot. Over time, that asymmetry creates a window of exposure for any business whose technology vendors are not part of the consortium, or whose patch deployment lags behind vendor releases.

For your firm, neither condition applies if your environment is on Verito.


Where Your VeritSpace Environment Sits

VeritSpace runs on a vendor stack where the major upstream platforms are Glasswing launch partners.

Microsoft provides the operating system layer for VeritSpace, including Windows Server, Active Directory, and Remote Desktop Services. Microsoft is a Glasswing launch partner.

Broadcom provides the virtualization layer through VMware vSphere and vCenter. 

Cisco provides multi-factor authentication for remote access through Duo Security. 

CrowdStrike provides endpoint detection and response through Falcon. 

The implication is direct. When Mythos finds a vulnerability in any of these platforms, the patch reaches us through the same vendor channels we already monitor. The Glasswing asymmetry that regulators have flagged works in our favor, and through us, in yours.


 

What We Already Do

Vendor membership in Glasswing only delivers value to your firm if the patches get deployed promptly. The window between vendor patch publication and our deployment is the period an attacker would target. Keeping that window short is the most direct response a hosting provider can offer.

Verito runs a continuous patch management program across the VeritSpace fleet. Microsoft monthly security updates and out-of-band releases are deployed through our managed endpoint platform on a defined cadence. Hypervisor and infrastructure-layer patches follow a parallel cadence with appropriate change control and stability validation.

Beyond patching, your VeritSpace environment includes the controls you would expect of a hosted platform built for tax and accounting firms.

Multi-factor authentication on remote access. Client access to your hosted desktop is protected by MFA through Cisco Duo Security.

Tenant isolation. Each firm runs on dedicated, private servers. Your environment is logically segmented from every other client environment at the platform level.

Endpoint detection and response. CrowdStrike Falcon is deployed across the VeritSpace fleet. Falcon’s behavior-based detection operates independently of any specific vulnerability list, which matters most for threats that have not yet been publicly catalogued.

Backup and disaster recovery. Your hosted environment is protected by enterprise backup infrastructure with defined recovery point and recovery time objectives.


 

For VeritGuard Clients

If your firm runs local infrastructure with VeritGuard managed services rather than VeritSpace hosting, the Glasswing development sharpens the value of several practices already in place.

Browser update enforcement. Browsers are the highest-velocity attack surface in any practice environment. The Firefox vulnerability count from the Mythos evaluation illustrates why. VeritGuard enforces automatic update channels for Chrome, Edge, and Firefox on managed endpoints, with no user-side ability to defer security updates.

Third-party application patching. Operating system patches alone are not sufficient. VeritGuard manages patching for common business applications including Adobe products and Java runtimes.

Continuous vulnerability advisory monitoring. VeritGuard tracks vendor security advisories and the United States Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities catalog. Vulnerabilities affecting software on a managed endpoint, with evidence of active exploitation, are escalated for accelerated remediation.

Endpoint detection and response. Behavior-based EDR is on every managed endpoint. This is the most important defensive layer for vulnerabilities the public does not yet know exist.

Multi-factor authentication and security posture review. MFA across email, remote access, and administrative functions is a baseline. Each VeritGuard client receives a regular review covering patch compliance, EDR coverage, MFA status, backup integrity, and any items requiring attention.

Incident response readiness. We maintain client-specific incident response procedures covering containment, communication, evidence preservation, and recovery, so response is procedural rather than improvised when speed matters most.
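
The advisory-monitoring step described above (KEV entries matched against software on managed endpoints, then escalated) can be sketched as follows. This is an added example, not VeritGuard's own tooling: the inventory, hostnames, dates and placeholder CVE ids are constructed, the field names follow CISA's KEV JSON feed, and exact vendor/product name matching is an assumption that a production inventory would replace with normalized identifiers.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE ids).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "Mozilla", "product": "Firefox",
   "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0002", "vendorProject": "Oracle", "product": "Java SE",
   "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCorp", "product": "Widget Server",
   "dueDate": "2026-05-03", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed endpoint inventory: hostname -> installed (vendor, product) pairs.
INVENTORY = {
    "ws-front-01": [("Mozilla", "Firefox"), ("Adobe", "Acrobat")],
    "ws-tax-02": [("Oracle", "Java SE"), ("mozilla ", "firefox")],
    "ws-admin-03": [("Adobe", "Acrobat")],
}

def _key(vendor, product):
    # Case- and whitespace-insensitive match key (assumption: names line up).
    return (vendor.strip().lower(), product.strip().lower())

def escalations(kev, inventory, today):
    """Return KEV entries affecting installed software, most urgent first."""
    installed = {}
    for host, apps in inventory.items():
        for vendor, product in apps:
            installed.setdefault(_key(vendor, product), []).append(host)
    hits = []
    for v in kev["vulnerabilities"]:
        hosts = installed.get(_key(v["vendorProject"], v["product"]))
        if not hosts:
            continue  # actively exploited, but not present on any endpoint
        due = date.fromisoformat(v["dueDate"])
        hits.append({
            "cve": v["cveID"],
            "hosts": sorted(hosts),
            "days_left": (due - today).days,  # negative means overdue
            "ransomware": v["knownRansomwareCampaignUse"] == "Known",
        })
    # Known ransomware use first, then the nearest (or most overdue) due date.
    hits.sort(key=lambda h: (not h["ransomware"], h["days_left"]))
    return hits

if __name__ == "__main__":
    for hit in escalations(KEV_SAMPLE, INVENTORY, date(2026, 4, 20)):
        print(hit)
```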


 

Where Residual Risk Lives

We want to be direct about what no single defense covers, including Glasswing itself.

The consortium covers operating systems, virtualization, networking, endpoint security, and major cloud platforms. It does not cover every smaller third-party tool that may run inside a firm’s environment. There are categories of risk, including AI-enabled phishing and impersonation against your clients, that no patching pipeline alone can resolve.

This is the reason VeritSpace and VeritGuard both invest in defense-in-depth. Behavior-based endpoint detection, MFA, patch discipline, tenant isolation, and access controls all continue to protect against threats that have not yet been catalogued, including any the consortium has not surfaced. The Glasswing development reinforces the importance of these layers. It does not replace them.


 

The Compliance Picture

For tax and accounting firms, the Glasswing story sits inside a regulatory environment that already takes data security seriously. IRS Publication 4557 requires every paid preparer to maintain a written information security plan. The FTC Safeguards Rule, expanded in 2023, treats tax preparers as financial institutions under GLBA, with specific requirements covering risk assessment, encryption, MFA, vendor oversight, and incident response.

Your VeritSpace and VeritGuard environments are built around both frameworks. The Glasswing development does not change those obligations. It does change the threat environment they are designed to protect against, which is the reason we have reviewed our patch deployment cadence to confirm it remains appropriate to the current landscape.


 

Bottom Line

For VeritSpace clients, the platform’s upstream vendor stack is inside the Glasswing consortium and our patch deployment program is calibrated to the urgency this story creates.

For VeritGuard clients, the practices that protect your endpoints already extend beyond the consortium’s coverage area through behavior-based detection, identity controls, and accelerated response to actively exploited vulnerabilities.

We will continue to monitor public statements from regulators and from the Glasswing consortium. If material changes occur, we will publish updates here and notify clients directly through normal support channels. For questions specific to your environment, contact your Verito support team.

It just works. Securely.
