Two days after Anthropic announced Project Glasswing — its restricted rollout of Claude Mythos to a small group of cybersecurity partners — OpenAI confirmed it is doing the same thing.
On April 9, Axios reported that OpenAI is finalising a cybersecurity product it plans to release to a small set of vetted partners. The product is not a new model. It is a controlled access layer built on top of GPT-5.3-Codex, OpenAI’s most capable reasoning and coding model, launched in February 2026.
The timing is not a coincidence. Both OpenAI and Anthropic have separately concluded that their frontier models can exploit software vulnerabilities faster than human security teams can patch them — and both have decided that restriction, not broad release, is the responsible path.
What OpenAI Is Actually Releasing
The product builds on the Trusted Access for Cyber program OpenAI launched alongside GPT-5.3-Codex in February. It sits alongside OpenAI’s acquisition of Promptfoo, the enterprise red-teaming platform, as part of a concerted push to own the enterprise security conversation. That program committed $10 million in API credits to vetted organisations — primarily open-source projects and critical infrastructure operators — for defensive cybersecurity research.
The April announcement extends that into a structured product with enhanced access controls, automated monitoring, and tighter enforcement pipelines for who can use the model in cybersecurity contexts.
GPT-5.3-Codex is the first model OpenAI has rated “High capability” for cybersecurity tasks under its internal Preparedness Framework. It is specifically trained to identify and fix software vulnerabilities autonomously, not just suggest patches for developers to review. The staggered rollout — invite-only at launch — reflects the same concern driving the restricted access model: organisations need to be vetted before receiving access to a model that can run sophisticated vulnerability exploitation workflows with minimal human oversight.
Why Two Labs Reached the Same Conclusion in the Same Week
The pattern here is worth noting. Anthropic published its Glasswing announcement on April 7. Two days later, Axios reported OpenAI’s parallel product. These are not coordinated releases. They are two organisations working from the same underlying data — their own internal testing — reaching the same conclusion.
Both labs now describe their frontier cybersecurity models in terms that would previously have been reserved for national security discussions. Anthropic said Claude Mythos “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.” OpenAI’s framing is similarly direct: GPT-5.3-Codex can execute autonomous vulnerability discovery workflows that move faster than any human response team.
The convergence is significant precisely because it is not strategic. Two competing organisations with strong commercial incentives to ship broadly are both choosing restraint at the same moment. When that happens in AI, it is usually because the internal test data is genuinely alarming.
The Competitive Dimension
The restricted access framing also has a competitive element that is worth being clear-eyed about. Both OpenAI and Anthropic are using this approach to deepen their relationships with large enterprise security vendors — the companies that sit at the centre of enterprise IT stacks.
Anthropic named Amazon, Apple, Broadcom, Cisco, CrowdStrike, the Linux Foundation, Microsoft, and Palo Alto Networks as Project Glasswing launch partners. OpenAI has not yet released a partner list for its cybersecurity product, but the firms likely to receive early access are a very similar set. These are not consumer companies. They are the vendors whose security tools your organisation probably already runs.
That positioning matters. When CrowdStrike or Palo Alto Networks integrates an AI layer that uses GPT-5.3-Codex or Claude Mythos capabilities under the hood, that capability reaches enterprise customers through products they already trust — rather than as a raw model deployment most security teams are not equipped to manage safely.
The $10 Million Credit Program
One aspect of OpenAI’s approach that has not received enough attention is the $10 million in API credits committed to Trusted Access for Cyber participants. This is not a small gesture. It is a meaningful subsidy for the organisations doing the hardest, least commercially rewarding cybersecurity work: maintaining open-source infrastructure, securing critical national systems, and finding zero-day vulnerabilities before attackers do.
The open-source security community has historically been chronically underfunded relative to the threats it faces. OpenAI’s credit commitment is a recognition that frontier AI should be actively directed at this gap, not just made available to whoever can pay.
Whether the commitment holds as the program scales is a fair question. But the structure — pre-selected access, usage monitoring, credits targeted at defensive work — is the right framing for how powerful AI capabilities should enter the cybersecurity market.
What This Means for Business
The AI-assisted vulnerability gap is real and growing. Two of the three most capable AI labs in the world are now formally restricting their most powerful models because they can automate sophisticated cyberattacks. Organisations that assume their current security tooling is adequate to handle AI-assisted threat actors are operating on outdated assumptions.
Defensive AI is not just for large enterprises. The $10 million credit program and the partner structure are focused on the vendors and infrastructure operators that serve the entire market. The defensive AI capabilities being tested in restricted programs today will eventually reach smaller organisations through security platforms, SaaS tools, and cloud providers. The question is whether your organisation’s security posture will be ready when they do.
Your security vendors are about to get a lot more capable. The firms named in Anthropic’s Glasswing program — Cisco, CrowdStrike, Palo Alto Networks — are building AI capabilities into their existing platforms. This is not abstract. Within 12 months, the security tools you already pay for are likely to include AI-assisted vulnerability discovery that moves significantly faster than anything available today.
The restricted access model is worth watching as a governance pattern. Both OpenAI and Anthropic are establishing a precedent: that the most dangerous AI capabilities should be deployed through controlled partner programmes with vetting, monitoring, and access controls — not broad public release. This approach, if it holds, is a more sustainable model for deploying powerful AI in sensitive domains than the “release and iterate” approach that has characterised earlier AI cycles.
Enterprise DNA put together a free field guide on exactly this: the full Claude ecosystem, Claude Code, and how to roll agents out without breaking things. Get the guide.
Source
Axios