snitch + project glasswing

Built for Mythos.

Claude Mythos finds vulnerabilities that survived decades of human review. Snitch is building the audit framework that makes those findings actionable.

When Anthropic announced Project Glasswing, we saw the future of security scanning. A model that chains exploits, reasons about business logic, and understands cryptography at a level no tool has matched. We immediately started building for it.

Snitch already runs inside Claude Code as a 68-category security audit skill. For Mythos, we're going deeper. 74 categories with deep reasoning analysis, real-time exploit chain detection, and severity that adapts to actual defense depth. Not pattern matching. Real understanding.

What we're building

74 security categories with deep analysis

Every category rewritten to go beyond pattern matching. Race conditions analyzed against the database isolation level actually in use, since a double-spend that READ COMMITTED permits can be rejected under SERIALIZABLE. Timing attacks assessed for practical exploitability, not just for the presence of a non-constant-time comparison. Business logic chains traced through state machines. 6 new categories that only make sense with a reasoning model.

Real-time exploit chain detection

Current tools find individual vulnerabilities and correlate them after the scan. Mythos can reason about chains as they emerge. An IDOR found in category 28 immediately gets checked against the XSS from category 2 for account takeover potential: script running in a victim's session can drive authenticated requests at the IDOR endpoint, and an IDOR that writes into another user's data can deliver the XSS payload into that user's browser, so two medium findings become one critical chain.

Contextual severity

A SQL injection behind three layers of authentication and a WAF isn't the same as one on a public endpoint. Mythos can assess defense depth, rate limiting, network position, and practical exploitability to give severity scores that reflect reality. This is the adjustment CVSS reserves for its Environmental metric group: the base score describes the flaw itself and should be reported unchanged next to the recalibrated one, so a mitigation that later disappears doesn't silently hide a critical.
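The recalibration described above, worked through with CVSS v3.1 as an added example (editor's code, not Snitch's or Anthropic's). The metric weights and formulas are taken from the FIRST CVSS v3.1 specification; the mapping of the scenario onto modified metrics (internal network only as MAV:A, admin credentials as MPR:H, a WAF that must be bypassed as MAC:H) is an assumed modelling choice, and rate limiting has no CVSS metric of its own. The vector strings are constructed for the example.

```python
import math

# CVSS v3.1 metric weights, from the FIRST specification (section 7.4). Added
# example: the base score stays as it is and the Environmental group carries
# the context, which is how the spec intends contextual severity to be done.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}    # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}                # CR / IR / AR
E = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
RL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
RC = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, in integer
    arithmetic so floating-point noise cannot push 6.4 up to 6.5."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def _score(av, ac, pr, ui, s, c, i, a, cr=1.0, ir=1.0, ar=1.0, environmental=False):
    """Base score, or with environmental=True the inner environmental score before
    temporal factors. The two differ only in the ISS cap and the scope-changed tail."""
    changed = s == "C"
    iss = 1 - (1 - cr * CIA[c]) * (1 - ir * CIA[i]) * (1 - ar * CIA[a])
    if environmental:
        iss = min(iss, 0.915)
    if changed:
        tail = (iss * 0.9731 - 0.02) ** 13 if environmental else (iss - 0.02) ** 15
        impact = 7.52 * (iss - 0.029) - 3.25 * tail
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * AV[av] * AC[ac] * PR[s][pr] * UI[ui]
    if impact <= 0:
        return 0.0
    scale = 1.08 if changed else 1.0
    return roundup(min(scale * (impact + exploitability), 10))


def parse(vector: str) -> dict:
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are handled here")
    return dict(p.split(":", 1) for p in parts[1:])


def base_score(vector: str) -> float:
    m = parse(vector)
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], m["C"], m["I"], m["A"])


def environmental_score(vector: str, **ctx) -> float:
    """ctx holds modified metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA), requirements
    (CR, IR, AR) and temporal metrics (E, RL, RC); absent or 'X' means Not Defined."""
    m = parse(vector)

    def pick(modified, base):
        v = ctx.get(modified, "X")
        return m[base] if v == "X" else v

    inner = _score(pick("MAV", "AV"), pick("MAC", "AC"), pick("MPR", "PR"),
                   pick("MUI", "UI"), pick("MS", "S"), pick("MC", "C"),
                   pick("MI", "I"), pick("MA", "A"),
                   REQ[ctx.get("CR", "X")], REQ[ctx.get("IR", "X")], REQ[ctx.get("AR", "X")],
                   environmental=True)
    temporal = E[ctx.get("E", "X")] * RL[ctx.get("RL", "X")] * RC[ctx.get("RC", "X")]
    return roundup(inner * temporal)


# Constructed scenario from the text: the same SQL injection, once on a public
# endpoint and once reachable only internally, behind admin auth and a WAF.
SQLI = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"


def recalibrate_sqli():
    public = base_score(SQLI)
    # Assumed mapping (a modelling choice, not part of the standard): internal
    # network only -> MAV:A; admin credentials required -> MPR:H; a WAF that has
    # to be bypassed -> MAC:H. Rate limiting has no CVSS metric, so it is not scored.
    shielded = environmental_score(SQLI, MAV="A", MPR="H", MAC="H")
    return public, shielded


if __name__ == "__main__":
    print("base %.1f -> environmental %.1f" % recalibrate_sqli())
```

The public SQL injection scores 9.8; the same flaw with the three modified metrics scores 6.4, and both numbers are reported, which is the point: the 9.8 is what the flaw becomes the day the WAF rule is removed or the admin boundary is breached.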

Reasoning chains, not pattern reports

Every finding includes what the attacker does, what preconditions are needed, and what the actual impact is. Not just 'this matches a dangerous pattern' but 'here's how this gets exploited and why the existing mitigations don't stop it.'

OWASP A10:2025 and ASVS coverage

Full coverage of the new Mishandling of Exceptional Conditions category. Plus vulnerability patterns sourced from OWASP ASVS 4.0 that no other scanning tool checks for.

New categories for Mythos

Cat 69 · Business Logic Chains
State machine violations, workflow bypasses, price manipulation, subscription abuse

Cat 70 · Cryptographic Depth
KDF cost analysis, CSPRNG seeding, IV reuse, curve selection, JWT algorithm confusion

Cat 71 · Exploit Chains
Real-time multi-finding correlation with precondition analysis and blast radius

Cat 72 · Contextual Severity
CVSS recalibration based on defense depth, rate limiting, and practical exploitability

Cat 73 · Error Handling
OWASP A10:2025. Failing open, swallowed errors, leaked stack traces, missing boundaries

Cat 74 · ASVS Gaps
Anti-automation, session fixation, request smuggling, cache poisoning, clickjacking
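To make Cat 73 concrete, here is an added Python example (editor's code, not Snitch's) of two A10:2025 patterns it names, failing open and leaked stack traces, each beside its hardened form. PolicyStore is a constructed stand-in for an authorization backend that can fail at runtime; the rule table and resource names are made up for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("authz")


class PolicyStore:
    """Constructed stand-in for a policy backend that can fail at runtime
    (timeout, schema drift, a resource nobody wrote a rule for)."""

    def __init__(self, rules):
        self.rules = rules  # {(user, resource): allowed}

    def allows(self, user, resource):
        key = (user, resource)
        if key not in self.rules:
            raise LookupError(f"no policy entry for {resource!r}")
        return self.rules[key]


def check_access_fail_open(policy, user, resource):
    """Vulnerable pattern: the exception is swallowed and the request proceeds
    as if authorized, so any backend fault becomes an authorization bypass."""
    try:
        return policy.allows(user, resource)
    except Exception:
        log.warning("policy lookup failed, continuing")
        return True


def check_access_fail_closed(policy, user, resource):
    """Hardened: a lookup failure is a deny. Detail is logged server-side under
    an incident id; nothing about the failure reaches the caller."""
    try:
        return policy.allows(user, resource)
    except Exception as exc:
        incident = uuid.uuid4().hex[:8]
        log.error("policy lookup failed [%s]: %r", incident, exc)
        return False


def render_error_leaky(exc):
    """Vulnerable: the trace (file paths, frames, whatever sat in locals) goes to the client."""
    return 500, "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_error_safe(exc):
    """Hardened: generic body plus a reference the client can quote to support;
    the trace itself stays in the server log."""
    incident = uuid.uuid4().hex[:8]
    log.error("unhandled error [%s]", incident, exc_info=exc)
    return 500, f"Internal error. Reference: {incident}"


def demo():
    policy = PolicyStore({("alice", "invoices"): True, ("bob", "invoices"): False})
    try:
        policy.allows("bob", "ledger")      # no rule exists: the backend raises
    except LookupError as exc:
        leaky_body = render_error_leaky(exc)[1]
        safe_body = render_error_safe(exc)[1]
    return {
        "known_rule": check_access_fail_closed(policy, "bob", "invoices"),
        "open_on_error": check_access_fail_open(policy, "bob", "ledger"),
        "closed_on_error": check_access_fail_closed(policy, "bob", "ledger"),
        "leaky_body_has_detail": "no policy entry" in leaky_body,
        "safe_body_has_detail": "no policy entry" in safe_body,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fail-open variant is the one a scanner should flag: the `except` clause returns the permissive value, so the blast radius of an outage in the policy service is every protected resource, not a 500 page.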

Where we are

The Mythos client is built. 74 categories, deep analysis sections, reasoning rules, real-time chain detection. It's ready and waiting for the model.

We've applied to Project Glasswing. Snitch already runs inside Claude Code, and we think structured security scanning and a model this capable are a natural fit. We want to benchmark structured categories against raw prompting and publish the results.

If you're working on security tooling for Mythos, or you're part of Glasswing and want to talk about structured audit frameworks, reach out. We'd love to collaborate.

ian@khuur.dev · snitchplugin.com