Google’s CodeMender Takes On Anthropic Mythos in AI Code Security


At Google I/O 2026, Google opened the CodeMender API to a select group of external security experts — a direct market challenge to Anthropic’s Mythos, a purpose-built AI model that has already found thousands of zero-day vulnerabilities autonomously across every major operating system and web browser. The collision of two of the world’s most capable AI labs inside the code security market is not a future scenario; it is happening right now, and it has concrete implications for every team running software-dependent marketing infrastructure in production.

What Happened

Google used its I/O 2026 developer conference to expand access to CodeMender, an AI agent for code security that it first debuted in October 2025, according to The Verge (May 19, 2026). Until the I/O announcement, CodeMender had been tested internally. Google is now inviting select groups of external security experts to evaluate the API — a staged rollout strategy that signals a clear move toward broader commercial availability. The Verge noted that the key shift from the initial October 2025 launch is Google making the tool more widely available externally and explicitly marketing it to compete with Anthropic’s Mythos.

The target is not ambiguous. Google is positioning CodeMender directly against Mythos, framing the two products as rivals in the emerging market for AI-powered autonomous code security agents.

Anthropic launched Project Glasswing in April 2026 as the vehicle through which Mythos is being deployed. According to Anthropic’s Glasswing project page, Claude Mythos Preview is an unreleased frontier model purpose-built for vulnerability detection at a level of depth and autonomy that general-purpose AI models do not achieve. The benchmarks are significant: Mythos scores 83.1% on the CyberGym vulnerability reproduction benchmark, compared to 66.6% for Claude Opus 4.6. That is a 16.5-percentage-point improvement on a security-specific benchmark from one model generation to the next — not an incremental gain but a category-level capability jump targeting security tasks specifically.

Mythos has already identified thousands of zero-day vulnerabilities across every major operating system and browser. The specific findings documented on Anthropic’s Glasswing page include: a 27-year-old flaw in OpenBSD allowing remote system crashes; a 16-year-old vulnerability in FFmpeg that survived five million automated test attempts without detection; and multiple Linux kernel vulnerabilities enabling privilege escalation. Critically, Mythos discovered and chained these vulnerabilities autonomously — no human direction required at any step of the vulnerability hunting process.

Project Glasswing is structured as an industry coalition. Its twelve founding organizations include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, per Anthropic’s Glasswing page. More than 40 additional organizations building critical software infrastructure have joined for extended access. Anthropic has committed $100 million in model usage credits to consortium members, $2.5 million to Alpha-Omega and the Open Source Security Foundation (OpenSSF), and $1.5 million to the Apache Software Foundation.

The fact that Google itself is a Glasswing founding partner while simultaneously building a competing product in CodeMender illustrates both the complexity of the AI competitive landscape and the urgency of the underlying security problem. When your primary AI competitor’s product is credible enough that you feel compelled to join their coalition while also building a rival tool, the market signal is clear: AI-powered code security is becoming foundational enterprise infrastructure. Both companies are fighting to own that layer.

The broader Google I/O 2026 context matters here too. According to TechCrunch’s coverage of the conference, Google announced Gemini 3.5 Flash with an explicit strategy of betting “its next AI wave on agents, not chatbots,” alongside Gemini Spark — a 24/7 agentic assistant — and Gemini Omni, which converts images, audio, and text into video. CodeMender fits directly within this agent-first strategy: it is not a chatbot that answers security questions but an agent that acts on code.

Why This Matters

The timing of CodeMender’s external rollout is not coincidental. During the same week Google expanded its security API access, TechCrunch reported (May 19, 2026) that hackers had released over 630 malicious versions across 317 popular open-source packages in approximately 20 minutes. The campaign, dubbed “Mini Shai-Hulud” by researchers at StepSecurity and SafeDep, targeted npm packages including libraries from TanStack and Antv (an open-source library created by Alibaba). Attackers hijacked developer accounts, planted malicious updates, and used downstream access to steal credentials from password managers. OpenAI employees’ machines were among those compromised through the TanStack breach, according to TechCrunch.

That same week, TechCrunch also reported that CISA — the United States’ primary civilian cybersecurity agency — had its own contractor inadvertently upload plaintext access tokens, cloud keys, and sensitive credentials to a public GitHub repository. GitGuardian researcher Guillaume Valadon discovered and verified the exposure before reporting it to journalist Brian Krebs. CISA acknowledged the incident but stated there was “no indication that any sensitive data was compromised.”

These are not abstract threat scenarios. They are active production incidents affecting teams running the same categories of infrastructure — cloud environments, CI/CD pipelines, open-source dependency chains, public code repositories — that most organizations depend on today. The gap between attacker capability and defender capability has been widening for years. AI on the offensive side is now accelerating that asymmetry to a pace that human security reviews cannot match.

What both Google and Anthropic are betting on is that the same AI capabilities enabling AI-assisted attacks to scale and accelerate can be deployed defensively — and at comparable speed. The approaches differ in meaningful ways:

Mythos / Glasswing deploys a frontier model specifically trained for vulnerability detection, wrapped in a consortium structure that gives critical infrastructure operators controlled access before adversaries gain equivalent capabilities. The model hunts and chains vulnerabilities autonomously — a capability that was previously available only to elite red teams operating over weeks-long manual engagements. The coalition structure means Mythos’ findings flow into the organizations that maintain Linux, Apache, OpenSSF-governed projects, and other critical shared infrastructure.

CodeMender is built as an AI agent for code security — an API-first, developer-workflow-integrated tool. Google’s I/O 2026 staging signals it will be distributed through Google Cloud’s existing enterprise developer relationships rather than through a separate consortium. The API approach means CodeMender is designed to embed in pipelines: scan at commit time, flag vulnerabilities before merge, integrate with existing CI/CD toolchains.

The marketing angle on this is direct and consistently underestimated. Enterprise software procurement decisions are not purely technical choices — they are trust decisions and relationship decisions. The company that owns the AI security layer for a given organization owns the conversation with the CISO. And in 2026, CISOs increasingly influence AI marketing technology budgets, data governance policies, and AI deployment approvals across the entire organization, including the marketing stack.

Marketing operations in a mature organization runs on SaaS platforms, open-source data processing libraries, AI APIs, and custom integration code. Every one of those components is an attack surface. The supply chain attack that compromised OpenAI employees through TanStack also hit teams that had never heard of TanStack — they were downstream victims of a dependency they never audited. When the marketing technology stack depends on 40+ SaaS tools each running their own dependency trees, the blast radius of a single compromised open-source library can reach customer data, campaign infrastructure, and authentication systems simultaneously.

Teams that understand this are already ahead. Teams that treat AI security as someone else’s problem will learn otherwise, usually at the worst possible time.

The Data

The table below compares what is publicly known about Google’s CodeMender and Anthropic’s Mythos Preview as of May 2026.

| Dimension | Google CodeMender | Anthropic Mythos Preview |
| --- | --- | --- |
| Initial Announcement | October 2025 | April 2026 (via Glasswing launch) |
| Current Availability | API in select external beta (post Google I/O 2026) | Consortium partners only (Glasswing) |
| Primary Use Case | AI agent for code security | Autonomous vulnerability detection and chaining |
| Published Benchmark | Not publicly disclosed | 83.1% on CyberGym (vs. 66.6% for Claude Opus 4.6) |
| Notable Findings | Not publicly disclosed | 27-yr OpenBSD bug, 16-yr FFmpeg bug, Linux kernel escalation bugs |
| Autonomous Operation | Not publicly confirmed | Yes — chains vulnerabilities without human guidance |
| Deployment Model | API (external beta expanding post-I/O) | Controlled consortium access via Glasswing |
| Key Partners | Google Cloud ecosystem (expected) | 12 founding orgs + 40+ extended partners |
| Financial Commitment (Disclosed) | Not disclosed | $100M credits + $4M to OpenSSF/Apache |
| Parent Company’s Coalition Role | Glasswing founding member | Glasswing founder and model provider |

Sources: Anthropic Glasswing, The Verge

The benchmark gap deserves attention. Mythos Preview scores 83.1% on CyberGym versus 66.6% for Claude Opus 4.6 — a 16.5-point jump on a security-specific benchmark from one model generation to the next. That jump suggests focused capability development on security tasks, not a passive carry-over from general model improvements. Google has published no equivalent benchmarks for CodeMender. That absence is its own data point. Either the benchmarks don’t exist yet because the tool is earlier-stage, or the evaluation is internal-only, or the numbers don’t compare favorably enough to release. That question will get answered as the external beta expands and independent researchers begin testing the tool.

The supply chain attack data illustrates the operational tempo that AI security scanning must match, per TechCrunch’s reporting:

| Metric | Detail |
| --- | --- |
| Packages compromised | 317 packages |
| Malicious versions released | 630+ |
| Time window to distribute malicious updates | ~20 minutes |
| Campaign designation | “Mini Shai-Hulud” |
| Identified by | StepSecurity and SafeDep |
| Libraries targeted | TanStack, Antv (Alibaba) |
| Notable downstream victim | OpenAI employees’ computers |
| Attack objective | Credential theft from password managers |

Source: TechCrunch, May 19, 2026

The 20-minute distribution window is the critical number. A human security team reviewing package updates on a daily or even hourly review cycle has no chance of catching a supply chain compromise before a malicious version merges and propagates downstream. Pipeline-integrated AI scanning that operates at commit velocity is not a premium capability in this threat environment — it is the minimum viable defense posture.

Real-World Use Cases

Use Case 1: DevSecOps Teams Protecting AI Marketing Platforms

Scenario: A B2B SaaS company builds AI-powered marketing automation software. Their product relies on a dozen open-source libraries for data processing, API integration management, and LLM orchestration. One of those libraries receives 40 or more version updates per year, each representing a potential supply chain entry point.

Implementation: The DevSecOps team integrates CodeMender into their CI/CD pipeline at the dependency review stage. Every time a new library version is pulled into a pull request, CodeMender scans the update before merge approval is granted. Separately, they access Mythos capabilities through a Glasswing-affiliated security vendor and configure it to run weekly autonomous vulnerability hunts across the full codebase — specifically targeting vulnerability chains that rule-based static analysis cannot detect because they require multi-step reasoning across components.

Expected Outcome: Supply chain compromises get caught at the pipeline before they reach production. The combination of pipeline-integrated scanning (CodeMender) and autonomous hunting (Mythos) creates overlapping defense layers at different time horizons — continuous at merge time and deep weekly. A “Mini Shai-Hulud” style attack never reaches their production environment because the malicious library version is flagged before it merges.


Use Case 2: Agencies Building AI Security Audit Services

Scenario: A mid-size digital marketing agency has been offering AI marketing stack audits since 2025. Client CISOs are now requesting security reviews of AI-specific systems — conversational customer service bots, personalization engines that process behavioral data, and AI content tools that touch customer records. The agency needs a scalable methodology that does not require hiring a full-time security engineer.

Implementation: The agency trains a two-person team on the CodeMender API. For each client engagement, they run CodeMender against the client’s AI application codebase to identify prompt injection surfaces, insecure API key handling patterns, and data exfiltration paths. Findings are delivered in a CISO-ready format — mapped to CVEs and internal remediation workflows — not raw scanner output. The engagement runs two to three weeks per client.

Expected Outcome: The agency closes two to three AI security audit engagements per quarter. More strategically, the security audit creates a recurring revenue path: the CISO keeps the agency on quarterly retainer for CodeMender sweep reviews. This is genuine revenue expansion using a publicly accessible API as service infrastructure. The methodology differentiates the agency from competitors that cannot credibly speak to AI security.


Use Case 3: In-House MarTech Teams Protecting Customer Data

Scenario: A retail brand runs a Customer Data Platform aggregating purchase history, behavioral signals, and AI-generated audience segments across millions of customers. The CDP depends on an event processing library used widely across the industry — exactly the dependency profile that makes a package a high-value supply chain target.

Implementation: The team subscribes to a vulnerability intelligence feed drawing from Glasswing disclosures, OpenSSF bulletins, and Alpha-Omega project outputs. When a vulnerability is flagged for a library in their dependency tree, they cross-reference their specific version and issue an emergency patch if affected. CodeMender runs on their custom enrichment scripts and data pipeline integration layers on a continuous scan cycle tied to their deployment process.

Expected Outcome: The team avoids a data breach scenario that would trigger regulatory review, customer notification requirements, and remediation costs. More practically, they build a documented AI-era security review process for the marketing stack — a requirement that is appearing with increasing frequency in enterprise vendor risk assessments and procurement questionnaires from their own business customers.


Use Case 4: AI Security Vendors Building on the Glasswing Ecosystem

Scenario: An early-stage security startup is building an agentic email security platform to combat AI-powered phishing. The market validates the positioning: Ocean, a comparable startup, recently raised $28 million led by Lightspeed Venture Partners, per TechCrunch (May 19, 2026). Ocean CEO Shay Shwartz described the threat environment directly: “AI just made the entire process automatic, so the scale is much, much bigger now.” The new startup wants to leverage frontier AI security capabilities without a decade of model training investment.

Implementation: The startup applies for extended access through Project Glasswing. They integrate Mythos capabilities into their platform’s email threat analysis engine and use Anthropic’s $100 million in Glasswing model credits to maintain competitive unit economics during the growth phase. The startup positions the Glasswing affiliation as a trust signal in enterprise sales conversations — Mythos-powered threat detection backed by a coalition that includes AWS, Cisco, and CrowdStrike carries credibility that a startup’s own model claims cannot.

Expected Outcome: The startup ships a differentiated product that can credibly compete with entrenched incumbents like Proofpoint and Mimecast without building foundational model capabilities from scratch. They access frontier AI security performance on a credit basis, maintain better gross margins, and close enterprise deals faster because the Glasswing affiliation reduces procurement risk perception.


Use Case 5: Enterprise Security Teams Evaluating Both Tools

Scenario: The security team at a large marketing technology holding company is evaluating AI security tools for their 2027 budget cycle. They need a defensible framework to compare Google Cloud’s CodeMender integration with Mythos access through a Glasswing-affiliated vendor — and they need documentation that satisfies both the CFO and the procurement team.

Implementation: They construct a parallel structured evaluation against a test codebase seeded with known vulnerabilities at varying complexity levels: single-CVE bugs, multi-hop vulnerability chains, and logic flaws that static analysis tools cannot detect. They measure four metrics across both tools: detection rate, false positive rate, time-to-detection, and developer friction (effort required to action findings). They also run a vendor risk assessment covering data residency, model output logging, and data processing agreement terms — critical for a company handling customer data at scale.

Expected Outcome: The team produces a documented vendor evaluation that justifies the budget ask to the CFO and satisfies procurement requirements. They select the tool that performs better on their specific technology stack. The evaluation framework becomes reusable for future AI security tool procurement and is shared across the holding company’s subsidiary brands, creating institutional knowledge rather than a one-off decision.
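One way to score the parallel evaluation described in this use case, as an added example that is not from the article or from either vendor. The matching rule (same file and CWE, within a few lines), the field names, and the two anonymous tools' findings are constructed assumptions; because true negatives cannot be counted in a codebase, the false positive metric is computed as the share of findings that match no seeded vulnerability. Developer friction is a human judgment and is not scored here.

```python
from collections import defaultdict
from statistics import median

LINE_TOLERANCE = 5  # assumption: a finding within 5 lines of the seeded flaw counts as a hit

def score_tool(seeded, findings, tolerance=LINE_TOLERANCE):
    """Score one tool's findings against the seeded ground truth."""
    first_hit = {}        # seeded id -> minutes until the earliest matching finding
    unmatched = 0         # findings that correspond to no seeded vulnerability
    for f in sorted(findings, key=lambda f: f["minutes"]):
        match = next((s for s in seeded
                      if s["file"] == f["file"] and s["cwe"] == f["cwe"]
                      and abs(s["line"] - f["line"]) <= tolerance), None)
        if match is None:
            unmatched += 1
        else:
            # A repeat report of an already-detected flaw is neither a new
            # detection nor a false positive; only the first hit is timed.
            first_hit.setdefault(match["id"], f["minutes"])
    per_tier = defaultdict(lambda: [0, 0])   # tier -> [detected, seeded]
    for s in seeded:
        per_tier[s["tier"]][1] += 1
        if s["id"] in first_hit:
            per_tier[s["tier"]][0] += 1
    return {
        "detection_rate": len(first_hit) / len(seeded),
        "detection_by_tier": {t: d / n for t, (d, n) in per_tier.items()},
        "false_finding_share": unmatched / len(findings) if findings else 0.0,
        "median_minutes_to_detection": median(first_hit.values()) if first_hit else None,
    }

# Constructed ground truth: five seeded flaws across the three complexity tiers.
SEEDED = [
    {"id": "S1", "tier": "single", "file": "api/upload.py",     "cwe": "CWE-22",  "line": 40},
    {"id": "S2", "tier": "single", "file": "api/login.py",      "cwe": "CWE-89",  "line": 88},
    {"id": "C1", "tier": "chain",  "file": "jobs/export.py",    "cwe": "CWE-918", "line": 120},
    {"id": "C2", "tier": "chain",  "file": "jobs/render.py",    "cwe": "CWE-94",  "line": 15},
    {"id": "L1", "tier": "logic",  "file": "billing/refund.py", "cwe": "CWE-840", "line": 61},
]
# Constructed findings for two anonymous tools (not results from any real product).
TOOL_A_FINDINGS = [
    {"file": "api/upload.py",  "cwe": "CWE-22",  "line": 42,  "minutes": 3},
    {"file": "api/upload.py",  "cwe": "CWE-79",  "line": 10,  "minutes": 4},   # no seeded flaw
    {"file": "api/login.py",   "cwe": "CWE-89",  "line": 88,  "minutes": 5},
    {"file": "api/login.py",   "cwe": "CWE-89",  "line": 90,  "minutes": 6},   # duplicate of S2
    {"file": "jobs/export.py", "cwe": "CWE-918", "line": 118, "minutes": 30},
]
TOOL_B_FINDINGS = [
    {"file": "billing/refund.py", "cwe": "CWE-89",  "line": 64,  "minutes": 8},  # wrong class
    {"file": "jobs/render.py",    "cwe": "CWE-94",  "line": 200, "minutes": 9},  # wrong location
    {"file": "api/login.py",      "cwe": "CWE-89",  "line": 85,  "minutes": 12},
    {"file": "jobs/export.py",    "cwe": "CWE-918", "line": 121, "minutes": 20},
    {"file": "jobs/render.py",    "cwe": "CWE-94",  "line": 15,  "minutes": 25},
    {"file": "billing/refund.py", "cwe": "CWE-840", "line": 64,  "minutes": 50},
]

if __name__ == "__main__":
    for label, findings in (("tool_a", TOOL_A_FINDINGS), ("tool_b", TOOL_B_FINDINGS)):
        print(label, score_tool(SEEDED, findings))
```

Reporting the rate per tier matters more than the overall number: a tool can lead on single-bug detection and still miss every multi-hop chain or logic flaw.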

The Bigger Picture

The Google-Anthropic code security competition is one thread in a much larger structural shift in how AI capabilities are being deployed at the infrastructure layer of the enterprise technology stack.

Google I/O 2026 was primarily an agents conference. Per TechCrunch’s coverage, the central strategic bet articulated at the event was Gemini 3.5 Flash as the foundation for “agents, not chatbots.” That framing encompasses Gemini Spark (a 24/7 agentic assistant with Gmail integration), Gemini Omni (multimodal generation), AI Studio for app development, and — through the security lens — CodeMender. These are all autonomous agents operating across live systems with broader permissions and longer task horizons than a conversational AI assistant.

Security is the natural and urgent next domain for autonomous agents, for a specific operational reason: attackers have already automated at scale. The “Mini Shai-Hulud” campaign — 630 malicious package versions across 317 repositories in 20 minutes — was possible because attackers had automated the account compromise and package distribution layers entirely. Human review at that pace is not possible. Defender automation that matches attacker automation is not optional; it is the only viable response architecture.

The Project Glasswing coalition structure signals something important about how the AI security market will mature. Glasswing’s twelve founding organizations include direct competitors — Google, Microsoft, AWS, and Palo Alto Networks all have overlapping security product lines. The coalition exists because the underlying problem, critical software security, is a shared infrastructure concern where every organization in the ecosystem benefits from defensive advances regardless of who produces them. The $100 million in model credits and $4 million in direct grants to OpenSSF and Apache is infrastructure investment, not charity — it makes the open-source foundations that everyone’s products run on more secure.

Several broader dynamics connect directly to marketing operations and martech:

AI agents are the next primary attack surface. Agentic systems carry broader permissions, run longer-lived sessions, make external API calls, and operate on filesystems. An AI agent with write access to a marketing database has a fundamentally different risk profile than a static analytics dashboard. Securing agentic AI systems requires tooling built for that threat model — not the vulnerability scanners designed for 2019 codebases.

Supply chain risk in the AI stack is underappreciated. The libraries most widely used in AI and data engineering stacks — LLM orchestration frameworks, embedding processors, API wrapper packages — are exactly the high-visibility community packages that supply chain attackers target. Teams running AI marketing platforms should treat their AI-specific dependencies as a distinct attack surface category requiring dedicated review, separate from their core application dependencies.

CISO influence over marketing AI budgets is growing. As AI tools handle customer data at scale — in CDPs, personalization engines, AI content systems, and chatbots — security review of marketing AI is shifting from optional checkbox to procurement requirement. Teams that build security evaluation into their AI adoption process now will have faster procurement cycles and better working relationships with CISOs than those still treating security as an afterthought in Q4 budget cycles.

The AI security services market is real and growing. Ocean’s $28 million raise at an early stage — competing against Proofpoint and Mimecast — validates that enterprise buyers are actively paying for AI-native security approaches. The gap between the AI-era threat model and what incumbent security vendors currently provide is a durable business opportunity for agencies, platform vendors, and consultants who invest in AI security tooling and methodology now rather than waiting for the market to mature further.

What Smart Marketers Should Do Now

1. Apply for CodeMender API Access Before General Availability

Google is running a selective external beta starting from Google I/O 2026. Organizations that secure early access will be able to evaluate the tool against their actual codebase, train their teams on its output format, and potentially surface product feedback that shapes the roadmap before general availability. Enterprise software relationships are built on early access participation, not on adoption after the market has already formed. Request inclusion in the CodeMender beta through Google Cloud directly. The request costs nothing. The access creates operational leverage and relationship capital that will matter when enterprise contracts and pricing tiers are set.

2. Pull a Software Bill of Materials for Every Production Application in Your Marketing Stack

The “Mini Shai-Hulud” attack demonstrates that you do not need to be a direct target — you only need to use the same libraries as someone who was. Pull an SBOM (Software Bill of Materials) for every production application your marketing team depends on, from CDPs to AI content tools to analytics platforms and marketing automation systems. Cross-reference your inventory against newly disclosed vulnerabilities using a service like Snyk, Dependabot, or Socket Security. This is a one-time audit that should become a monthly automated process integrated into your team’s operational rhythm. The discovery potential is high; the cost is low.
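A minimal version of the cross-reference step described above, which also covers the version check in Use Case 3, as an added example (not code from the article or from any of the named services). It assumes the SBOM is CycloneDX JSON and the vulnerability feed uses OSV-style records, neither of which the article specifies; all package names, versions and advisory ids are constructed.

```python
from urllib.parse import unquote

# purl type -> OSV ecosystem name (subset; extend for the ecosystems you ship)
PURL_TO_OSV = {"npm": "npm", "pypi": "PyPI", "golang": "Go", "cargo": "crates.io"}

def parse_purl(purl):
    """Return (ecosystem, name, version) for a versioned package URL, else None."""
    if not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    ptype, _, rest = body.partition("/")
    path, _, version = rest.rpartition("@")
    if not path or not version:
        return None                                      # unversioned: cannot be matched
    return PURL_TO_OSV.get(ptype.lower(), ptype), unquote(path), unquote(version)

def iter_components(node):
    """Yield every component, including ones nested under another component."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)

def version_key(version):
    """Numeric key for x.y.z; pre-release and build tags are ignored (simplification)."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(version, affected):
    """True if version is listed explicitly or falls inside a SEMVER range."""
    if version in affected.get("versions", []):
        return True
    try:
        v = version_key(version)
    except ValueError:
        return False                                     # non-numeric: explicit list only
    for rng in affected.get("ranges", []):
        if rng.get("type") != "SEMVER":
            continue
        introduced = None
        for event in rng.get("events", []):
            if "introduced" in event:
                introduced = version_key(event["introduced"])
            elif "fixed" in event and introduced is not None:
                if introduced <= v < version_key(event["fixed"]):
                    return True
                introduced = None
        if introduced is not None and v >= introduced:   # range with no fix yet
            return True
    return False

def match_sbom(sbom, advisories):
    """Return (sorted hits, names of components that could not be checked)."""
    index = {}
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            index.setdefault((pkg.get("ecosystem"), pkg.get("name")), []).append((adv["id"], aff))
    hits, unchecked = [], []
    for comp in iter_components(sbom):
        parsed = parse_purl(comp.get("purl", ""))
        if parsed is None:
            unchecked.append(comp.get("name", "<unnamed>"))
            continue
        ecosystem, name, version = parsed
        for adv_id, aff in index.get((ecosystem, name), []):
            if is_affected(version, aff):
                hits.append((adv_id, name, version))
    return sorted(hits), unchecked

# Constructed sample data: package names, versions and advisory ids are invented.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "router", "purl": "pkg:npm/%40example-scope/router@1.4.2"},
    {"type": "library", "name": "example-charts", "purl": "pkg:npm/example-charts@2.0.1"},
    {"type": "application", "name": "cdp-enrichment", "components": [
        {"type": "library", "name": "example-events", "purl": "pkg:npm/example-events@3.1.0"}]},
    {"type": "library", "name": "vendored-tracking-snippet"},
]}
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-MAL-0001", "affected": [
        {"package": {"ecosystem": "npm", "name": "@example-scope/router"},
         "versions": ["1.4.2", "1.4.3"]}]},
    {"id": "EXAMPLE-MAL-0002", "affected": [
        {"package": {"ecosystem": "npm", "name": "example-charts"}, "versions": ["2.0.2"]}]},
    {"id": "EXAMPLE-0003", "affected": [
        {"package": {"ecosystem": "npm", "name": "example-events"},
         "ranges": [{"type": "SEMVER", "events": [{"introduced": "3.0.0"}, {"fixed": "3.1.5"}]}]}]},
]

if __name__ == "__main__":
    print(match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES))
```

Components returned in the second list have no versioned purl, so the feed cannot say anything about them; treat that list as outstanding audit work, not as a clean result.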

3. Add AI Security Requirements to Your Vendor Procurement Checklist

Every AI tool your team evaluates in 2026 should be required to answer a standard set of security questions before purchase approval: Where is training data and inference output stored? How is model output logged and retained? What are the permission scopes of any agentic features? Does the vendor participate in responsible disclosure programs or have an active bug bounty? Has the vendor been independently audited in the past 18 months? The CISA contractor incident — uploading plaintext credentials to a public GitHub repository — demonstrates that even government-approved vendors maintain weak internal security hygiene. Your procurement checklist is your first line of defense and your best documentation in the event of a breach.

4. Monitor Glasswing Vulnerability Disclosures as Operational Intelligence

Project Glasswing has committed to sharing findings across the security ecosystem, per Anthropic’s Glasswing page. When Anthropic publishes the vulnerabilities Mythos discovers — the OpenBSD flaws, the FFmpeg bugs, Linux kernel escalation paths — those disclosures will be specific to production software that most organizations run. Subscribe to Anthropic’s security research outputs, OpenSSF bulletins, and Alpha-Omega project disclosures. Treating vulnerability research as proactive operational intelligence is the practice that separates teams that catch threats proactively from teams that respond to breaches reactively. The lag between disclosure and exploitation by attackers is measured in hours, not days.

5. Evaluate AI Security as a Productizable Service Line

If you run an agency or consultancy, the CodeMender API is a productizable service asset. The capacity to run an AI-powered security scan against a client’s marketing technology stack — their CDP integration code, their AI content pipeline, their customer data APIs, their custom enrichment scripts — is a service that virtually no traditional marketing agency currently offers at scale, but that CMOs and CISOs are starting to ask for in the same procurement conversation. Building a structured AI security audit offering on CodeMender requires a Google Cloud API subscription and a documented methodology. The margin is in the relationship trust and the repeatable quarterly retainer structure, not in the tool cost itself. This is a real revenue expansion opportunity that leverages infrastructure you can access today.

What to Watch Next

Google CodeMender general availability timeline: Based on the staged rollout pattern — internal debut in October 2025, external beta announced at Google I/O in May 2026 — general availability is likely in Q3 or Q4 2026. Watch for Google Cloud pricing tier announcements, integration announcements with Security Command Center, and MSSP partnership deals that would accelerate enterprise distribution. The pricing model will determine how accessible the tool is to mid-market teams versus enterprise-only buyers.

Mythos Preview full release and updated benchmarks: Anthropic describes Mythos explicitly as “Preview,” signaling a full production release is planned. The Glasswing consortium serves as the controlled deployment environment for capability validation at scale. Watch for updates to the 83.1% CyberGym benchmark — if the number improves further with the full release, it will accelerate enterprise procurement decisions away from incumbent security tools. Also watch for any new high-profile zero-day disclosures attributed to Mythos that extend coverage beyond the initial OS and browser findings.

Project Glasswing findings publications: The coalition has committed to sharing vulnerability research across the security ecosystem, per Anthropic’s Glasswing project page. These publications will be among the most technically detailed AI security research available, and they will reference vulnerabilities in production software your organization likely runs. Subscribe directly via Anthropic’s research blog and OpenSSF communications before the publication cadence begins in earnest.

Supply chain attack escalation patterns: The “Mini Shai-Hulud” campaign followed a previous larger campaign, suggesting an ongoing escalation sequence. Watch CISA advisories and OpenSSF bulletins closely over the next six months — specifically for campaigns targeting Python, Go, and Rust package ecosystems, which are the primary dependency layers for AI and data engineering stacks beyond npm. The next wave will likely be faster, target different ecosystems, and involve more sophisticated evasion of static analysis tools.

Glasswing access productized through enterprise security platforms: Cisco, CrowdStrike, and Palo Alto Networks are all Glasswing founding partners. Watch for announcements about how each is integrating Mythos access into their existing enterprise security platforms — Falcon for CrowdStrike, Prisma Cloud for Palo Alto, and Cisco’s security portfolio. These distribution deals will determine how quickly Mythos capabilities reach the average enterprise security team rather than just the founding consortium members. When CrowdStrike ships Mythos-powered scanning inside Falcon, the competitive dynamics of the CodeMender vs. Mythos contest shift substantially in Anthropic’s favor on enterprise reach.

Regulatory movement on AI security disclosures: Several jurisdictions are advancing mandatory disclosure requirements for AI system vulnerabilities. Watch for FTC guidance on AI system security disclosure obligations for U.S. companies — this is likely to emerge in late 2026 and will directly affect how marketing AI systems are governed, audited, and contractually represented to enterprise buyers. Teams that have already built security review processes for their AI stack will be significantly better positioned for compliance than those still building them under a regulatory deadline.

Bottom Line

Google’s decision to open the CodeMender API to external testers at I/O 2026 is not a minor product announcement — it is a direct market entry against Anthropic’s Mythos, a model that has already demonstrated autonomous detection of decades-old vulnerabilities in production-critical infrastructure. The AI code security market is forming right now, shaped simultaneously by supply chain attacks compromising hundreds of packages in minutes, government agencies leaking credentials through contractor mistakes, and AI-powered phishing scaling to volumes that human review cannot address. For marketers and marketing technologists, the operational stakes are concrete: the AI tools running your marketing stack are attack surfaces, the open-source dependencies they rely on are active attack vectors, and the two most capable AI labs in the world are racing to become the infrastructure layer for how organizations defend their code. Get into the CodeMender beta, pull your dependency inventory, and add AI security review to your procurement process before the next supply chain campaign makes those decisions for you.

