Anthropic's advanced AI model, Claude Mythos Preview, has identified more than 10,000 high- and critical-severity software vulnerabilities in critical global infrastructure within its first month of operation under Project Glasswing. This rapid discovery rate highlights a growing imbalance between the speed of vulnerability identification and the capacity for remediation.

Key Takeaways

• Claude Mythos Preview, an AI model from Anthropic, has discovered over 10,000 high- or critical-severity software vulnerabilities.

• The AI's findings indicate that the pace of vulnerability discovery now outstrips the ability of developers to verify, disclose, and patch them.

• Project Glasswing, Anthropic's initiative, provides limited access to this AI for cybersecurity partners.

• The rapid discovery of flaws raises concerns about the potential for misuse by malicious actors.

Project Glasswing and Claude Mythos Preview

Anthropic launched Project Glasswing to provide a select group of approximately 50 partners with early access to Claude Mythos Preview. This frontier AI model is designed to autonomously identify vulnerabilities in widely-used software before they can be exploited. The initiative aims to bolster the security of critical global software infrastructure.

Unprecedented Vulnerability Discovery

Since its inception, Claude Mythos Preview has scanned over 1,000 open-source projects, identifying more than 23,000 vulnerabilities in total. Of these, 6,202 were initially flagged as high- or critical-severity candidates, with 1,726 confirmed as valid true positives. A significant portion, 1,094, were assessed as genuinely high- or critical-severity flaws. Notable discoveries include a critical vulnerability in WolfSSL (CVE-2026-5194) that could allow for certificate forgery.

The Patching Bottleneck

Anthropic acknowledges a significant challenge: the ease with which vulnerabilities are found by AI far exceeds the current capacity for developers to fix them. The process of verifying, disclosing, designing, testing, and rolling out patches is time-consuming, creating a widening risk window. While AI can find bugs in minutes or hours, fixing them still takes days or weeks. This imbalance is leading to an increase in the volume of patches being released by software vendors.

Industry Impact and Future Concerns

Partners involved in Project Glasswing have reported dramatic increases in their bug discovery rates, with some experiencing more than a tenfold jump. Cloudflare, for instance, identified around 2,000 bugs, including 400 high- or critical-severity issues. The UK's AI Security Institute has recognized Mythos Preview as the first AI model capable of successfully completing advanced cyberattack simulation tests end-to-end.

Anthropic warns that models with similar capabilities to Mythos Preview are likely to become more widely available soon. Given the current lack of adequate safeguards against misuse, the company urges software developers to shorten their patch cycles and encourages network defenders to reinforce basic security measures like multi-factor authentication and hardened configurations.

Sources

• Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software, The Hacker News.

• Anthropic's Mythos finds 10,000+ vulnerabilities, flags security bottleneck | Tech News, Business Standard.

• Claude Mythos AI Uncovers More Than 10,000 High-Severity Software Vulnerabilities, CXO Digitalpulse.

• Anthropic warns Claude Mythos Preview finds bugs faster than developers can patch them, The Decoder.