In a landmark development that underscores both the promise and peril of frontier AI in cybersecurity, Anthropic has revealed that its unreleased Claude Mythos Preview model identified more than 10,000 high or critical severity vulnerabilities across systemically important software within just one month of Project Glasswing launch.
Project Glasswing, Anthropic collaborative defensive initiative, provides limited early access to the powerful Claude Mythos Preview model to approximately 50 trusted partners. These include maintainers of critical open source projects, cloud providers, and financial institutions. The goal is to leverage advanced AI to harden the software backbone of the internet before malicious actors can weaponize similar capabilities.
Scale of Discoveries Stuns the Industry
According to Anthropic initial update on Project Glasswing published May 22, 2026, the model has flagged thousands of issues in partners codebases. Many partners reported more than a 10x increase in bug discovery rates compared to previous methods.
In scans of over 1,000 open source projects that underpin global infrastructure, Mythos Preview surfaced an estimated 6,202 high or critical severity vulnerability candidates. Independent triage of a subset confirmed 1,094 as high or critical severity true positives out of 1,726 validated issues. Only a fraction, around 97, have been fully patched upstream so far, with 88 advisories issued.
Notable examples include a critical flaw in the wolfSSL cryptography library (CVE 2026 5194, CVSS 9.1), which could enable certificate forgery and impersonation of trusted services. The model not only detected it but also constructed a working exploit.
Other findings highlight the model ability to unearth long dormant flaws. In earlier evaluations, Mythos Preview identified vulnerabilities in every major operating system and web browser, including a 27 year old bug in OpenBSD and sophisticated multi vulnerability browser exploit chains capable of escaping sandboxes.
The Discovery Patching Gap Emerges as the New Bottleneck
Anthropic openly acknowledges the core challenge. The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.
Open source maintainers are already overwhelmed. Some have requested slower disclosure rates to cope with the volume. Traditional 90 day coordinated vulnerability disclosure timelines are straining under the flood of AI generated findings. Many of these require significant human effort to verify, patch, and deploy.
This mirrors broader industry trends. Mozilla used the model to identify and address 271 vulnerabilities in Firefox 150, over ten times more than in a prior release. Major vendors like Microsoft, Oracle, and Palo Alto Networks are issuing larger than usual patch volumes.
Dual Edged Sword for Cybersecurity
While Mythos Preview excels at defensive applications, such as helping one partner bank detect and block a 1.5 million fraudulent wire transfer, its offensive potential is unmistakable. The model autonomously develops sophisticated exploits, including ROP chains and sandbox escapes, often with minimal human guidance.
This has prompted Anthropic to keep Mythos class models under tight control for now. The company has launched tools like Claude Security for enterprise customers and a Cyber Verification Program for legitimate red teaming and research.
What Comes Next?
Security leaders should treat this as a wake up call. Recommendations from Anthropic and industry observers include the following:
- Shortening patch cycles and streamlining deployment.
- Prioritizing foundational controls such as MFA, hardened configurations, and logging.
- Proactively scanning internal codebases with available AI tools.
- Investing in triage and verification capacity to handle AI scale discovery.
As models with Mythos level capabilities proliferate, the advantage will shift decisively to organizations that integrate AI deeply into their defensive workflows. Those relying on traditional methods risk falling dangerously behind.
The era of machine speed vulnerability discovery is here. The race to patch and harden at scale has only just begun.
BurnTheBoat will continue monitoring Project Glasswing developments and their implications for the broader ecosystem.