Anthropic, a prominent player in the AI landscape, has recently shared significant developments regarding its Project Glasswing initiative, which focuses on harnessing AI technologies for vulnerability discovery. Launched just last month, the project has already demonstrated its potential through Claude Mythos, the company’s most advanced and tightly controlled AI model. This initiative has uncovered over 10,000 high- or critical-severity zero-day vulnerabilities across critical software systems globally.
The revelations stemming from this project highlight both a remarkable achievement in AI-driven cybersecurity research and a troubling reality—the security ecosystem is struggling to keep pace with the ever-increasing capabilities of artificial intelligence in identifying vulnerabilities. The sheer volume of vulnerabilities uncovered raises alarms about the current capacity of security teams to address these threats effectively.
The Mythos Preview has actively scanned more than 1,000 open-source projects, leading to the generation of 23,019 possible findings across various severity levels. Out of these, 1,900 cases were escalated for formal review by six independent security firms. Impressively, this led to a true-positive rate of 90.8%, with 1,726 findings ultimately confirmed as valid threats. This high degree of accuracy earned Mythos accolades within the cybersecurity community.
Furthermore, an additional 1,129 findings were disclosed directly to software maintainers at their request without formal triage. Several open-source teams preferred to prioritize speed over accuracy, seeking immediate notifications regarding potential vulnerabilities. Cumulatively, Project Glasswing has officially reported 1,596 findings to maintainers, with 1,451 of those findings acknowledged as legitimate threats. Nevertheless, only 97 of these vulnerabilities have been patched, with 88 security advisories released up until May 22, 2026. This slow progress starkly frames the existing bottleneck hindering organizations from effectively remediating vulnerabilities.
Among the diverse array of partners involved in Project Glasswing, Cloudflare has reported an astonishing 2,000 bugs, 400 of which were classified as high- or critical-severity. According to Cloudflare’s security personnel, the false-positive rate from Mythos is notably lower than that of human testers, showcasing the reliability of AI in vulnerability detection. In a related success story, Mozilla utilized Mythos Preview to discover and remedy 271 vulnerabilities within its Firefox 150 release—this marked a significant increase compared to the vulnerabilities identified in the previous version.
The transition from a reliance on manual security assessments to AI-enhanced solutions represents a paradigm shift in cybersecurity. The UK’s AI Security Institute noted that Mythos Preview is the first AI model capable of successfully solving both of its end-to-end, multi-step cyberattack simulations—a feat that had previously eluded existing AI capabilities. On key academic benchmarks like ExploitBench and ExploitGym, Mythos also ranked as a leading performer among various models, solidifying its standing in the cybersecurity landscape.
Noteworthy examples of vulnerabilities flagged by Mythos include a critical flaw in wolfSSL, a widely-used cryptography library, which allowed for the forgery of TLS certificates. The detection of such vulnerabilities underscores Mythos’s capability to autonomously construct working exploits, posing threats to millions of devices. Following this discovery, the relevant vulnerability was promptly patched and assigned the CVE-2026-5194 designation. Mythos also unearthed a long-hidden vulnerability within the OpenBSD kernel, as well as a significant flaw in FFmpeg, both of which had remained undetected by human researchers for decades.
Anthropic has recognized that the current challenge has shifted from simply identifying vulnerabilities to effectively addressing and resolving them. High- or critical-severity vulnerabilities, it has been observed, take an average of two weeks to patch, suggesting a serious disconnect between detection and remediation efforts. Some maintainers have even urged Anthropic to temper its disclosure rate to manage the overwhelming influx of bug reports.
As of now, 827 confirmed vulnerabilities of high or critical severity await disclosure, a reflection of the capacity issues facing open-source maintainers. In response to these challenges, Anthropic has introduced Claude Security in public beta for enterprise clients. In just three weeks, this initiative has been instrumental in patching over 2,100 vulnerabilities.
Expanding its capabilities further, Anthropic has also deployed scanning skills, codebase-mapping harnesses, and threat model-building tools designed for qualifying security teams. To facilitate the management of incoming AI-generated bug reports, Anthropic has formed a partnership with the Open Source Security Foundation’s Alpha-Omega project.
As the cybersecurity landscape evolves, the need for collaborative efforts and effective solutions to tackle the challenges posed by AI in vulnerability identification becomes increasingly critical. Project Glasswing and Claude Mythos stand at the forefront of this revolution, offering promising pathways to enhance security and protect vital information across the digital ecosystem.