Anthropic just dropped a bomb on the cybersecurity world. The company's unreleased Claude Mythos Preview model has helped around 50 security and infrastructure partners uncover more than 10,000 high- and critical-severity vulnerabilities across some of the planet's most critical software systems, signaling an unprecedented shift in how we approach software security at scale.

Project Glasswing Launches

The findings emerged from Project Glasswing, a cybersecurity initiative launched last month specifically designed to secure critical software before increasingly sophisticated AI systems can be weaponized against defenders. Anthropic's framing makes the stakes clear: as AI capabilities advance on both sides of this equation, the defensive window is shrinking. What used to take months of manual auditing can now happen in weeks—and that's creating its own set of problems.

Bug Detection Hits Tenfold Acceleration

Most participating organizations—which maintain software critical to internet infrastructure and essential services—discovered hundreds of high-risk vulnerabilities within their first few weeks with Mythos Preview. Several partners reported detection rates climbing by more than a factor of 10 compared to traditional methods. The speed isn't just incremental; it's a complete paradigm shift in how vulnerability research operates at scale.

Cloudflare, one of the highest-profile participants, disclosed finding approximately 2,000 bugs total, including 400 classified as high or critical severity, across its critical systems. Notably, the company reported a false-positive rate it considered better than human testers—a detail that should make every security team pay attention. When AI starts outperforming humans on both speed and accuracy in bug hunting, the handwriting is on the wall for legacy security workflows.

External validation came from unexpected places. The UK's AI Security Institute confirmed that Mythos Preview became the first AI model to complete both of its cyberattack simulation ranges end-to-end—a milestone that's either encouraging or terrifying depending on how you view offensive AI capabilities. Mozilla contributed its own data point: researchers found and fixed 271 vulnerabilities in Firefox 150 using Anthropic's technology, compared to roughly 27 in Firefox 148 when using an earlier model. That's more than a tenfold jump.

Open Source Software Faces Critical Patching Crisis

Beyond enterprise systems, Anthropic scanned over 1,000 open-source software projects, identifying approximately 23,019 total vulnerabilities—including 6,202 classified as high or critical severity. Of 1,752 severe flaws independently reviewed, 90.6% were validated as true positives, while 62.4% remained high or critical after assessment.

One concrete example involved wolfSSL, an open-source cryptography library deployed in billions of devices worldwide: Mythos Preview uncovered a flaw that could have allowed attackers to forge certificates and impersonate trusted banking or email websites. The vulnerability has since been patched and assigned CVE-2026-5194.

But here's where the story gets uncomfortable. Anthropic acknowledged that severe bugs found by Mythos Preview take an average of two weeks to patch—and that's assuming organizations can even prioritize them. Some open-source maintainers have already asked the company to slow down vulnerability disclosures because they lack the resources to respond at this pace. We're not facing a discovery problem anymore; we're facing a verification, disclosure, and remediation bottleneck that human teams simply can't scale to match.

Key Takeaways

  • Mythos Preview helped partners uncover 10,000+ high/critical vulnerabilities in weeks rather than months
  • Cloudflare found 2,000 bugs (400 high/critical) with better false-positive rates than human testers
  • Mozilla's bug count jumped from ~27 in Firefox 148 to 271 in Firefox 150 using Anthropic's model
  • Open-source scanning identified 23,019 total vulnerabilities across 1,000+ projects
  • The wolfSSL flaw (CVE-2026-5194) could have enabled certificate forgery attacks at massive scale

The Bottom Line

Anthropic isn't releasing Mythos-class models publicly yet, citing inadequate safeguards—and that's probably the right call for now. But make no mistake: this technology exists, it's being deployed by major players, and it will eventually reach a broader audience. The question isn't whether AI-powered vulnerability research becomes mainstream; it's whether defenders can build patching pipelines fast enough to keep pace with findings that are arriving ten times faster than before. We're witnessing the collision between AI capability acceleration and human bottleneck constraints—and right now, the humans are losing ground fast.