clauding.de
DE
3 min read AI-generated

Project Glasswing: Mythos Found Over 10,000 Critical Security Vulnerabilities

Copy article as Markdown

Anthropic's unreleased model found more bugs in one month than entire security teams find in years. And it's just getting started.

Anthropic Mythos Security Glasswing Cybersecurity
Featured image for "Project Glasswing: Mythos Found Over 10,000 Critical Security Vulnerabilities"

Anthropic published the first progress report on Project Glasswing on May 22 — and the numbers are staggering. Claude Mythos Preview, Anthropic’s most powerful and still-unreleased model, has found more than 10,000 high- or critical-severity vulnerabilities across roughly 50 partner organizations. In a single month.

What Is Project Glasswing?

Launched in April, the program aims to harden the world’s most critical software before similarly capable AI models can be weaponized by attackers. The logic is straightforward: if Mythos-class models are coming from other labs soon, defenders need a head start.

The Numbers Are Wild

The partner results read like a security annual report on fast-forward:

  • Cloudflare found 2,000 bugs, 400 rated high or critical — with a false positive rate that Cloudflare’s team considers better than human testers.
  • Mozilla found and fixed 271 vulnerabilities in Firefox 150 — over ten times more than they found in Firefox 148 with Claude Opus 4.6.
  • In wolfSSL, a cryptography library used by billions of devices, Mythos constructed a working exploit that could forge security certificates — essentially enabling fake bank websites that look completely legitimate.
  • The UK AI Security Institute confirms Mythos is the first model to solve both of their cyber ranges end to end.

On top of that, Anthropic’s own scans of over 1,000 open-source projects have surfaced an estimated 6,200 high- or critical-severity vulnerabilities. With a true-positive rate above 90%, that’s nearly 3,900 confirmed issues in open-source code alone.

The Bottleneck Is Now Human

Here’s the real twist: finding bugs is no longer the hard part. The bottleneck is now verifying, reporting, and patching them. On average, a critical bug found by Mythos takes two weeks to patch. Some open-source maintainers have actually asked Anthropic to slow down — they can’t keep up with the flood of reports.

When Can Everyone Use Mythos?

Short answer: not yet. Anthropic is clear that no company — including themselves — has built safeguards strong enough to release a model this capable publicly. That said, traces of something called ‘Mythos 1’ and ‘claude-mythos-1-preview’ briefly appeared in Claude Code, suggesting Anthropic is at least preparing for limited availability.

In the meantime, Anthropic is making its security tooling more accessible: Claude Security has been in public beta for Enterprise customers for three weeks, and the Cyber Verification Program lets professional security researchers use Claude’s models without certain misuse safeguards.

My Take

Project Glasswing isn’t just a marketing exercise. It demonstrates that frontier models are fundamentally reshaping cybersecurity — for both attackers and defenders. The fact that Anthropic is sharing results this transparently is smart: it builds trust while pressuring the entire industry to harden their software faster. The question is no longer whether AI will find massive numbers of bugs — it’s whether we can fix them fast enough.

Sources: