Anthropic's Project Glasswing Uncovers Over 10,000 High-Severity Vulnerabilities Using Claude Mythos AI
Anthropic's Project Glasswing has discovered over 10,000 high- or critical-severity vulnerabilities in widely used software using its Claude Mythos AI model, marking a major leap in automated vulnerability research.
Anthropic on Friday disclosed that Project Glasswing, a cybersecurity initiative leveraging its Claude Mythos AI model, has uncovered more than 10,000 high- or critical-severity vulnerabilities across systemically important software since launching last month. The effort involves about 50 partner organizations, including banks and security firms, that have been granted access to the frontier model to find flaws in widely used codebases.
Of the vulnerabilities identified, 6,202 were classified as high- or critical-severity, impacting over 1,000 open-source projects. Subsequent validation confirmed 1,726 as true positives, with 1,094 assessed as high- or critical-severity. One notable finding is a critical flaw in WolfSSL (CVE-2026-5194, CVSS 9.1) that could allow certificate forgery. So far, 97 findings have been patched upstream, and 88 advisories have been issued.
Anthropic acknowledged the challenge: "The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity." The company urged software vendors to shorten patch cycles, noting that Microsoft has already seen a surge in patches due to AI-assisted discovery. Autonomous security platform XBOW described Mythos Preview as "a major advance" that is "substantially better than prior models at finding vulnerability candidates."
Beyond vulnerability discovery, Mythos Preview has demonstrated practical utility. In one case, a partner bank used the AI to detect and prevent a fraudulent $1.5 million wire transfer after a threat actor breached a customer's email account. This highlights the model's potential for real-time fraud detection and response.
Given that models with similar capabilities could become broadly available soon, Anthropic is urging organizations to harden their defenses. Recommendations include shortening patch testing and deployment timelines, enforcing multi-factor authentication, and maintaining comprehensive logs. The company has also launched a Cyber Verification Program, allowing security professionals to use its models without guardrails for legitimate research, similar to OpenAI's Daybreak initiative.
However, models like Mythos Preview and GPT-5.5-Cyber have not been released publicly due to concerns about inadequate safeguards against misuse at scale. Anthropic emphasized that Project Glasswing aims to give systemically important defenders an asymmetric advantage while urging broader adoption of security best practices.
The development comes amid a broader trend of AI-driven vulnerability discovery reshaping the cybersecurity landscape. As AI models become more capable, the gap between finding and fixing vulnerabilities may widen, necessitating faster patch cycles and more proactive defense measures.