Anthropic says its cybersecurity initiative Project Glasswing has helped uncover more than 10,000 high- and critical-severity software vulnerabilities in just one month, with organizations now struggling to fix bugs as quickly as they are found.
The company said around 50 partners have been using its Claude Mythos Preview model to scan some of the world’s most important software systems. According to Anthropic, the model has dramatically increased the speed of vulnerability discovery across critical infrastructure, cloud platforms, browsers, enterprise software, and open-source projects.
Several participating organizations reported major increases in bug detection rates. Cloudflare said it found 2,000 vulnerabilities across critical systems, including 400 classified as high- or critical-severity. Mozilla reported finding and fixing 271 vulnerabilities in Firefox 150 while testing Mythos Preview, more than ten times the number identified during testing of Firefox 148 with Claude Opus 4.6.
Anthropic said the shift is exposing a new industry bottleneck. “Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it’s limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI.”
Bugs found faster
The company has also used Mythos Preview to scan more than 1,000 open-source projects over the last few months. These projects underpin large parts of the internet and many software products used worldwide.
According to Anthropic, the model identified an estimated 23,019 vulnerabilities in open-source code, including 6,202 rated as high- or critical-severity. Independent security firms reviewed 1,752 of the high- or critical-rated findings and confirmed that 90.6 percent were valid vulnerabilities. Of those, 1,094 were verified as high- or critical-severity.
One example involved wolfSSL, an open-source cryptography library used in billions of devices. Anthropic said Mythos Preview discovered a flaw that could have allowed attackers to forge digital certificates and create fake versions of trusted websites. The vulnerability has since been patched and assigned CVE-2026-5194.
The company noted that software maintainers are increasingly struggling to keep up with reports. Some open-source maintainers have reportedly asked Anthropic to slow the pace of disclosures because they need more time to develop and deploy fixes.
Patching can’t keep up
Anthropic argues that increasingly capable cyber models are changing the economics of software security. While vulnerability discovery once required significant human effort, the company says advanced systems can now uncover flaws at a scale that overwhelms traditional patching workflows.
The effects are already becoming visible. Palo Alto Networks has released more than five times its usual number of patches in a recent update cycle, while Microsoft has indicated that patch volumes will continue growing. Oracle has also reported faster vulnerability discovery and remediation across its products and cloud services.
Beyond vulnerability hunting, Anthropic said Mythos Preview helped one banking partner detect and prevent a fraudulent $1.5 million wire transfer after attackers compromised a customer’s email account and conducted spoofed phone calls.
The company said it is expanding Project Glasswing with additional partners and governments while developing stronger safeguards before considering broader access to Mythos-class systems.
Get the latest in engineering, tech, space & science - delivered daily to your inbox.
With over a decade-long career in journalism, Neetika Walter has worked with The Economic Times, ANI, and Hindustan Times, covering politics, business, technology, and the clean energy sector. Passionate about contemporary culture, books, poetry, and storytelling, she brings depth and insight to her writing. When she isn’t chasing stories, she’s likely lost in a book or enjoying the company of her dogs.