Anthropic’s Claude Mythos Preview has turned software security into a volume problem.
The AI company says partners in its Project Glasswing programme have found more than 10 000 high- or critical-severity vulnerabilities in their own software after just one month of access. Cloudflare alone found 2 000 bugs, including 400 rated high or critical, according to Anthropic’s initial update.
That sounds like good news.
But it also exposes a bigger problem: AI can now discover dangerous bugs faster than many companies can confirm, rank, report, and patch them.
What Anthropic’s Mythos AI actually found
Anthropic launched Project Glasswing as a restricted cybersecurity programme built around Claude Mythos Preview, an unreleased AI model designed for advanced defensive security work.
The company says Mythos can help trusted partners find vulnerabilities in major software systems before attackers exploit them. It has also given access to more than 40 additional organisations that build or maintain critical software infrastructure.

That matters because these are not normal app bugs.
We’re talking about flaws in systems that keep browsers, operating systems, cloud platforms, banks, payment rails, and enterprise networks running. If those systems break, the impact doesn’t stay inside Silicon Valley.
It can reach a fintech company in Cape Town, a bank in Sandton, a university portal, or a government service that depends on the same open-source building blocks.
The numbers are huge — and messy
Anthropic says most Project Glasswing partners found hundreds of critical or high-severity bugs in their own software. Collectively, those partners found more than 10 000.
Here’s the simpler breakdown:
| Area | What Anthropic reported |
| --- | --- |
| Project Glasswing partner findings | 10 000+ serious vulnerabilities |
| Cloudflare findings | 2 000 bugs |
| Cloudflare high/critical bugs | 400 |
| Open-source projects scanned | 1 000+ |
| Estimated high/critical open-source bugs | 6 202 |
| Total open-source findings across severities | 23 019 |
Anthropic also scanned more than 1 000 open-source projects that underpin much of the internet. In those projects, Mythos estimated 6 202 high- or critical-severity vulnerabilities out of 23 019 total findings.
The key word there is “estimated.”
Security teams still need humans to reproduce the issue, confirm whether it’s real, judge how severe it is, and avoid flooding maintainers with bad AI-generated reports.
Why this is not just another AI benchmark
A normal AI benchmark tells us a model scored higher on a test.
This is different.
Anthropic says Mythos has already found thousands of high-severity vulnerabilities, including some in every major operating system and browser. It also says the model can identify and exploit some flaws with little human steering.
That shifts the conversation from “Can AI code?” to “Can AI find the cracks in code faster than defenders can close them?”

For cybersecurity teams, that’s the uncomfortable part.
Bug discovery used to require rare expertise, time, and patience. Mythos suggests advanced AI can compress that process dramatically. It doesn’t remove the need for experts, but it changes what those experts spend their time doing.
They now face a backlog problem.
The bottleneck is patching, not discovery
Anthropic makes one point very clearly: the hardest part is no longer finding the bugs. It’s fixing them.
The company says maintainers are already capacity-constrained, and some have even asked Anthropic to slow down disclosures because they need more time to design patches. Anthropic says a high- or critical-severity bug found by Mythos takes about two weeks to patch on average.
That is a major warning for companies.
If AI tools can discover thousands of flaws, every organisation needs a stronger process for triage. Otherwise, security teams drown in alerts while attackers focus on the few bugs that matter most.

Reuters reported a similar view from cybersecurity practitioners. Experts said Mythos represents a real technical advance, but the bigger challenge is validating, prioritising, and fixing flaws without breaking systems.
That sounds less dramatic than “AI super-hacker.”
But it’s probably more useful.
What this means for South African companies
South African companies don’t need direct access to Mythos to feel the impact.
Local banks, payment startups, retailers, logistics platforms, and public institutions all run on global software stacks. They use Linux servers, open-source libraries, cloud services, browser technologies, APIs, and developer tools that overlap with the systems Mythos is scanning.
So the risk travels.
A serious bug in a widely used library can hit a Johannesburg fintech just as easily as a US cloud company. A vulnerable authentication tool can affect a local SaaS business. A weak crypto library can put customer trust at risk.
That’s why South African teams should ask three practical questions now:
- Do we know which open-source packages our systems depend on?
- Can we patch critical systems quickly without breaking production?
- Do we have a clear process for ranking AI-discovered bugs?
This also connects to the wider AI-security race. We’ve already covered how an OpenAI code security issue exposed internal credential material after attackers hit the software supply chain, which shows how developer tools have become a major attack surface.
Mythos is powerful, but not magic
There’s a danger in overreacting too.
Reuters reported that some cybersecurity experts believe early fears around Mythos have been overstated. Their point is simple: AI-assisted bug hunting already existed, and attackers were dangerous long before Mythos arrived.
The difference is scale.
Mythos appears to lower the effort needed to find serious flaws and scan large codebases. That helps defenders, but it also hints at a future where similar capabilities spread beyond carefully controlled programmes.

Anthropic says Project Glasswing exists to put these tools in defenders’ hands first. It has committed up to $100 million in Mythos usage credits and $4 million in donations to open-source security organisations.
That’s a big commitment.
But open-source maintainers, banks, software vendors, and governments still need to turn findings into fixes.
The new cybersecurity race is about response speed
The lesson from Mythos isn’t that every company needs its own frontier AI model.
The lesson is that every company needs a faster security loop.
That means better software inventories, faster patch testing, tighter access controls, safer deployment pipelines, and teams that can separate scary-looking reports from genuinely urgent vulnerabilities.
For smaller South African startups, this may sound expensive. But the basics still matter: keep dependencies updated, remove unused packages, rotate secrets, monitor abnormal activity, and don’t let one developer laptop become the doorway into everything.

AI will keep finding more cracks.
The real question is whether companies can fix the right ones before attackers arrive.
FAQs
What is Anthropic Mythos AI?
Claude Mythos Preview is Anthropic’s unreleased AI model for advanced cybersecurity work. It helps selected partners find serious software vulnerabilities before attackers exploit them.
How many bugs did Mythos find?
Anthropic says Project Glasswing partners found more than 10 000 high- or critical-severity vulnerabilities in one month. It also reported thousands more findings from open-source software scans.
Should South African companies worry?
Yes, but they shouldn’t panic. The main lesson is to improve patching, dependency tracking, and security triage, because AI can now surface bugs faster than many teams can fix them.
Could Mythos AI replace human cybersecurity teams?
No. Mythos AI can find vulnerabilities quickly, but human experts still need to verify whether those bugs are real and dangerous. The bigger shift is that security teams may spend less time hunting for flaws and more time prioritising, patching, and testing fixes.
