Project Glasswing: An initial update
Anthropic says Project Glasswing and Claude Mythos Preview have found more than 10,000 serious vulnerabilities, shifting the bottleneck to patching them.
Anthropic’s Glasswing update argues that frontier AI is already powerful enough to find huge numbers of bugs in critical software. The hard part now is verifying, disclosing and patching them fast enough before attackers can exploit them.
Anthropic made a smart computer helper that is very good at finding mistakes in software.
It is like a super-fast checker that can spot tiny holes in a fence. The problem is that finding the holes is faster than fixing them.
So the company is also building tools to help people patch the holes faster. The article says that if the fixes do not keep up, the software can stay unsafe for a while.
Glasswing’s early signal
Anthropic says Project Glasswing, its effort with about 50 partners, has used Claude Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities in some of the world’s most important software. The company frames this as a shift in cybersecurity: the limiting factor is no longer only discovery, but the human work required to verify, disclose and patch bugs.
What the model is finding
The post says partners such as Cloudflare have found large numbers of bugs with very low false positives, and outside testers have also reported strong results. Anthropic cites the UK AI Security Institute, Mozilla, XBOW, and benchmark results from ExploitBench and ExploitGym as signs that Mythos Preview is unusually capable at exploit development and vulnerability discovery.
The open-source scan numbers are large. Anthropic says it has scanned more than 1,000 projects and estimates 6,202 high- or critical-severity vulnerabilities among 23,019 total findings. It says 1,752 of the high- or critical-rated issues were independently assessed, with 90.6% confirmed as valid and 62.4% confirmed as high- or critical-severity.
Why patching is the bottleneck
The article emphasizes that maintainers are overwhelmed. Some have asked Anthropic to slow disclosures so they have more time to patch, and Anthropic says high- or critical-severity bugs take about two weeks to patch on average. That mismatch between discovery speed and repair speed is the central security problem Glasswing is trying to manage.
What Anthropic is shipping
Alongside the research update, Anthropic says it is releasing tools such as Claude Security in public beta for enterprise customers, plus a cyber verification program and additional tooling for scanning, triage and reporting. It also says it is working with foundations and partners to help the ecosystem absorb the flood of findings.
The article’s broader point is that Mythos-class models could make software safer, but the transition period is risky. Faster bug-finding without faster patching creates a dangerous gap, and Anthropic is positioning Glasswing as a way to help close it.
Key points
- Anthropic says Project Glasswing has found more than 10,000 serious vulnerabilities.
- The company says Mythos Preview is helping partners and testers find bugs much faster than before.
- Open-source scans turned up thousands of likely high- or critical-severity issues.
- Maintainters are struggling to triage and patch the flood of findings quickly enough.
- Anthropic is also releasing defensive tools and programs to help security teams respond.
