Anthropic reports that its Mythos Preview model has uncovered over ten thousand high‑ or critical‑severity bugs in critical software and open‑source projects, but the real bottleneck is now triage, disclosure, and patch deployment.
Project Glasswing: An Initial Update
May 22 2026 – Anthropic
What’s claimed
Anthropic says its Claude Mythos Preview model has already identified more than 10 000 high‑ or critical‑severity vulnerabilities across partner codebases and over 6 200 such bugs in a scan of 1 000+ open‑source projects.
Key numbers include:
- 2 000 bugs found by Cloudflare, 400 of them high/critical, with a false‑positive rate the company deems better than human testing.
- Mozilla discovered 271 issues in Firefox 150, ten times more than with Claude Opus 4.6.
- Independent benchmarks (ExploitBench, ExploitGym, XBOW) rank Mythos Preview as the strongest model for exploit development.
- In open‑source work, 1 587 of 1 752 triaged findings proved to be true positives, and 1 094 were confirmed high/critical.
- Average time to patch a high/critical bug is about two weeks.
Anthropic also launched Claude Security (beta for Claude Enterprise) and a Cyber Verification Program to let vetted security teams use its models with fewer safeguards.

What’s actually new
1. Scale of automated discovery
The headline‑grabbing part is the volume. Traditional static‑analysis tools and manual code review rarely surface thousands of serious bugs in a month. Mythos Preview’s ability to generate plausible exploits—e.g., forging certificates in the wolfSSL library (CVE‑2026‑5194)—shows a shift from finding bugs to demonstrating their exploitability. That level of detail is rare in prior AI‑assisted scanners.
2. Validation pipeline
Anthropic’s numbers are credible because they come from independent security firms and partner organizations. The reported 90.6 % true‑positive rate after human triage is far higher than the 30‑50 % rates typical of earlier AI‑generated alerts. However, the pipeline is still heavily human‑centric: each finding must be reproduced, severity reassessed, and a patch engineered before it can be disclosed.
3. Real‑world impact on patch cadence
Partners such as Palo Alto Networks and Microsoft have already reported a five‑fold increase in the number of patches released in a single cycle. While this correlates with Mythos‑driven discoveries, it also reflects a broader industry push to shorten release windows.
4. Open‑source disclosure bottleneck
The open‑source dashboard (see image above) reveals a steep drop‑off at every stage:
- Discovery → Triage: ~30 % of reported bugs survive initial reproduction.
- Triage → Patch: Only 75 of the 530 high/critical bugs disclosed so far have been patched, and 65 have public advisories.
This mirrors community concerns that maintainers are inundated with low‑quality, AI‑generated reports. Even with a high‑precision model, the human capacity to review and patch remains the limiting factor.
5. Tooling for the broader community
Anthropic’s Claude Security beta can automatically generate fix suggestions, and the Cyber Verification Program offers a controlled environment for red‑teamers. These are incremental steps toward making frontier‑capable models usable without exposing them to malicious actors.
Limitations and open challenges
- Triaging overhead – The current workflow still requires expert analysts to reproduce each exploit. Scaling this to the tens of thousands of findings projected for the next year will demand better automation in reproducibility and severity estimation.
- Disclosure fatigue – Open‑source maintainers report “capacity constraints” and have asked Anthropic to throttle disclosures. Slowing the flow may reduce the advantage of early detection.
- Patch latency – Even with a two‑week average fix time, the window between discovery and deployment is large enough for sophisticated threat actors to weaponize the same vulnerabilities, especially if they have access to comparable models.
- Model misuse risk – Anthropic acknowledges that no existing safeguards fully prevent a Mythos‑class model from being weaponized. Until robust containment mechanisms exist, public release remains off‑limits.
- Benchmark relevance – While Mythos Preview tops current exploit‑development benchmarks, those tests are still synthetic. Real‑world attack chains often involve supply‑chain integration, credential theft, and post‑exploitation steps that are not captured by current metrics.
How defenders can adapt now
- Accelerate patch pipelines – Adopt continuous‑integration/continuous‑deployment (CI/CD) practices that allow rapid testing and rollout of security fixes.
- Leverage AI for triage – Use models like Claude Security to prioritize findings based on exploitability scores before human review.
- Harden defaults – Follow NIST and NCSC guidance on network hardening, MFA, and logging; these controls reduce reliance on any single patch.
- Participate in coordinated disclosure – Engaging with initiatives such as the Open Source Security Foundation’s Alpha‑Omega project can help share the triage burden.
- Invest in defender‑focused tooling – The upcoming harnesses, custom instructions, and threat‑model builders announced by Anthropic can lower the entry barrier for security teams that lack deep AI expertise.
What’s next for Project Glasswing
Anthropic plans to:
- Expand the partner network, including collaboration with U.S. and allied governments.
- Continue scanning open‑source ecosystems, aiming for ≈ 3 900 high/critical bugs, assuming current true‑positive rates hold.
- Refine safeguards before a general release of Mythos‑class models.
- Grow the ecosystem around open‑source security (e.g., Cisco’s Foundry Security Spec and the Alpha‑Omega project).
The overarching goal is to shift the security balance: find bugs faster than attackers can exploit them, while simultaneously building processes that can keep up with the flood of findings.
For more technical details, see the Frontier Red Team blog and the open‑source vulnerability dashboard linked in the original announcement.
