Project Glasswing: AI Found 10,000 Critical Vulnerabilities. Now Comes the Hard Part.

The Machine Outran the Patch Cycle

The single most operationally significant fact out of Project Glasswing is not the number of vulnerabilities found. It is the patch rate at launch. At the time of the initial disclosure, over 99% of the vulnerabilities found by Mythos Preview had not yet been patched. That gap between discovery velocity and remediation velocity is the core problem every security team now has to confront.

Anthropic and its Project Glasswing partners have identified more than 10,000 high- or critical-severity vulnerabilities in critical software systems. Over the past few weeks, Claude Mythos Preview identified thousands of zero-day vulnerabilities, many of them critical, in every major operating system and every major web browser, along with a range of other important software. The project launched April 7, 2026. The 10,000-vulnerability update dropped May 26—roughly seven weeks of scanning.

What Mythos Actually Did

Anthropic says it did not explicitly train Mythos Preview to have these capabilities—they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy. The same improvements that make the model more effective at patching vulnerabilities also make it more effective at exploiting them.

Mythos Preview has improved to the extent that it mostly saturates existing benchmarks, which led Anthropic's red team to shift focus to novel real-world security tasks, in large part because metrics measuring replications of previously known vulnerabilities can make it difficult to distinguish novel capabilities from cases where the model simply remembered the solution. Zero-days eliminate that ambiguity.

The exploits are not trivial. In one case, Mythos Preview wrote a browser exploit that chained together four vulnerabilities, writing a complex JIT heap spray that escaped both renderer and OS sandboxes. It autonomously obtained local privilege escalation exploits on Linux and other operating systems by exploiting subtle race conditions and KASLR-bypasses. It reproduced vulnerabilities and developed working exploits on the first attempt in over 83% of cases.

Many of the vulnerabilities it finds are ten or twenty years old, with the oldest found so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security. Mythos also identified a vulnerability in wolfSSL, an open-source cryptography library used by billions of devices, and constructed an exploit that would let an attacker forge certificates to host a fake website for a bank or email provider.

The Validation Numbers Matter

The standing objection to AI-driven security tooling is false positives: flood a security team with noise and triage becomes the bottleneck. Glasswing has actual numbers here. Anthropic scanned more than 1,000 open-source projects with Mythos, identifying 23,019 issues, of which 6,202 were high- or critical-severity vulnerabilities. Anthropic and six independent security research firms assessed 1,752 of those high- or critical-severity findings, and more than 90% were validated as true positives.

Cloudflare reported finding 2,000 bugs, including 400 of high or critical severity, with the model's false-positive rate outperforming human security testers. The UK's AI Security Institute observed that Mythos Preview is the first model to fully solve its multistep cyberattack simulations, while Mozilla utilized the model to uncover and patch 271 vulnerabilities in Firefox 150, yielding ten times more findings than previous testing with Claude Opus 4.6.

A 90%-plus true-positive rate at this scale changes the economics. Traditional static analysis tools routinely produce false-positive rates that make triage itself a full-time job. If Mythos-derived tooling maintains that accuracy in production, security teams can redirect effort from noise filtering to actual remediation.

The Coalition and the Controlled Release

Anthropic gave Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and other partners in the open source community access to the model to help them secure critical software before AI systems can be used to target it.

Anthropic is committing up to $100 million in usage credits for Mythos Preview, as well as $4 million in direct donations to open-source security organizations. The open-source allocation matters because it addresses the weakest link: large OS vendors have the engineering capacity to absorb a surge of findings. The Linux kernel's smaller maintainer teams and thousands of libraries sitting underneath enterprise software stacks do not.

Due to the severe dual-use risks associated with these autonomous exploit capabilities, Anthropic has withheld Mythos from public release, restricting its use to defensive consortium members. To make vulnerability discovery and patching easier for a broader audience, Anthropic released Claude Security in public beta for Claude Enterprise customers. Its Cyber Verification Program allows approved security professionals to use its models for legitimate cybersecurity work with fewer restrictions, and Anthropic is also making tools used with Mythos Preview available to qualifying security teams—including custom skills, an automated scanning and reporting framework, and a threat-modeling tool for identifying and prioritizing attack targets.

The Structural Problem

The industry is entering a transitional phase where the traditional 90-day coordinated vulnerability disclosure window poses new risks. Because Mythos-class models reduce the cost and time of zero-day discovery to nearly zero, the lag between discovery and widespread patch deployment offers a highly dangerous exploit window for threat actors.

This is not theoretical. The median time from the first disclosure to the first observed exploitation dropped from 771 days in 2018 to single-digit hours by 2024, and by 2025, the majority of exploits were weaponized before being publicly disclosed. Mythos does not create this problem; it accelerates a trajectory that was already dangerous.

The deeper issue is what happens when similar capability escapes the Glasswing consortium. Anthropic's own team estimates that similar capabilities will proliferate from other AI labs within six to eighteen months. At that point, the asymmetry reverses: any actor with access to a comparable model can find the same vulnerabilities that Glasswing partners are racing to patch.

The structural problem is asymmetry. AI lowers the cost and skill requirement for finding and exploiting vulnerabilities. Defenders still operate patch cycles, risk models, and detection systems built for human-speed threats.

Anthropic appears to be positioning Claude Security and Glasswing as recurring infrastructure for enterprise security operations, not a one-time research publication. The Cyber Verification Program and the enterprise beta suggest a commercial motion. If that is the intent, it has long-term margin implications—security tooling carries higher switching costs and longer contract durations than productivity software.

What to Watch

1. Patch rate tracking. The success metric for Glasswing is not vulnerabilities found but vulnerabilities closed before exploitation. Watch for Anthropic or partners to publish Mean Time to Remediation data. If the average finding from April 2026 remains unpatched by October 2026, the project's defensive premise weakens.

2. CVE publication cadence. More vulnerability disclosures from Mythos are forthcoming, as the project started a couple of months ago and the coordinated vulnerability disclosure process typically takes time—newly discovered flaws are kept private, usually for 90 days or until patches are available, before being made public. The flood of CVE disclosures beginning in Q3 2026 will test whether enterprise patch pipelines can absorb the volume. Track CVE-2026-4747 (FreeBSD NFS RCE) as the first public stress test.

3. Competitive response from other frontier labs. OpenAI is reportedly developing a model with comparable abilities. If a second lab publishes similar offensive capability findings within the next six months, the controlled-coalition model Anthropic chose becomes harder to sustain as an industry norm.

4. Regulatory clarification. Anthropic plans to work with partners, including the US government and allied governments, to expand Project Glasswing. Watch whether CISA or DHS moves to formalize standards for AI-driven vulnerability disclosure coordination—the 90-day window was built for human-speed research and may not survive contact with Mythos-class throughput.

5. Open-source maintainer capacity. The most likely failure point is not the OS vendors with full-time security teams. It is the critical libraries—cryptography, networking, compression—maintained by small volunteer teams who cannot absorb hundreds of new critical findings per quarter. Watch whether the $4 million in open-source donations gets structured as triage capacity or disappears into general operating costs.