Anthropic and approximately 50 partners have identified more than 10,000 high- or critical-severity vulnerabilities in systemically important software within one month of launching Project Glasswing, demonstrating an increased rate of vulnerability discovery enabled by AI. The collaborative effort utilizes Anthropic’s Claude Mythos Preview to proactively address potential cybersecurity threats before they can be exploited. This surge in findings is now outpacing the industry’s ability to verify, disclose, and patch these weaknesses, creating a new bottleneck in software security. Anthropic explains that progress on software security used to be limited by how quickly new vulnerabilities could be found, but now it’s limited by how quickly the large numbers of vulnerabilities found by AI can be verified, disclosed, and patched. Early results indicate partners are finding bugs at rates exceeding ten times their previous capacity, with Cloudflare discovering 2,000 bugs across critical systems. Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview, over ten times more than they found in Firefox 148 with Claude Opus 4.6. Microsoft has reported that the number of new patches they will release will continue to increase for some time. One Glasswing partner bank even leveraged the model to detect and prevent a fraudulent $1.5 million wire transfer, demonstrating its utility in real-time threat mitigation.
Project Glasswing: Initial Vulnerability Discovery with Claude Mythos Preview
Anthropic, alongside approximately 50 collaborating partners, initiated the project last month to proactively bolster software security before increasingly sophisticated AI models could be exploited for malicious purposes. This collaborative effort is not simply finding more bugs; it’s fundamentally shifting the bottleneck in cybersecurity from detection to remediation. The standard 90-day disclosure policy, traditionally intended to allow time for patching, is now proving inadequate as the sheer volume of AI-discovered vulnerabilities overwhelms existing verification, disclosure, and patching capabilities. Anthropic acknowledges this challenge, stating that they are not yet at the point where they can fully detail their partners’ findings with Mythos Preview without putting end users at risk. Instead, the company is initially releasing aggregate statistics and illustrative examples of Claude Mythos Preview’s performance, promising more detailed analysis once patches are widely deployed.
Early results from partners confirm a substantial increase in bug-finding rates; Cloudflare, for example, uncovered 2,000 bugs, including 400 of high or critical severity, across its critical systems. This aligns with external evaluations, including the UK’s AI Security Institute’s finding that Mythos Preview is the first model to solve both of their cyber ranges end to end. Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview, over ten times more than they found in Firefox 148 with Claude Opus 4.6. Beyond partner discoveries, Anthropic has also used Mythos Preview to scan over 1,000 open-source projects, identifying an estimated 6,202 high- or critical-severity vulnerabilities. Of the 1,752 of these vulnerabilities that underwent independent assessment, a remarkable 90.6% proved to be valid true positives, with 62.4% confirmed as high or critical.
This means the project is currently on track to identify nearly 3,900 high- or critical-severity vulnerabilities in open-source code. One example highlighted is a vulnerability in wolfSSL, where Mythos Preview constructed an exploit allowing an attacker to forge certificates and host a fraudulent website. Anthropic notes that finding these vulnerabilities in the first place has become much more straightforward with Mythos Preview.
Cloudflare & Mozilla Report Increased Bug-Finding with Mythos Preview
The landscape of software security is undergoing a rapid transformation, shifting from a scarcity of vulnerability detection to an abundance fueled by artificial intelligence. This surge is not merely a quantitative increase in discovered flaws, but a fundamental alteration in the rate at which they are being found, placing unprecedented strain on existing verification and remediation processes. Early results demonstrate the power of Anthropic’s Claude Mythos Preview in accelerating vulnerability discovery. This aligns with independent evaluations; the UK’s AI Security Institute confirmed Mythos Preview as the first model to fully solve both of their cyber ranges, complex simulations of multistep cyberattacks. Mozilla’s testing yielded even more dramatic results, with the model identifying and helping to fix 271 vulnerabilities in Firefox 150, over ten times more than they found in Firefox 148 with Claude Opus 4.6.
XBOW, an independent security platform, further validated these findings, stating Mythos Preview is a significant improvement over all existing models and delivers on a token-for-token basis. However, the speed of discovery is now creating a critical bottleneck. Anthropic acknowledges this, explaining that disclosed vulnerabilities represent a lagging indicator of AI’s accelerating capabilities. The sheer volume of findings is overwhelming the capacity of security teams to triage, verify, and deploy fixes. Patched software is now being rolled out much more quickly; the latest Palo Alto Networks release included over five times as many patches as usual. Microsoft has reported that the number of new patches they will release will continue to increase for some time, and Oracle is finding and fixing vulnerabilities across its products and cloud multiple times faster than before. This imbalance (easy to find, difficult to fix) represents a major challenge for cybersecurity, demanding adaptation from defenders to effectively manage the new reality of AI-driven vulnerability discovery.
Mythos Preview is the first model to solve both of their cyber ranges (simulations of multistep cyberattacks) end to end; Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview, over ten times more than they found in Firefox 148 with Claude Opus 4.6.
The UK’s AI Security Institute
AI Security Institute Validates Mythos Preview’s Cyber Range Capabilities
The United Kingdom’s AI Security Institute has confirmed Anthropic’s Claude Mythos Preview as the first artificial intelligence model to successfully navigate both of its complex cyber ranges, simulations designed to replicate multistep cyberattacks, a validation that underscores the rapidly evolving landscape of automated vulnerability discovery. This achievement arrives as Project Glasswing, a collaborative initiative spearheaded by Anthropic and involving approximately 50 partners, reveals an unprecedented rate of identifying high- and critical-severity software flaws. Initial results demonstrate that the project has already uncovered more than ten thousand such vulnerabilities across systemically important software, a figure that dramatically exceeds previous discovery rates. This surge in identified vulnerabilities is not simply a matter of increased scanning; it’s fundamentally altering the bottleneck in cybersecurity. Previously, the limiting factor was the speed of vulnerability discovery; now, it’s the capacity to verify, disclose, and patch these flaws before they can be exploited.
Anthropic acknowledges this shift, noting that the industry’s standard 90-day disclosure policy, allowing time for updates before public release of vulnerability details, is becoming increasingly strained. The company explains, highlighting the tension between transparency and immediate security. Independent assessments further corroborate Mythos Preview’s capabilities. The impact extends beyond identifying existing flaws; Mythos Preview is accelerating the patching process itself. The latest Palo Alto Networks release included over five times the usual number of patches, and Microsoft has reported that the number of new patches they will release will continue to increase for some time. One Glasswing partner bank even leveraged the model to detect and prevent a fraudulent $1.5 million wire transfer, demonstrating its utility in real-time threat mitigation.
Currently, there’s often a long lag between the discovery of a vulnerability, the creation of a patch for it, and the time when the patch is widely deployed by end users.
Open-Source Scan Reveals 6,202 High/Critical Vulnerabilities
The accelerating pace of artificial intelligence-driven vulnerability discovery is rapidly shifting the cybersecurity paradigm, demanding a re-evaluation of traditional defensive strategies. Project Glasswing, Anthropic’s collaborative initiative, has already identified over ten thousand high- or critical-severity vulnerabilities across systemically important software within its first month, demonstrating a dramatic increase in the rate at which flaws are being exposed. This surge is not simply about finding more bugs; it’s about the sheer volume now overwhelming existing verification and remediation processes. Anthropic has leveraged its Claude Mythos Preview model to scan a vast landscape of code, revealing a previously hidden wealth of security weaknesses. A particularly telling aspect of the project is the focus on open-source software, the foundational building blocks of much of the modern internet.
So far, Mythos Preview has found what it estimates are 6,202 high- or critical-severity vulnerabilities in these projects (out of 23,019 in total, including those it estimates as medium- or low-severity). 1,752 of those high- or critical-rated vulnerabilities have now been carefully assessed by one of six independent security research firms, or in a small number of cases by Anthropic itself. Of these, 90.6% (1,587) have proved to be valid true positives, and 62.4% (1,094) were confirmed as either high- or critical-severity. That means that even if Mythos Preview finds no further vulnerabilities, at its current post-triage true-positive rates, it’s on track to have surfaced nearly 3,900 high- or critical-severity vulnerabilities in open-source code, in addition to those it has found for Project Glasswing’s partners. Anthropic intends to continue scanning open-source code for some time, so this number is expected to rise.
Fixing flaws in their code reduces risk for the many other organizations that rely on it, and therefore reduces risk for billions of end users.
Accelerated Patching Rates Reflect AI-Driven Security Progress
The conventional wisdom surrounding software security, that progress hinges on finding new vulnerabilities, is undergoing a rapid shift. Project Glasswing, Anthropic’s initiative leveraging its Claude Mythos Preview AI model, demonstrates that the primary limitation is no longer discovery, but the capacity to verify, disclose, and ultimately patch the escalating number of flaws identified by artificial intelligence. This surge in findings is not merely quantitative; it’s fundamentally altering the security landscape. Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview, over ten times more than they found in Firefox 148 with Claude Opus 4.6. The challenge extends beyond major corporations; even at one partner bank, Mythos Preview aided in detecting and preventing a fraudulent $1.5 million wire transfer.
