Claude Mythos AI Finds 10,000 High Severity Bugs in Commonly Used Software
Anthropic on Friday revealed that Project Glasswing has helped uncover more than 10,000 high or critical vulnerabilities in all of the world’s most critical software “systems” since the cybersecurity program went live last month.
Project Glasswing is a defense effort launched by an artificial intelligence (AI) company to protect critical global software infrastructure. It offers a small set of 50 partners exclusively, early access to the Claude Mythos Preview, a border model with the ability to automatically identify vulnerabilities in widely used software before bad actors can exploit them.
Of these vulnerabilities, 6,202 were described as high or critical bugs affecting more than 1,000 open source projects. Subsequent analysis of these at-risk individuals identified 1,726 as positive individuals. A total of 1,094 errors were assessed as high or very serious.
One of the noted vulnerabilities is a critical flaw in WolfSSL (CVE-2026-5194, CVSS score: 9.1) that could allow an attacker to create certificates and impersonate a legitimate service. In total, these efforts resulted in 97 upstream findings and the issuance of 88 advisories.
“The ease of detecting vulnerabilities compared to the difficulty of fixing them equates to the biggest challenge in cyber security,” Anthropic acknowledges. “Addressing this challenge successfully will make our software more secure than ever.”
The development comes as software vendors are sending out more fixes than ever before, driven by an increase in AI-assisted vulnerability detection, with Microsoft noting that the number of new patches it expects to release every month to “continue the big trend for some time.”
Independent offensive security forum XBOW described Mythos Preview as a “major improvement” that is “much better than previous models at detecting vulnerabilities” and “intelligent to analyze source code with a security mindset.” A recent analysis also found the model to be successful in converting vulnerabilities into end-to-end attack chains.
The Mythos Preview utility, Anthropic added, goes beyond finding security flaws. In one case, Glasswing’s partner bank is said to have used an AI model to detect and prevent $1.5 million in fraudulent wire transfers after an unknown malicious actor breached a customer’s email account and made unsolicited calls.
Given that models with similar capabilities to the Mythos may become more widely available in the near future, Anthropic urges software developers to shorten their patch cycles and make security fixes available as soon as possible. It is worth mentioning here that Oracle has recently switched to a monthly cycle to address critical security issues.
“Network defenders must shorten their patch testing times and deployment times,” Anthropic said. “This includes measures such as hardening the automatic configuration of networks, enforcing multi-factor authentication, and maintaining comprehensive logs for discovery and accountability.”
The AI company also said it has launched a Cyber Validation Program that allows security professionals to use its models without monitoring for legitimate purposes such as vulnerability research, penetration testing, and red-collar collaboration. This is similar to OpenAI’s Daybreak, which also allows defenders to use GPT-5.5-Cyber with a special workflow.
Models such as Mythos Preview and GPT-5.5-Cyber are yet to be released to the public due to concerns that there are currently insufficient safeguards to prevent their large-scale abuse.
“Glasswing helps the most important cyber defenders achieve an asymmetric advantage,” it pointed out. “However, there is an urgent need for as many organizations as possible to strengthen their cyber defenses. We hope that our commonly available models, and the new tools, resources, and research we provide to accompany them, will support those organizations to improve their cybersecurity posture.”
