Anthropic has published an update on Project Glasswing, its collaborative AI-powered vulnerability discovery initiative launched last month, revealing that Claude Mythos, the company’s most capable and tightly restricted model, has already surfaced more than 10,000 high- or critical-severity zero-day vulnerabilities across the world’s most systemically important software.
The findings represent one of the most significant milestones in AI-driven security research to date, and simultaneously expose a growing crisis: the security ecosystem’s capacity to patch vulnerabilities is being vastly outpaced by AI’s ability to find them.
Mythos Preview has scanned more than 1,000 open-source projects, generating 23,019 candidate findings across all severity levels. Of those, 1,900 were routed for formal review by six independent external security firms, yielding a 90.8% true-positive rate, with 1,726 confirmed as valid.
An additional 1,129 findings were disclosed directly to maintainers without formal triage, because some open-source teams asked for faster raw disclosure over accuracy.
In total, 1,596 findings have been reported to maintainers, of which 1,451 have been acknowledged. Only 97 have been patched upstream, and 88 security advisories have been published as of May 22, 2026, a stark illustration of the remediation bottleneck now confronting the security industry.
Among Project Glasswing’s approximately 50 partners, Cloudflare alone reported 2,000 bugs, 400 rated high- or critical-severity, with a false-positive rate that Cloudflare’s security team described as better than that of human testers.
Mozilla found and fixed 271 vulnerabilities in Firefox 150 using Mythos Preview, more than ten times the number identified in Firefox 148 using Claude Opus 4.6. Independent offensive security platform XBOW rated Mythos Preview as a “significant step up over all existing models” on its web exploit benchmark.
The UK’s AI Security Institute independently observed that Mythos Preview is the first model to solve the end-to-end, multi-step cyberattack simulations in both of its cyber ranges, which no AI system had previously solved.
On academic exploit benchmarks ExploitBench and ExploitGym, Mythos ranked as the strongest performer across all evaluated models.
One high-profile case involved wolfSSL, a cryptography library deployed across billions of devices worldwide. Mythos Preview autonomously constructed a working exploit capable of forging TLS certificates, allowing an attacker to impersonate banks or email providers with a fully legitimate-appearing website.
The vulnerability has since been patched and assigned the CVE-2026-5194 identifier. Separately, Mythos identified a 27-year-old vulnerability in the OpenBSD kernel and a 16-year-old flaw in FFmpeg, underscoring its ability to detect latent bugs that human researchers had missed for decades.
Anthropic acknowledged that the bottleneck has fundamentally shifted from finding vulnerabilities to fixing them. High- or critical-severity findings take an average of two weeks to patch, and some maintainers have actively asked Anthropic to slow its disclosure rate due to capacity constraints.
The company noted that 827 confirmed high- or critical-severity vulnerabilities are awaiting disclosure, with patches lagging due to overloaded open-source maintainer ecosystems.
To help close the gap, Anthropic launched Claude Security in public beta for Enterprise customers, which has already been used to patch over 2,100 vulnerabilities in three weeks.
The company also released scanning skills, codebase-mapping harnesses, and threat model builder tools to qualifying security teams. A new Cyber Verification Program expands access for security professionals to legitimate red-team and penetration testing work.
Anthropic has additionally partnered with the Open Source Security Foundation’s Alpha-Omega project to help maintainers process the surge of incoming AI-generated bug reports.

