
Anthropic revealed on Friday that Project Glasswing has helped discover more than 10,000 high-severity vulnerabilities across some of the world’s most “systemically” critical software since the cybersecurity initiative was launched last month.
As part of Project Glasswing, an initiative led by the artificial intelligence (AI) company, approximately 50 small partners gained access to Claude Mythos Preview, a frontier model with the ability to discover vulnerabilities in widely used software.
Of these vulnerabilities, 6,202 are classified as high-severity flaws affecting over 1,000 open source projects. Subsequent analysis of these vulnerability candidates identified 1,726 as valid true positives. 1,094 defects are rated as high or critical.
One of the weaknesses identified is a critical flaw in wolfSSL (CVE-2026-5194, CVSS score: 9.1) that could allow an attacker to forge a certificate and impersonate a legitimate service. These efforts resulted in a total of 97 findings that were revised upstream and 88 recommendations issued.
“The relative ease of finding vulnerabilities compared to the difficulty of fixing them is a major challenge for cybersecurity,” Anthropic acknowledged. “By successfully meeting this challenge, our software will be much more secure than before.”
The development comes as software vendors are shipping more patches than ever before due to a surge in AI-assisted vulnerability discoveries, and Microsoft said the number of new patches scheduled to be released each month “will continue to trend upward for some time.”
Autonomous attack security platform XBOW calls Mythos Preview a “significant advance” that is “significantly better than previous models at finding candidate vulnerabilities” and “excellent at analyzing source code with a security mindset.” Recent analysis also found that this model is better at turning vulnerabilities into end-to-end attack chains.

Anthropic added that the utility of Mythos Preview goes beyond finding security flaws. In one case, a Glasswing partner bank allegedly leveraged an AI model to detect and stop a $1.5 million fraudulent transfer after an unknown attacker compromised a customer’s email account and made spoofed phone calls.
Given that models with similar functionality to Mythos may become widely available in the near future, Anthropic is urging software developers to shorten patch cycles and make security fixes available. It’s worth mentioning here that Oracle recently moved to a monthly patch cycle to address critical security issues.
“Network defenders need to shorten their patch testing and deployment schedules,” Anthropic said. “This includes steps such as hardening network default settings, enforcing multi-factor authentication, and keeping comprehensive logs for detection and response.”
The company also announced that it has launched a cyber validation program that allows security professionals to use its models without guardrails for legitimate purposes such as vulnerability research, penetration testing, and red teaming. This is similar to OpenAI’s Daybreak, where defenders can also leverage GPT-5.5-Cyber for specialized workflows.
Models such as Mythos Preview and GPT-5.5-Cyber are not yet publicly available due to concerns that adequate safeguards do not currently exist to prevent large-scale exploitation.
“Glasswing helps system-critical cyber defenders gain an asymmetric advantage.” “However, there is an urgent need for as many organizations as possible to strengthen their cyber defenses. We hope that the publicly available model, and the new tools, resources and research we are providing along with it, will support those organizations in improving their cybersecurity posture.”
