At a glance: Anthropic’s AI model Claude Mythos has discovered over 10,000 security vulnerabilities in critical software through Project Glasswing. 1,094 of these vulnerabilities are classified as highly critical. The company is calling on developers to accelerate their patch cycles and train security professionals.
AI company Anthropic has announced that its Project Glasswing has uncovered more than 10,000 high and critical severity security vulnerabilities in widely used software globally. The Claude Mythos model is being used by approximately 50 partners for vulnerability discovery.
Anthropic’s Project Glasswing is a cybersecurity initiative in which selected partners receive access to Claude Mythos Preview – a state-of-the-art AI model with the ability to identify vulnerabilities in widely distributed software. Of the more than 10,000 vulnerabilities discovered, 6,202 were classified as critical security flaws in more than 1,000 open-source projects. Subsequent analysis revealed 1,726 to be true positives, of which 1,094 were classified as critical.
A particularly critical example is a vulnerability in wolfSSL (CVE-2026-5194, CVSS score: 9.1) that could enable attackers to forge certificates and impersonate legitimate services. To date, 97 of these security vulnerabilities have been patched and 88 security advisories have been published.
Anthropic points to a central challenge: finding security vulnerabilities is comparatively simple, while fixing them is significantly more resource-intensive. Microsoft is responding to this development: the software giant announced that it will continuously release more patches per month.
The AI model also demonstrates utility beyond pure vulnerability detection: a Glasswing partner, a bank, used Mythos Preview to prevent a fraudulent wire transfer of 1.5 million dollars after an unknown threat actor compromised a customer’s email account.
Given that similar models could become more widely available in the near future, Anthropic is calling on software developers to shorten their patch cycles. The company has also launched a “Cyber Verification Program” that gives security professionals access to its models without the security safeguards, for legitimate purposes such as vulnerability research, penetration testing, and red-teaming – similar to OpenAI’s “Daybreak” program.
Models such as Mythos Preview and GPT-5.5-Cyber are currently withheld from the public, as adequate safeguards against large-scale misuse are not yet in place.