The Bottom Line: AI models now find vulnerabilities ten times faster than previous methods, but the industry must accelerate its verification and patching processes to avoid becoming a risk itself.
The Anthropic Project Glasswing has discovered over ten thousand critical or high-severity vulnerabilities in globally critical software within its first four weeks, working with approximately 50 partners. The system uses Claude Mythos Preview, a language model specifically tailored for security questions.
Since Project Glasswing launched in April 2026, a central problem in software security has intensified: while vulnerability discovery was long the limiting factor, it is now the speed of verification, disclosure, and remediation. The participating partners — including infrastructure providers like Cloudflare — report a tenfold or greater increase in their bug detection rate. Cloudflare itself identified 2,000 bugs in its critical systems, of which 400 were of high or critical severity, with a false positive rate that the company rates as better than human testers.
External testing confirms Mythos Preview’s performance: the UK AI Security Institute reported that Mythos Preview was the first model to solve both of their cyber-range simulations end-to-end. Mozilla found 150 vulnerabilities during testing on Firefox 150 — more than ten times as many as in Firefox 148 with Claude Opus 4.6. The XBOW platform describes Mythos Preview as a significant leap compared to existing models in their web exploit benchmark, with unprecedented precision. Academic benchmarks such as ExploitBench and ExploitGym show Mythos Preview as the strongest performer.
Anthropic follows established disclosure rules in handling the findings: vulnerabilities are disclosed 90 days after discovery — or approximately 45 days after a patch is available. This is intended to give users time to update before attackers can exploit the gaps. Specific details about Mythos Preview’s findings will therefore only be published after sufficient patch distribution, to avoid creating interim risks.
The high rate of vulnerability detections in foundational internet and infrastructure software reduces risks for billions of end users who rely on this software. At the same time, it is clear: AI-powered vulnerability discovery demands new processes in the coordination of security research and software development.
Source: ainews-dev.lumi-systems.io · Published 23 May 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.5.2.