Anthropic said around 50 cybersecurity and infrastructure partners using its unreleased model, Claude Mythos Preview, have uncovered more than 10,000 high- and critical-severity vulnerabilities in some of the world's most important software systems, signaling a dramatic shift in how software security is evolving.
The findings emerged from Project Glasswing, a cybersecurity initiative launched last month to secure critical software before increasingly advanced AI systems can be turned against defenders.
According to Anthropic, the scale of vulnerabilities surfaced by Mythos Preview has fundamentally altered the pace of software security work.
"Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it's limited by how quickly we can verify, disclose, and patch" the growing number of flaws identified by AI, the company said in a blog post.
Partners Report Tenfold Jump in Bug Detection
Anthropic said most participating organizations, which maintain software critical to the internet and essential infrastructure, found hundreds of high-risk vulnerabilities within weeks. Several partners reported bug-finding rates increasing by more than a factor of 10.
Cloudflare, one of the participants, said it discovered 2,000 bugs, including 400 high- or critical-severity vulnerabilities, across critical systems using Mythos Preview. The company added that the model delivered a false-positive rate it considered better than human testers.
External evaluations also underscored the model's cyber capabilities. The UK's AI Security Institute said Mythos Preview became the first AI model to complete both of its cyberattack simulation ranges end-to-end. Mozilla, meanwhile, reported finding and fixing 271 vulnerabilities in Firefox 150, more than 10 times the number discovered in Firefox 148 using an earlier Anthropic model.
Open-Source Software Faces Patching Bottleneck
Beyond enterprise systems, Anthropic said it scanned more than 1,000 open-source software projects, identifying an estimated 23,019 vulnerabilities, including 6,202 classified as high or critical severity. Of 1,752 severe vulnerabilities independently reviewed, 90.6% were validated as true positives, while 62.4% remained high or critical after assessment.
One example involved wolfSSL, an open-source cryptography library used in billions of devices. Anthropic said Mythos Preview uncovered a vulnerability that could have enabled attackers to forge certificates and impersonate trusted banking or email websites. The flaw has since been patched and assigned CVE-2026-5194.
Still, Anthropic warned that cybersecurity teams are struggling to keep up with the flood of discoveries. Severe bugs found by Mythos Preview take an average of two weeks to patch, while some open-source maintainers have asked the company to slow vulnerability disclosures because of limited resources.
The company said it is not yet releasing Mythos-class models publicly, arguing that safeguards against misuse remain inadequate, even as it expands Project Glasswing with governments and critical infrastructure partners.