Anthropic published its first progress report on Project Glasswing on May 22, and the headline is designed to travel: in a single month, Anthropic and roughly 50 partners used the unreleased Claude Mythos Preview model to identify more than 10,000 high- or critical-severity vulnerabilities across the world’s most systemically important software. Glasswing is the company’s initiative to harden that software before a capable model gets pointed at it by someone hostile, and the update is the first hard evidence of what a frontier vulnerability-finder does when you turn it loose on real code.
The more useful read is buried under the round number. Ten thousand is an AI-estimated aggregate, not ten thousand confirmed, exploitable, patched bugs, and the update’s own figures show why that distinction matters. What Glasswing actually demonstrates is a shift in where the cost lives. Discovery, the part that used to require a scarce human specialist and weeks of effort, is now fast and cheap. Verification, disclosure, and patching — the parts that were always slow — are now the entire bottleneck. That reversal is the real finding, and it reads worse than the press line.
What Actually Shipped
Glasswing is not a product launch. It is a restricted-access program: about 50 vetted partners get early access to Claude Mythos Preview, a model Anthropic will not release publicly because it can autonomously find and exploit software vulnerabilities. The launch partners are the names you would pick if you were trying to cover critical infrastructure — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, with Cloudflare and Mozilla among those reporting results.
The concrete findings are more interesting than the aggregate. Anthropic pointed Mythos Preview at more than 1,000 open-source projects and reports 23,019 vulnerabilities across all severities, of which it estimates 6,202 are high or critical. Cloudflare ran roughly 2,000 findings, about 400 of them high or critical. Mozilla reported 271 vulnerabilities in Firefox 150 — an order of magnitude more than an earlier Claude model had surfaced in a prior version. The most quotable single result is a certificate-forgery flaw in wolfSSL (CVE-2026-5194, CVSS 9.1) that would let an attacker impersonate a legitimate service, and a partner bank that used the model in the course of catching a fraudulent $1.5 million wire transfer.
This is the origin story we covered when Anthropic first unveiled Claude Mythos Preview and Project Glasswing in April, now with a month of output attached. The capability was never in doubt. What the update tests is whether the output is usable.
The 10,000 Number, Unpacked
Anthropic, to its credit, published the funnel rather than just the top of it, and it narrows fast. Six security firms independently reviewed a sample of 1,752 findings. Around 90% came back as true positives, which is a strong signal-to-noise ratio for automated tooling. But only about 62% of those confirmed findings were graded high or critical severity on human review — roughly 1,094 out of the sample. The model is good at finding real defects. It is noticeably less reliable at rating how bad they are, and severity is the field that decides whether anyone drops what they are doing to fix a thing.
| The 10,000 funnel | Figure |
|---|---|
| Headline: high/critical vulns claimed (month one) | 10,000+ |
| Open-source scan: all severities | 23,019 |
| Open-source scan: estimated high/critical | 6,202 |
| Independent sample reviewed | 1,752 |
| Confirmed true positives (~90%) | ~1,587 |
| Confirmed high/critical (~62% of sample) | ~1,094 |
Not everyone accepts the framing. David Shipley of Beauceron Security argued that once you pare the numbers to what is human-verified and legitimately high-severity, “you get closer to 1,500,” which would put the real-signal rate around 15% of the marketing figure. The exact counts are also contested across outlets: reporting on true positives and on how many bugs have actually been disclosed and patched disagrees depending on the source, so any single tally should be read as approximate. Treat 10,000 as the size of the haystack Mythos flagged, not the number of needles anyone has pulled out and confirmed sharp.
The Capability Cuts Both Ways
The uncomfortable subtext of Glasswing is that the defensive program runs on the exact capability Anthropic considers too dangerous to ship. Mythos Preview is gated precisely because it can find and weaponize zero-days, and Anthropic says so plainly: no company, itself included, “has developed safeguards strong enough to prevent such models from being misused and potentially causing severe harm.” That sentence is the whole reason the model reaches 50 vetted partners instead of a download page.
It is the same tension that has kept Anthropic’s other high-capability cyber work — the vulnerability-finding and exploit-development side of models like Claude Fable 5 — behind restrictive controls rather than in general release. A model that lets a maintainer catch a bug in their own dependency is, bit for bit, a model that lets an attacker who can rent the same compute find it first. Anthropic’s bet is that giving defenders a head start under supervision beats the alternative of waiting for the capability to leak. That is a defensible bet, but it is a bet, and it depends entirely on the gate holding.
The pattern is not unique to Anthropic. OpenAI made the same structural choice with its GPT-5.4-Cyber gated-access program, restricting a more permissive security model to credentialed defenders. The labs have converged on the same answer to dual-use: keep the sharpest tools behind an eligibility fence and hope the fence is the part that scales. Glasswing is that philosophy applied at industrial volume, and the same frontier-model capabilities driving Anthropic’s commercial lead are what make the fence necessary in the first place.
The Patching Problem Is the Real Story
Here is where the update earns its keep. Anthropic states the finding directly: “The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.” In plain terms, they built a machine that produces confirmed high-severity bugs faster than the humans downstream can validate, disclose, and patch them. Average time to patch a Mythos-found high or critical bug is running around two weeks — and that is with well-resourced partners. Some open-source maintainers have asked Anthropic to slow the flow of disclosures, because a volunteer project cannot absorb a firehose of legitimate critical findings on a two-week clock.
That inversion is the genuinely new thing here, and it is not obviously good news. For two decades the scarce resource in vulnerability research was the researcher. Glasswing makes discovery abundant and leaves triage, coordinated disclosure, and remediation exactly as constrained as they were. A backlog of thousands of real, unpatched, now-documented critical bugs is not automatically safer than not knowing — it depends who reads the disclosures first. There is also the unglamorous question of cost: one skeptic estimated the model burns something like $500 a minute in tokens at scale, a figure Anthropic has not confirmed and which, if anywhere near right, means this capability is abundant only for organizations that can afford it.
What To Watch
The number that will actually matter three months from now is not how many vulnerabilities Mythos finds. It is the ratio of confirmed-critical to patched. If disclosure and remediation stay human-bound while discovery keeps compounding, Glasswing produces a widening inventory of known-but-open holes, which is a strange definition of progress. Watch whether Anthropic funds the boring downstream work — maintainer support, disclosure coordination, patch tooling — with the same seriousness it funded the model.
Watch the gate, too. The entire safety case rests on ~50 vetted partners and Anthropic’s own admission that adequate misuse safeguards do not yet exist. Any expansion of access, or any evidence that Mythos-class capability has appeared outside the program, changes the calculus immediately. The counts are the last thing to track: the gap between the 10,000 headline and the ~1,500 a skeptic will verify is the gap between a capability demonstration and a security outcome. Glasswing has clearly proved the first. Whether it delivers the second depends on the part of the pipeline no model has made cheap.
Sources
- Project Glasswing: An initial update — Anthropic
- Anthropic says Mythos has already found more than 10,000 vulnerabilities — Engadget
- Anthropic: Claude Mythos identified 10,000+ software flaws — Help Net Security
- Project Glasswing has uncovered 10,000 vulnerabilities — CSO Online
- Claude Mythos AI Finds 10,000 High-Severity Flaws — The Hacker News
