Anthropic has published an initial progress report on Project Glasswing, its initiative to scan critical software infrastructure using its most capable AI model before adversaries can exploit the same technology. In just four weeks, Claude Mythos Preview and roughly 50 partner organizations have collectively uncovered more than ten thousand high- or critical-severity vulnerabilities across some of the world's most widely deployed software.
Among the headline findings: Cloudflare identified 2,000 bugs in its critical-path systems, 400 of which were rated high- or critical-severity, with a false-positive rate Cloudflare's own team considers better than that of human testers. Mozilla found and fixed 271 vulnerabilities in Firefox 150, more than ten times the number identified in Firefox 148 using Claude Opus 4.6. And one partner bank used the model to intercept a fraudulent $1.5 million wire transfer, after a threat actor compromised a customer's email account and made spoofed phone calls.
Anthropic has also run the model across more than 1,000 open-source projects. Of the 1,752 potential vulnerabilities independently assessed so far, 90.6% were confirmed as genuine, with 62.4% rated high- or critical-severity. One notable example was a now-patched flaw in wolfSSL — a cryptography library used by billions of devices — that would have allowed an attacker to forge digital certificates and impersonate legitimate websites.
The company is frank about the emerging problem its own technology creates. Finding vulnerabilities has become dramatically faster; patching them has not. Several open-source maintainers have asked Anthropic to slow its disclosure rate, and on average a high-severity bug takes two weeks to patch after discovery. Anthropic acknowledges this creates a dangerous window, and is calling on software developers to shorten patch cycles and on network defenders to tighten baseline security controls.
To help close the gap, Anthropic has released Claude Security in public beta for enterprise customers — a tool powered by Claude Opus 4.7 that can scan codebases and propose fixes, which has already been used to patch more than 2,100 vulnerabilities in three weeks. The company has also launched a Cyber Verification Program allowing security professionals to access its models with reduced restrictions for legitimate research purposes.
Anthropic says it has not released Mythos-class models publicly because current safeguards are not yet strong enough to prevent misuse. But given the pace of AI development, it expects similarly capable models to emerge from other labs soon.