Skip to content

Anthropic's Project Glasswing Finds 10,000+ Critical Vulnerabilities in First Month

Anthropic · Story 1 of 6

Anthropic has published the first major update on Project Glasswing, its initiative to use AI for securing the world's most critical software. The results are staggering: in just one month, approximately 50 partner organizations collectively found more than 10,000 high- or critical-severity vulnerabilities. Cloudflare reported discovering 2,000 bugs across its critical-path systems with a false positive rate better than human testers. Mozilla found and fixed 271 vulnerabilities in Firefox 150 using Mythos Preview, over ten times more than they found in Firefox 148 with Claude Opus 4.6. The UK's AI Security Institute confirmed Mythos Preview is the first model to solve both of their cyber ranges end to end. Anthropic also scanned over 1,000 open-source projects independently, finding an estimated 6,202 high- or critical-severity vulnerabilities, with a 90.6% true positive rate after triage. One notable discovery involved wolfSSL, an open-source cryptography library used by billions of devices, where Mythos Preview constructed an exploit that would let attackers forge SSL certificates. The project has already led to a measurable increase in patch velocity across major vendors including Microsoft, Oracle, and Palo Alto Networks.

Analysis
Live

This is a watershed moment for AI-powered cybersecurity. The sheer volume of real vulnerabilities found—combined with a 90%+ true positive rate—means the security landscape has fundamentally shifted from finding bugs to patching them fast enough.

Frequently Asked Questions
What is Project Glasswing?

Project Glasswing is Anthropic's collaborative effort with ~50 partner organizations to use the Mythos Preview AI model to find and help patch vulnerabilities in the world's most critical software before malicious actors can exploit them.

How does Mythos Preview compare to previous AI security tools?

Mythos Preview represents a significant leap: it can construct complete exploit chains and generate working proofs of vulnerabilities, rather than just identifying potential bugs. Mozilla found 10x more vulnerabilities with it compared to Claude Opus 4.6.