Anthropic Confirms Mythos AI Found More Than 10,000 Critical Software Vulnerabilities

Anthropic says its unreleased Mythos AI model has identified more than 10,000 high- and critical-severity software vulnerabilities as part of Project Glasswing, a cybersecurity initiative focused on protecting critical infrastructure and open-source software.

By Marcus Lee. Edited by Maria Konash.

Anthropic says its unreleased AI cybersecurity model, Claude Mythos Preview, has already identified more than 10,000 high- and critical-severity software vulnerabilities through Project Glasswing, the company’s initiative to secure critical software systems before advanced AI models can be weaponized by attackers.

According to Anthropic, the project has exposed a growing imbalance in cybersecurity: AI systems can now discover vulnerabilities far faster than humans can verify, patch, and deploy fixes for them.

AI Bug Hunting Accelerates Dramatically

Anthropic said roughly 50 partner organizations have been using Mythos Preview to scan critical software infrastructure over the past month.

The company claims most partners have individually uncovered hundreds of serious vulnerabilities, while collectively identifying more than 10,000 high- or critical-severity issues.

Several organizations reportedly increased their bug-finding rates by more than tenfold using the model.

Cloudflare said it found roughly 2,000 bugs across critical systems while testing Mythos Preview, including around 400 categorized as high- or critical-severity.

Anthropic also cited testing from the UK’s AI Security Institute, which reportedly found that Mythos Preview was the first AI model capable of autonomously completing both of its multistep cyberattack simulation environments end-to-end.

Meanwhile, Mozilla said it uncovered and fixed 271 vulnerabilities in Firefox 150 using Mythos Preview, more than ten times the number found in Firefox 148 using earlier Claude models.

Open-Source Software Under Pressure

Anthropic has also been using Mythos Preview internally to scan more than 1,000 open-source software projects that underpin large portions of the internet and cloud infrastructure.

The company says the model identified 23,019 total vulnerabilities, including 6,202 initially assessed as high- or critical-severity.

Of the 1,752 high- or critical-rated vulnerabilities independently reviewed so far, Anthropic says 90.6% were confirmed as legitimate vulnerabilities and 62.4% remained categorized as high- or critical-severity after human verification.

One disclosed example involved a vulnerability in the open-source cryptography library wolfSSL, which Anthropic says could have allowed attackers to forge certificates and impersonate trusted websites such as banks or email providers.

The vulnerability has since been patched and assigned CVE-2026-5194.

AI Is Outpacing Human Patch Capacity

Anthropic argues the main bottleneck in cybersecurity is no longer vulnerability discovery, but human capacity to triage reports, coordinate disclosures, and deploy patches safely.

The company said some open-source maintainers have already asked Anthropic to slow the pace of vulnerability disclosures because they lack the resources to process and fix issues quickly enough.

According to Anthropic, a typical high- or critical-severity vulnerability identified by Mythos Preview currently takes roughly two weeks to patch.

The company warned that this creates a dangerous transition period in which AI systems can discover, and potentially exploit, flaws faster than organizations can secure their software.

Anthropic Expands Cybersecurity Tools

Anthropic says it is now releasing additional cybersecurity tooling based on its work with Mythos Preview.

That includes Claude Security, a vulnerability scanning and remediation tool for enterprise customers, along with a new Cyber Verification Program designed for vetted security researchers using Claude models for legitimate cybersecurity work.

The company is also releasing internal scanning tools, threat-modeling systems, and “harnesses” that help coordinate autonomous AI vulnerability research workflows.

Anthropic Delays Public Release of Mythos-Class Models

Despite the reported results, Anthropic says it still does not believe the industry has developed strong enough safeguards to safely release Mythos-class cybersecurity models publicly.

The company warned that similarly capable systems could dramatically lower the cost and complexity of offensive cyberattacks if released without adequate protections.

The update follows growing concern across governments and cybersecurity organizations about the risks posed by increasingly capable AI systems that can autonomously identify and exploit vulnerabilities in software infrastructure.

Anthropic recently briefed the Financial Stability Board and global regulators about the cybersecurity risks associated with Mythos Preview, while Chris Olah also warned at the Vatican that advanced AI development should not be left solely to private technology companies.
