21.05.2026
3 min
135
Anthropic said its AI model, Claude Mythos, has helped identify more than 10,000 high- and critical-level vulnerabilities in popular software around the world. Some of the issues have already been confirmed as real, and hundreds of them could pose a serious threat to system security.
Project Glasswing was a defense initiative developed by an artificial intelligence (AI) company to defend against threats to critical global software. The company provided a small group of around 50 “partners” with early access to the Claude Mythos Preview, an advanced model capable of detecting potential vulnerabilities in many commonly used software programs prior to those being exploited by attackers.
Out of the 6202 vulnerabilities identified as high or critical, over 1000 were found in open-source projects. Upon further review of the vulnerability candidates, it was determined that 1726 were true positives. Of all the identified vulnerabilities, 1094 were ranked as high or critical.
Additionally, one of the most severe vulnerabilities that was identified is a critical flaw in WolfSSL (CVE-2026-5194 CVSS = 9.1). If an attacker could exploit this flaw they would be able to create fake certificates to pose as legitimate services. Additionally, based on the results from these efforts, there were 97 corrections made to software bugs and 88 additional warnings.
According to Anthropic “the relatively easy nature of identifying vulnerabilities versus the difficult task of resolving vulnerabilities presents a substantial threat to cyber security.” According to Anthropic “once we successfully address this problem, the security of our software will be significantly improved.”
This announcement comes during a period of rapid growth in the number of fixes that have been created due to the growing use of AI in discovering vulnerabilities. In fact Microsoft has stated that the number of monthly patches it plans to issue “will continue to rise for sometime.
Anthropics stated that the benefits of previewing mythos extend far beyond simply discovering security vulnerabilities. According to glasswing partner bank, they were able to stop a potential fraud loss of $1.5 Million dollars using an ai model to detect and prevent a fraudulent transaction when an unknown hacker was able to obtain access to a customers e-mail account by making false phone calls.
As anthropic has indicated, models capable of being just as good or better than mythos are expected to be widely adopted in the coming months/years. Therefore, anthropic recommends shortening the amount of time it takes to create updates and apply security patches as soon as they can be created. Oracle has already shortened their patch release cycle from quarterly to monthly to enable timely releases of critical security fixes.
According to anthropic, “cyber defenders should reduce the amount of time required to test and implement patches. Some ways include; hardening the default configuration of networks, implementing mfa (multi factor auth) and logging all activity for monitoring/detection/response”.
Additionally, according to anthropic, the company has established a cyber verification program that would allow qualified individuals to utilize their models freely, but only for specific uses related to cyber defense including; conducting vulnerability research, performing penetration testing and utilizing red team tactics. Similar programs exist with openai’s daybreak where defenders may utilize gpt-5.5-cyber for specialized work-flows.”
