cyberivy

Anthropic uses AI to find over 10,000 severe software flaws

May 23, 2026

A laptop displays abstract code and security graphics in a dark workspace.

Project Glasswing shows how fast AI can accelerate vulnerability discovery. The bottleneck is shifting from finding bugs to verifying, disclosing and patching them.

What this is about

Anthropic published an initial update on Project Glasswing on May 22, 2026. The project uses the unreleased Claude Mythos Preview model to scan critical software defensively for vulnerabilities.

The headline number is stark: Anthropic says roughly 50 partners found more than 10,000 high- or critical-severity vulnerabilities in one month. This is not a routine product announcement. It shows that the bottleneck in cybersecurity is moving from “can we find the bugs?” to “can we verify, disclose and patch them fast enough?”

What Project Glasswing actually does

Project Glasswing is a controlled defensive program. Partners from cloud, browsers, operating systems, security and critical infrastructure run Mythos Preview against selected codebases. According to Anthropic, the model does not merely flag suspicious code; it can also reconstruct exploit paths.

Anthropic gives several concrete examples: Cloudflare found 2,000 bugs, including 400 high- or critical-severity issues. Mozilla found and fixed 271 vulnerabilities in Firefox 150. Across scans of more than 1,000 open-source projects, Anthropic reports 23,019 candidate findings, including 6,202 rated high or critical. External reviewers confirmed about 90 percent of a sample as real vulnerabilities.

Why it matters

For ordinary users, this sounds like good news at first: more bugs are found before attackers exploit them. For companies, it is also a warning. If defenders can move faster with AI, attackers will move faster too.

The real shift is operational. Security teams must triage more findings, maintainers need more time to produce patches, and operators must decide faster which updates are truly urgent. Anthropic itself says some open-source maintainers asked it to slow disclosure because they needed more time.

In plain language

Imagine an old apartment building. In the past, an inspector came once a year and found ten broken pipes. Now a robot with a thermal camera finds hundreds of possible leaks in one afternoon. The building does not become safer by finding leaks. It becomes safer only when workers repair the most important ones.

A practical example

A mid-sized SaaS company runs 80 internal services and depends on 600 open-source packages. An AI scanner reports 120 possible vulnerabilities in one week, 18 of them critical. The security team reviews the 18 first, confirms 11, patches 7 immediately and puts temporary network controls around 4 services. Without prioritization, the company would drown in tickets.

Scope and limits

  • The numbers mostly come from Anthropic and partners; many details remain unpublished for safety reasons.
  • More discovered bugs do not automatically mean more patched bugs. Verification and maintenance are now scarce resources.
  • Mythos Preview is not publicly available. Companies cannot simply reproduce the same results today.

💡 In plain English

Anthropic shows that AI can find security flaws at large scale. That helps defenders, but it also creates a new workload for teams that must verify findings and ship patches.

Key Takeaways

  • Anthropic reports more than 10,000 high- or critical-severity findings in one month.
  • Cloudflare and Mozilla are named as concrete partner examples.
  • Open-source maintainers may be overwhelmed by high-quality AI findings.
  • The central question becomes how fast organizations can verify and patch.

FAQ

Is Mythos Preview publicly available?

No. Anthropic describes it as an unreleased model used in a controlled way through Project Glasswing.

Are all 10,000 flaws confirmed?

Anthropic reports partner findings; in open-source samples, about 90 percent of reviewed high/critical findings were confirmed.

Why is this risky?

Because the same capabilities that help defenders could help attackers if widely available.
