Project Glasswing, Anthropic's collaborative AI cybersecurity initiative, has just published its first major progress report -- and the numbers are striking. Since launching, Anthropic and its approximately 50 partners have used Claude Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities across the most systemically important software in the world. The finding that stands out most, though, is not the volume of bugs found. It's what's now bottlenecking the whole effort: humans can't patch fast enough.
Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it's limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI. That's a fundamental shift in the economics of cybersecurity -- and it has implications for every organization that ships software.
What Claude Mythos Preview Actually Is
Claude Mythos Preview is a general-purpose, unreleased frontier model that reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. This is not a fine-tuned security scanner. It is a general reasoning model that happens to be extraordinarily good at understanding code at a deep, adversarial level.
Internal testing revealed the model's capacity to locate vulnerabilities and, crucially, combine those primitives into complete, end-to-end attack chains, a level of sophistication previously unseen in large language models. An "exploit primitive" is a building block of an attack -- for example, a memory corruption trick that lets you write to an arbitrary address. Chaining these into a full attack is what separates a theoretical bug from a working weapon.
The Numbers Behind the First Month
After one month, most partners have each found hundreds of critical- or high-severity vulnerabilities in their software. Several have told us that their rate of bug-finding has increased by more than a factor of ten. Some specific highlights from partners and external evaluators:
- Cloudflare found 2,000 bugs (400 of which are high- or critical-severity) across their critical-path systems, with a false positive rate that Cloudflare's team considers better than human testers.
- Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview -- over ten times more than they found in Firefox 148 with Claude Opus 4.6.
- The UK's AI Security Institute (AISI) found that Mythos Preview is the first model to fully solve its rigorous corporate network attack simulations, completing an average of 22 out of 32 steps and achieving full end-to-end compromise in 30% of attempts.
Don't miss what's next in AI
Join 300,000+ engineers and researchers who get the signal, not the noise.
- Full access to in-depth AI research breakdowns
- Be the first to know what's trending before it hits mainstream
- Daily curated papers, repos, and industry moves