Organizations participating in Anthropic’s Project Glasswing identified more than 10,000 serious software vulnerabilities, including flaws participants said previous methods likely would not have found.
Anthropic released a detailed update on Project Glasswing, its restricted cybersecurity initiative that gives selected organizations access to Claude Mythos Preview (Mythos) to identify software vulnerabilities in widely used technology systems before attackers can exploit them.
Participating organizations identified more than 10,000 high- and critical-severity vulnerabilities during the first weeks of the program. The company said the vulnerabilities were found in “systemically important” open-source software projects heavily used across cloud infrastructure, operating systems, browsers, enterprise applications, and internet services.
Anthropic noted that several partners are finding more bugs faster, often by a factor of 10, outpacing human-guided efforts and even previous versions of Claude. Some examples include:
- Cloudflare identified roughly 2,000 software flaws across critical systems, including 400 classified as high or critical severity. Cloudflare said the system produced fewer incorrect vulnerability alerts than its human security testers typically generate.
- Mozilla said it found and fixed 271 vulnerabilities in Firefox 150 after testing with Mythos. Mozilla said that was more than ten times the number of vulnerabilities identified in Firefox 148 using Claude Opus 4.6, an earlier Anthropic model.
- The UK’s AI Security Institute said Mythos became the first AI model to successfully complete both of its simulated cyberattack exercises, meaning the system was able to carry out an entire multi-step intrusion scenario from identifying a weakness to achieving the attack objective.
Finding open-source threats
Anthropic used Mythos to scan over 1,000 open-source software projects that support major internet systems.
The company said Mythos identified 23,019 total vulnerabilities, of which 6,202 were estimated to be high- or critical-severity.
Anthropic said 1,752 of the high- or critical-rated findings have been reviewed by six independent security research firms, with a small number reviewed by Anthropic. Of the reviewed findings, 90.6% (1,587) were confirmed as real vulnerabilities. Anthropic said 62.4%, or 1,094, were confirmed as high- or critical-severity.
Based on those review results, Anthropic said Mythos Preview is on track to identify nearly 3,900 high- or critical-severity vulnerabilities in open-source code, even if it finds no additional flaws. The company said it plans to continue scanning open-source projects, so it expects that number to increase.
The company said most vulnerabilities identified through Project Glasswing have not been publicly disclosed because software maintainers are still developing fixes. Anthropic said vulnerabilities are handled through coordinated disclosure processes, in which affected organizations receive private notice before public disclosure.
Anthropic introduces Cyber Verification Program, countering OpenAI’s Trusted Access for Cyber (TAC) program
Anthropic also announced a separate gated cybersecurity program for security professionals. The program removes certain cyber guardrails so that security professionals who already use Anthropic cyber models (Mythos excepted) for cybersecurity purposes can conduct real-world research and testing.
Anthropic said it plans to expand the number of Project Glasswing partners and increase collaboration with critical partners, including governments and infrastructure operators.

