Anthropic’s Claude Mythos uncovers 10,000+ software flaws

Summary
– Anthropic’s Mythos AI found over 10,000 high- or critical-severity vulnerabilities in critical software, with more than 90% of assessed findings validated as true positives.
– Project Glasswing partners, including Cloudflare and Mozilla, used Mythos to discover hundreds of vulnerabilities in their codebases.
– Patching identified vulnerabilities has become a major bottleneck, as fixing them is more difficult than finding them.
– Anthropic partnered with the Open Source Security Foundation’s Alpha-Omega project to help maintainers triage bug reports.
– Anthropic plans to expand Project Glasswing with government partners but will not release Mythos-class models generally until stronger safeguards are developed.
Anthropic, in collaboration with its Project Glasswing partners, has uncovered more than 10,000 high- or critical-severity vulnerabilities within essential software systems. The company shared this milestone in a recent progress update on the initiative.
Mythos identifies thousands of high-severity vulnerabilities
Back in April 2026, Anthropic launched Claude Mythos Preview, a powerful large language model designed to autonomously detect zero-day vulnerabilities and generate working exploits for them. Alongside this release, the company introduced Project Glasswing, granting access to the LLM for major industry players including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and various open-source community partners. The goal was to help these organizations secure critical software before malicious AI systems could be turned against it.
Since then, Mythos has already aided companies like Cloudflare and Mozilla in discovering hundreds of vulnerabilities within their own codebases. Anthropic has also scanned more than 1,000 open-source projects using the model, resulting in the identification of 23,019 issues. Of those, 6,202 were classified as high- or critical-severity vulnerabilities.
Anthropic and six independent security research firms have assessed 1,752 of those severe findings, and over 90% were validated as true positives, the company reported.
Patching becomes the bottleneck
More vulnerability disclosures aided by Mythos are expected in the coming months, given that the project began only recently. The coordinated vulnerability disclosure process typically requires keeping newly discovered flaws private for 90 days or until patches are available, whichever comes first.
One example involves a vulnerability Mythos found in wolfSSL, an open-source cryptography library embedded in billions of devices. The model constructed an exploit that could allow an attacker to forge certificates, enabling them to host a fraudulent website for a bank or email provider. Although the vulnerability has been patched, technical details remain confidential.
Anthropic noted that while they have provided detailed vulnerability reports to open-source maintainers, these maintainers have become a major bottleneck in the AI-driven vulnerability discovery pipeline.
“The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity,” the company stated.
Plans for the future
To address this bottleneck, Anthropic has partnered with the Open Source Security Foundation’s Alpha-Omega project to help maintainers process and triage bug reports more efficiently.
The company also released Claude Security in public beta for Claude Enterprise customers, aiming to streamline both vulnerability discovery and patching. Additionally, its Cyber Verification Program allows approved security professionals to use Anthropic’s models for legitimate cybersecurity work with fewer restrictions. Qualifying security teams can also access tools used with Mythos Preview, including custom skills, an automated scanning and reporting framework, and a threat-modeling tool designed to identify and prioritize attack targets.
Looking ahead, Anthropic plans to expand Project Glasswing in cooperation with the U.S. government and allied governments. The company intends to make Mythos-class models generally available but only after developing stronger safeguards.
“At present, no company, including Anthropic, has developed safeguards strong enough to prevent such models from being misused and potentially causing severe harm,” the company concluded.
(Source: Help Net Security)