Anthropic’s Project Glasswing uncovers over 10,000 software vulnerabilities using AI

Claude Mythos Preview found thousands of zero-day flaws in critical software, including bugs that went undetected for decades, but fewer than 100 have been patched so far.

Share

Add us on Google by Editorial Team May. 23, 2026

Anthropic’s restricted AI model just did in weeks what human security researchers couldn’t do in decades. Project Glasswing, the company’s cybersecurity coalition, has collectively identified over 10,000 high- and critical-severity software vulnerabilities, including thousands of zero-day flaws that had been lurking undetected in widely used systems for years.

Among the discoveries: a 27-year-old vulnerability in OpenBSD and a 16-year-old bug in FFmpeg. Both had survived every prior round of human code review and automated testing.

What Project Glasswing actually is

Anthropic launched Project Glasswing on April 7, 2026, built around its unreleased frontier model called Claude Mythos Preview. The core idea is straightforward: point an extraordinarily capable AI at critical software infrastructure and let it hunt for security flaws that humans keep missing.

Advertisement

Claude Mythos Preview is so good at finding and exploiting vulnerabilities autonomously that Anthropic decided not to release it publicly. Instead, they formed a coalition of technology and infrastructure companies that get exclusive access to the model strictly for defensive security work.

Over 40 organizations now participate in the initiative. Anthropic has committed up to $100 million in model usage credits to support the effort, along with roughly $4 million earmarked for open-source security enhancements.

The update released around May 22-23, 2026, is where the numbers get staggering. Partners collectively reported those 10,000-plus high- and critical-severity vulnerabilities, with thousands classified as zero-days, meaning they were previously unknown to the software maintainers and the broader security community.

The remediation bottleneck

Finding vulnerabilities is one thing. Fixing them is another problem entirely.

Of the thousands of validated high-severity findings, fewer than 100 confirmed patches have been deployed so far. The AI can discover flaws at a pace that dramatically outstrips the industry’s ability to actually remediate them.

The zero-day discoveries are particularly revealing. A 27-year-old flaw in OpenBSD means that for nearly three decades, every security audit, every fuzzing campaign, every pair of expert eyes that reviewed that codebase missed something that an AI model caught. The 16-year-old FFmpeg bug tells a similar story. These aren’t obscure projects. OpenBSD is renowned for its security focus, and FFmpeg is embedded in countless media applications worldwide.

What this means for investors

The $100 million in usage credits that Anthropic committed to the initiative signals how seriously major AI labs are taking the dual-use nature of their models. By restricting Claude Mythos Preview to a vetted coalition rather than releasing it broadly, Anthropic gets to demonstrate responsible deployment while building deep relationships with enterprise security teams.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.