On May 22, Anthropic published the first results from Project Glasswing, the program that applies its unreleased Claude Mythos Preview model to vulnerability discovery across critical software. Per Anthropic’s update, approximately fifty partner organizations using Mythos Preview have collectively found more than ten thousand high- or critical-severity vulnerabilities in the first month.

What the numbers say

Anthropic puts the validation rate at 90.6% — 1,587 confirmed true positives in a representative review sample. An estimated 6,202 high- or critical-severity issues were identified across more than 1,000 open-source projects in the same period.

Two named cases anchor the report. Per Anthropic, Cloudflare ran Mythos Preview against its critical-path systems and surfaced 2,000 bugs, 400 of them high- or critical-severity; Cloudflare’s team rates the false-positive rate better than its human testers. Mozilla fixed 271 vulnerabilities in Firefox 150 during Mythos Preview testing.

The bottleneck moved

The line worth quoting in full is Anthropic’s own: “Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it’s limited by how quickly we can verify, disclose, and patch them.” Open-source maintainers in the program report capacity constraints averaging two weeks of human work per high- or critical-severity bug, and some have asked Anthropic to slow disclosure.

Money and access

Anthropic committed $100 million in Mythos Preview usage credits across these efforts plus $4 million in direct donations to open-source security organizations. Mythos Preview itself is not publicly available; Anthropic states it has not released Mythos-class models because safeguards remain insufficient.

The asymmetry between fast finding and unchanged patching is taken up in AI found the bugs faster than we can patch them.