Anthropic says Project Glasswing used Claude Mythos Preview to find more than 10,000 high- and critical-severity vulnerabilities in critical infrastructure and open-source software. Here is what it means for users, developers and security teams.
Last checked: May 31, 2026. This article relies on Anthropic's Project Glasswing launch page and May 22 initial update, plus official CISA guidance for vulnerability management. Details for many vulnerabilities remain withheld while fixes and disclosures are coordinated.
Quick answer
Anthropic says its defensive cybersecurity initiative, Project Glasswing, has used a restricted unreleased model called Claude Mythos Preview to find more than 10,000 high- or critical-severity vulnerabilities across systemically important software in its first month.
The most important takeaway is not that every user should panic. It is that AI-assisted vulnerability discovery is now moving faster than traditional verification, disclosure and patching workflows. The bottleneck is shifting from "Can we find the bug?" to "Can we validate, prioritize, fix, test and deploy the patch before attackers can exploit similar weaknesses?"
Anthropic says the early work has included old and high-impact flaws, including a 27-year-old vulnerability in OpenBSD, a 16-year-old issue in FFmpeg and a Linux kernel vulnerability chain. Anthropic also says those specific examples were reported to maintainers and patched.
What Project Glasswing is
Project Glasswing is Anthropic's effort to use advanced AI defensively before similar capabilities become widely available to attackers. The initiative gives selected partners access to Claude Mythos Preview for controlled vulnerability discovery across critical software, first-party systems and open-source projects.
Anthropic's launch materials named Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks among the launch partners. Anthropic also said it extended access to more organizations that build or maintain important software infrastructure.
The project has three practical goals:
- Find serious vulnerabilities before adversaries do.
- Coordinate disclosure and patching with maintainers and affected organizations.
- Learn how society should manage AI systems that can discover and help exploit software flaws.
That last point matters. Project Glasswing is not only a bug-hunting story. It is a warning about where frontier AI capabilities are heading.
What Claude Mythos Preview is
Claude Mythos Preview is not a public model. Anthropic describes it as an unreleased frontier model with unusually strong coding, reasoning and cybersecurity capabilities.
According to Anthropic, Mythos Preview can find vulnerabilities, reason through exploitability and, in controlled settings, construct working exploit chains. That is why Anthropic says the model remains restricted and why it is being used in a defensive program rather than released as a normal product.
For readers, the key distinction is this:
| Term | Meaning |
|---|---|
| Project Glasswing | The defensive initiative and partner program |
| Claude Mythos Preview | The unreleased model Anthropic says powers much of the scanning |
| Vulnerability discovery | Finding a potential software weakness |
| Validation | Proving the finding is real, reproducible and security-relevant |
| Remediation | Fixing, testing, shipping and monitoring the patch |
What Anthropic says it found
Anthropic's May 22 update says Project Glasswing and about 50 partners used Mythos Preview to find more than 10,000 high- or critical-severity vulnerabilities across important software in the first month.
The open-source scan numbers are more detailed:
| Metric from Anthropic's update | Reported figure |
|---|---|
| Open-source projects scanned | More than 1,000 |
| Total candidate findings in open source | 23,019 |
| Estimated high- or critical-severity open-source findings | 6,202 |
| High/critical-rated findings assessed so far | 1,752 |
| Assessed findings that were valid true positives | 1,587, or 90.6% |
| Assessed findings confirmed high or critical | 1,094, or 62.4% |
Those numbers need careful reading. They do not mean every finding is already publicly confirmed, publicly exploitable or patched. They mean Anthropic's early process is producing a very large stream of candidate and validated issues, with independent security research firms helping assess a sample of the highest-rated results.
That is still significant. A normal vulnerability program can be overwhelmed by dozens of high-quality reports. A frontier model producing thousands changes the operating model for maintainers, vendors and national cyber agencies.
Why FFmpeg and OpenBSD matter
The examples Anthropic highlighted are important because they sit deep in the software stack.
FFmpeg is widely used to encode, decode and process audio and video. It can appear directly in desktop apps, cloud services, video workflows, streaming pipelines, mobile apps and embedded products. A flaw in a heavily reused media component can matter far beyond people who knowingly installed FFmpeg.
OpenBSD is known for security-focused engineering and is used in infrastructure contexts, including firewall and network systems. A 27-year-old flaw in a security-hardened operating system is a reminder that even mature, respected codebases can carry old assumptions that newer tools may challenge.
Anthropic also described a Linux kernel vulnerability chain. Kernel issues matter because the kernel controls memory, processes, files, devices and privilege boundaries. A vulnerability chain can sometimes turn limited access into deeper system control, depending on the bug class and deployment context.
This article does not include exploit details. That is deliberate. For users and defenders, the useful lesson is about dependency visibility, patch capacity and coordinated disclosure, not how to reproduce a flaw.
Why users should not read this as instant disaster
Big vulnerability counts can sound like a breach headline. This is different.
Project Glasswing is a defensive disclosure and remediation program. Anthropic says the named examples were reported to maintainers and patched. For many other issues, the company has withheld details while fixes are being coordinated.
Also, a high- or critical-severity bug is not automatically reachable in every environment. Real-world risk depends on whether the affected component is present, exposed, configured in a vulnerable way, reachable by an attacker and missing compensating controls.
The right response is urgency, not panic:
- Users should update software from official vendors.
- Developers should inventory dependencies and watch upstream advisories.
- Organizations should reduce the time between confirmed vulnerability and deployed fix.
- Maintainers should expect AI-assisted reports to increase and prepare triage capacity.
The real shift: fixing speed is now the bottleneck
Anthropic's central message is that software security used to be limited by finding new vulnerabilities. In the AI era, it may be limited by how quickly the ecosystem can verify, disclose and patch what AI finds.
That shift changes what security leaders should measure. Counting discovered vulnerabilities is no longer enough. Teams need to track:
- Time from AI report to human validation.
- Time from validation to owner assignment.
- Time from owner assignment to patch.
- Time from patch to tested release.
- Time from release to customer or fleet deployment.
- Percentage of serious issues that remain unpatched after agreed deadlines.
In practical terms, the organizations that win will be the ones with clean asset inventories, good logs, reliable release processes, automated testing and authority to patch high-risk systems quickly.
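The timers listed above only become useful once they are computed from the same ticket data every week. The script below is an added example, not code from Anthropic, Project Glasswing or CISA: it takes a list of findings with the moment each entered a stage, computes median hours per transition, the current queue depth per stage, and the share of high or critical findings past an agreed deadline. The six stage names, the record layout, the 30-day deadline and all four sample findings are assumptions constructed for illustration.

```python
"""Remediation stage timers for a stream of AI-discovered findings.

Added example; not code from Anthropic, Project Glasswing or CISA. The
six stage names, the record layout and the 30-day deadline are assumptions
chosen for illustration, and every finding below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

STAGES = ["reported", "validated", "assigned", "patched", "released", "deployed"]
TRANSITIONS = list(zip(STAGES, STAGES[1:]))
SERIOUS = {"critical", "high"}


@dataclass
class Finding:
    finding_id: str
    severity: str
    timestamps: Dict[str, datetime]  # stage -> moment the finding entered it

    def current_stage(self) -> str:
        """Furthest pipeline stage reached so far (stages are entered in order)."""
        return [s for s in STAGES if s in self.timestamps][-1]


def stage_durations(finding: Finding) -> Dict[str, Optional[float]]:
    """Hours spent in each transition; None where the finding has not got that far."""
    out = {}
    for start, end in TRANSITIONS:
        ts = finding.timestamps
        if start in ts and end in ts:
            out[f"{start}->{end}"] = (ts[end] - ts[start]).total_seconds() / 3600
        else:
            out[f"{start}->{end}"] = None
    return out


def median_stage_hours(findings: List[Finding]) -> Dict[str, Optional[float]]:
    """Median hours per transition across the findings that completed it."""
    samples = {f"{a}->{b}": [] for a, b in TRANSITIONS}
    for f in findings:
        for key, hours in stage_durations(f).items():
            if hours is not None:
                samples[key].append(hours)
    return {k: (median(v) if v else None) for k, v in samples.items()}


def backlog_by_stage(findings: List[Finding]) -> Dict[str, int]:
    """How many findings are currently sitting in each stage (queue depth)."""
    counts = {s: 0 for s in STAGES}
    for f in findings:
        counts[f.current_stage()] += 1
    return counts


def overdue_fraction(findings: List[Finding], now: datetime,
                     deadline_days: int = 30, done_stage: str = "deployed") -> float:
    """Share of high/critical findings past the agreed deadline and still not deployed."""
    serious = [f for f in findings if f.severity in SERIOUS]
    if not serious:
        return 0.0
    overdue = 0
    for f in serious:
        deadline = f.timestamps["reported"] + timedelta(days=deadline_days)
        if done_stage not in f.timestamps and now > deadline:
            overdue += 1
    return overdue / len(serious)


# Constructed sample data: four findings at different points in the pipeline.
T0 = datetime(2026, 5, 1, 9, 0)


def _at(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


SAMPLE_FINDINGS = [
    Finding("GW-0001", "critical", {"reported": _at(0), "validated": _at(4), "assigned": _at(6),
                                    "patched": _at(30), "released": _at(54), "deployed": _at(78)}),
    Finding("GW-0002", "high", {"reported": _at(0), "validated": _at(8), "assigned": _at(20),
                                "patched": _at(68), "released": _at(92)}),  # shipped, fleet not updated
    Finding("GW-0003", "high", {"reported": _at(24), "validated": _at(48)}),  # validated, no owner yet
    Finding("GW-0004", "medium", {"reported": _at(24), "validated": _at(30), "assigned": _at(36)}),
]
SAMPLE_NOW = T0 + timedelta(days=35)   # the moment the report is run

if __name__ == "__main__":
    print(median_stage_hours(SAMPLE_FINDINGS))
    print(backlog_by_stage(SAMPLE_FINDINGS))
    print(f"overdue high/critical: {overdue_fraction(SAMPLE_FINDINGS, SAMPLE_NOW):.0%}")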
What security teams should do now
Start by treating AI-discovered vulnerabilities as an intake problem. If thousands of reports arrive, the first failure mode is not technical depth. It is queue collapse.
Security teams should build or refine a process with clear stages:
| Stage | What to decide |
|---|---|
| Intake | Is the report in scope, complete and safe to handle? |
| Reproduction | Can the team confirm the issue without publishing exploit detail? |
| Exposure | Which products, services, customers or environments are affected? |
| Priority | Is it internet-facing, privilege-changing, data-exposing or in a critical dependency? |
| Fix | Who owns the patch and what tests must pass? |
| Release | How fast can the update ship without breaking production? |
| Monitoring | What logs, detections or customer signals show attempted exploitation? |
Use AI to help summarize reports, cluster duplicates, draft patches, generate tests and map affected dependencies. Keep human review over exploit validation, severity decisions, production changes and public disclosure.
Also make vulnerability prioritization more contextual. CISA's Known Exploited Vulnerabilities catalog is useful because it focuses attention on flaws known to be exploited in the wild. Teams should combine that kind of signal with asset criticality, internet exposure, business impact, exploitability and compensating controls.
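The intake and priority stages above are where a queue of thousands either stays workable or collapses. The script below is an added example, not code from Anthropic, Project Glasswing or CISA: it clusters incoming reports by a normalized fingerprint so near-duplicates (same component, file and function, different line numbers or wording) become one ticket, then scores each cluster by combining the tool's severity with a known-exploited flag, internet exposure, privilege boundary, asset criticality and compensating controls. The report fields, fingerprint rule, weights and tier cut-offs are assumptions for illustration; the reports, contexts and the stand-in for a CISA KEV lookup are constructed, and the CVE string is a placeholder rather than a real identifier.

```python
"""Intake clustering and contextual prioritization for AI-generated reports.

Added example; not code from Anthropic, Project Glasswing or CISA. The report
fields, the fingerprint rule, the scoring weights and the tier cut-offs are
assumptions for illustration. The reports, contexts and the stand-in for a
CISA KEV lookup below are constructed; the CVE string is a placeholder, not
a real identifier.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Report:
    report_id: str
    component: str        # software component the tool reported against
    location: str         # "path/file:function[:line]" the tool points at
    bug_class: str        # e.g. "heap-overflow", as written by the tool
    model_severity: str   # severity the discovery tool assigned
    cve: str = ""         # CVE identifier if one already exists


@dataclass
class Context:
    """Deployment facts the model cannot know; supplied by the asset inventory."""
    internet_facing: bool
    asset_criticality: int        # 1 (low) .. 5 (crown jewel)
    privilege_boundary: bool      # flaw sits on a trust or privilege boundary
    compensating_controls: bool   # sandbox, seccomp, WAF etc. already in front of it


SEVERITY_POINTS = {"critical": 40, "high": 30, "medium": 15, "low": 5}


def _norm(s: str) -> str:
    return re.sub(r"[^a-z0-9]+", "-", s.lower()).strip("-")


def fingerprint(r: Report) -> str:
    """Stable identity for a bug so near-duplicate reports land in one cluster.

    Line numbers are dropped (foo.c:210 and foo.c:214 in the same function are
    one bug) and free-text bug classes are normalized before hashing."""
    location = re.sub(r":\d+$", "", r.location)
    raw = "|".join([_norm(r.component), _norm(location), _norm(r.bug_class)])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def cluster(reports: List[Report]) -> Dict[str, List[Report]]:
    groups: Dict[str, List[Report]] = {}
    for r in reports:
        groups.setdefault(fingerprint(r), []).append(r)
    return groups


def priority(r: Report, ctx: Context, kev: Set[str]) -> Tuple[str, int]:
    """Combine tool severity with exploitation evidence and deployment context."""
    score = SEVERITY_POINTS.get(r.model_severity, 0)
    if r.cve and r.cve in kev:
        score += 40                    # known exploited in the wild outranks any rating
    if ctx.internet_facing:
        score += 20
    if ctx.privilege_boundary:
        score += 15
    score += 5 * ctx.asset_criticality
    if ctx.compensating_controls:
        score -= 15                    # controls lower urgency; they never zero it
    score = max(score, 0)
    tier = "P1" if score >= 80 else "P2" if score >= 50 else "P3"
    return tier, score


def triage(reports: List[Report], contexts: Dict[str, Context], kev: Set[str]) -> List[dict]:
    """One row per cluster, highest priority first, with the duplicate count."""
    rows = []
    for fp, group in cluster(reports).items():
        rep = group[0]
        tier, score = priority(rep, contexts[rep.component], kev)
        rows.append({"id": rep.report_id, "fingerprint": fp, "duplicates": len(group) - 1,
                     "tier": tier, "score": score})
    return sorted(rows, key=lambda row: -row["score"])


# Constructed sample input. Contexts are keyed by component here for brevity;
# in practice key them by deployable, since one library ships in many places.
SAMPLE_REPORTS = [
    Report("R-101", "demo-media-lib", "src/codec/chunk.c:parse_chunk:210", "heap-overflow", "critical"),
    Report("R-102", "demo-media-lib", "src/codec/chunk.c:parse_chunk:214", "Heap Overflow", "critical"),
    Report("R-103", "demo-media-lib", "src/io/probe.c:sniff_format", "integer-overflow", "high",
           cve="CVE-0000-00001"),
    Report("R-104", "demo-admin-ui", "web/session.py:load_session", "auth-bypass", "high"),
]
SAMPLE_CONTEXTS = {
    "demo-media-lib": Context(internet_facing=True, asset_criticality=4,
                              privilege_boundary=False, compensating_controls=True),
    "demo-admin-ui": Context(internet_facing=True, asset_criticality=5,
                             privilege_boundary=True, compensating_controls=False),
}
SAMPLE_KEV = {"CVE-0000-00001"}   # placeholder; load the real CISA KEV feed in practice

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORTS, SAMPLE_CONTEXTS, SAMPLE_KEV):
        print(row)
```

Two things are worth keeping from this shape even if the weights change: the duplicate count stays attached to the cluster, so a hundred rephrasings of one bug raise its visibility rather than its ticket count, and the KEV signal is additive rather than a filter, so a flaw that is not yet in the catalog can still reach P1 on exposure and criticality alone.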
What developers and maintainers should do
Open-source maintainers and product engineering teams should expect more AI-assisted security reports. Some will be valuable. Some will be duplicates, false positives or incomplete. The goal is to reduce friction for the good reports without letting the queue become unmanageable.
Practical steps:
- Keep a clear security policy and disclosure contact in the repository.
- Use dependency manifests, SBOMs and release notes so downstream users can understand exposure.
- Add fuzzing, sanitizers and regression tests for parsers, media handlers, file formats, network inputs and privilege boundaries.
- Label duplicate and invalid reports consistently so future triage improves.
- Require tests for security patches, especially when AI proposes code changes.
- Avoid rushed fixes that only hide symptoms or introduce compatibility breaks.
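The fuzzing and regression-test point above is easiest to see on a small parser. The script below is an added example, not code from FFmpeg, OpenBSD, Anthropic or the page's sources: it parses a constructed chunk format (4-byte tag, 32-bit little-endian length, payload), rejects a length that exceeds the bytes remaining instead of silently truncating, keeps a regression corpus of hostile inputs, and runs a seeded mutation fuzzer that treats any exception other than the parser's own as a bug. The format, the 64 MiB chunk limit, the sample file and the hostile inputs are all assumptions constructed for illustration.

```python
"""A bounds-checked chunk parser with a regression corpus and a mutation fuzzer.

Added example; not code from FFmpeg, OpenBSD, Anthropic or the page's sources.
The chunk format (4-byte tag, 32-bit little-endian length, payload) and the
64 MiB chunk limit are assumptions chosen for illustration; the sample file
and the hostile inputs are constructed.
"""
import random
import struct
from typing import Dict, List, Tuple


class MalformedInput(ValueError):
    """The only exception the parser may raise on bad input; anything else is a bug."""


HEADER = struct.Struct("<4sI")      # tag, payload length
MAX_CHUNK = 64 * 1024 * 1024        # assumed policy limit; refuse absurd allocations


def parse_chunks(data: bytes) -> List[Tuple[bytes, bytes]]:
    chunks = []
    n, off = len(data), 0
    while off < n:
        if n - off < HEADER.size:
            raise MalformedInput(f"truncated header at offset {off}")
        tag, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if length > MAX_CHUNK:
            raise MalformedInput(f"chunk {tag!r} declares {length} bytes, over the limit")
        # Compare against the bytes that remain rather than computing off + length:
        # in Python a slice past the end silently returns a short payload, and in C
        # the addition itself can wrap, so this is the form to carry across languages.
        if length > n - off:
            raise MalformedInput(f"chunk {tag!r} declares {length} bytes, {n - off} remain")
        chunks.append((tag, bytes(data[off:off + length])))
        off += length
    return chunks


def build(chunks: List[Tuple[bytes, bytes]]) -> bytes:
    """Serialize chunks; used to construct well-formed test input."""
    return b"".join(HEADER.pack(tag, len(payload)) + payload for tag, payload in chunks)


VALID_SAMPLE = build([(b"HDR ", b"\x01\x00"), (b"DATA", bytes(range(16))), (b"END ", b"")])
LENGTH_FIELD_OFFSETS = [4, 14, 38]   # where the three length fields sit in VALID_SAMPLE


def regression_corpus() -> Dict[str, bytes]:
    """Hostile inputs that must be rejected with MalformedInput, never crash or truncate."""
    return {
        "truncated_header": VALID_SAMPLE[:-3],
        "length_past_end": HEADER.pack(b"DATA", 100) + b"\x00" * 10,
        "length_max_u32": HEADER.pack(b"DATA", 0xFFFFFFFF) + b"\x00" * 10,
    }


def rejects_all(corpus: Dict[str, bytes]) -> bool:
    """True when every corpus entry raises MalformedInput and nothing else."""
    for blob in corpus.values():
        try:
            parse_chunks(blob)
            return False          # accepted hostile input
        except MalformedInput:
            continue
    return True


def mutation_fuzz(seed: int, iterations: int) -> int:
    """Mutate the valid sample; return how many inputs produced an unexpected exception."""
    rng = random.Random(seed)
    unexpected = 0
    for _ in range(iterations):
        buf = bytearray(VALID_SAMPLE)
        op = rng.randrange(3)
        if op == 0:                                    # flip a few random bytes
            for _ in range(rng.randint(1, 4)):
                buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1:                                  # truncate at a random point
            del buf[rng.randrange(len(buf)):]
        else:                                          # attack a length field directly
            value = rng.choice([0, 0x7FFFFFFF, 0xFFFFFFFF, rng.randrange(1 << 32)])
            struct.pack_into("<I", buf, rng.choice(LENGTH_FIELD_OFFSETS), value)
        try:
            parse_chunks(bytes(buf))
        except MalformedInput:
            pass                                       # rejected cleanly, as intended
        except Exception:
            unexpected += 1
    return unexpected


if __name__ == "__main__":
    print(parse_chunks(VALID_SAMPLE))
    print("corpus rejected:", rejects_all(regression_corpus()))
    print("unexpected exceptions:", mutation_fuzz(seed=1, iterations=2000))
```

Every hostile input a fuzzer or an AI report turns up should go into the regression corpus, so the same bug cannot come back when a later patch touches the parser. In C, the same structure pairs with ASan and UBSan, which turn the silent out-of-bounds read that Python's slicing hides into a hard failure.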
For critical open-source projects, funding and maintainer time matter as much as tooling. If AI increases vulnerability volume by an order of magnitude, unpaid maintainers cannot be the only buffer between discovery and safety.
What everyday users should do
Most users cannot inspect FFmpeg, OpenBSD or kernel source code. They can still reduce risk.
Update operating systems, browsers, messaging apps, media apps, cloud storage clients and security tools. Many users encounter FFmpeg indirectly through video editors, media players, conferencing tools, streaming workflows or apps that process uploaded media.
Use official app stores and vendor update channels. Do not install unofficial "emergency patches" from forums, social posts or direct messages. When real fixes are available, they should come from the software vendor, operating system vendor, package manager or trusted administrator.
For home users and small businesses:
- Turn on automatic updates where practical.
- Remove apps and browser extensions you do not use.
- Back up important files before major updates.
- Use MFA or passkeys for email, banking, cloud storage and admin accounts.
- Be careful with unexpected media files, archives and links.
What companies should check this week
If your organization runs software that processes files, media, user uploads, network traffic or untrusted input, assume AI-assisted vulnerability discovery will increase pressure on your patch process.
Useful checks:
- Do you know where FFmpeg, OpenSSL, wolfSSL, image libraries, PDF parsers and compression libraries are used?
- Can you quickly identify which products and containers include a vulnerable dependency?
- Do you have emergency patch windows for internet-facing and critical systems?
- Can you test and deploy fixes without waiting for a quarterly release cycle?
- Do you have an owner for each critical open-source dependency?
- Can you communicate clearly with customers if a serious vulnerability affects them?
Asset inventory is the foundation. Without it, a serious upstream advisory becomes a search exercise during a crisis.
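The SBOM advice in the developer section and the first two checks above come down to one query: given an advisory, which deployables ship an affected version, and how deep in the dependency tree does it sit? The script below is an added example, not code from any SBOM tool, Anthropic or CISA: it walks a set of constructed CycloneDX-style documents, matches the advised component against a version range, and reports whether the hit is a direct dependency or pulled in through another package. The library name "demo-media-lib", the version range, the SBOM contents and the simple numeric version comparison are assumptions for illustration; the library stands in for FFmpeg or any other widely reused component.

```python
"""Which deployables ship an affected dependency, and how deep, from SBOM data.

Added example; not code from any SBOM tool, Anthropic or CISA. The SBOMs,
the advisory and its version range are constructed, "demo-media-lib" is a
stand-in for any reused library, and version comparison is a simplified
numeric-tuple rule that is an assumption of this example.
"""
import json
import re
from collections import deque
from typing import Dict, List, Optional, Tuple


def _cdx(root_ref: str, root_name: str, components, dependencies) -> str:
    """Build a minimal CycloneDX-style document (constructed sample data)."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "bom-ref": root_ref, "name": root_name}},
        "components": [{"type": "library", "bom-ref": ref, "name": name, "version": ver}
                       for ref, name, ver in components],
        "dependencies": [{"ref": ref, "dependsOn": deps} for ref, deps in dependencies.items()],
    })


SBOMS = {
    "upload-transcoder": _cdx("app-transcoder", "upload-transcoder",
        [("lib-media", "demo-media-lib", "6.1.1"), ("lib-png", "libpng", "1.6.40")],
        {"app-transcoder": ["lib-media", "lib-png"]}),
    "meeting-recorder": _cdx("app-recorder", "meeting-recorder",
        [("py-wrap", "pymedia-wrapper", "2.3.0"), ("lib-media", "demo-media-lib", "5.1.4")],
        {"app-recorder": ["py-wrap"], "py-wrap": ["lib-media"]}),   # reached only via the wrapper
    "billing-api": _cdx("app-billing", "billing-api",
        [("lib-ssl", "openssl", "3.0.13"), ("lib-media", "demo-media-lib", "7.0.2")],
        {"app-billing": ["lib-ssl", "lib-media"]}),                  # already on a fixed version
    "static-site": _cdx("app-site", "static-site",
        [("lib-md", "markdown-it", "14.0.0")], {"app-site": ["lib-md"]}),
}

# Constructed advisory: affected if every constraint holds.
ADVISORY = {"component": "demo-media-lib", "affected": [(">=", "5.0.0"), ("<", "7.0.0")]}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric components only; suffixes like '-r2' fold into the tuple (assumption)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0}


def is_affected(version: str, constraints: List[Tuple[str, str]]) -> bool:
    return all(OPS[op](_cmp(parse_version(version), parse_version(bound)))
               for op, bound in constraints)


def dependency_depth(bom: dict, target_ref: str) -> Optional[int]:
    """Shortest path from the root component to target_ref (1 = direct dependency)."""
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, queue = {root}, deque([(root, 0)])
    while queue:
        ref, depth = queue.popleft()
        if ref == target_ref:
            return depth
        for child in edges.get(ref, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, depth + 1))
    return None   # listed in the SBOM but not reachable from the root


def exposed_deployables(sboms: Dict[str, str], advisory: dict) -> Dict[str, List[dict]]:
    """Map each affected deployable to the matching components and their depth."""
    exposure = {}
    for deployable, raw in sboms.items():
        bom = json.loads(raw)
        hits = []
        for c in bom.get("components", []):
            if c.get("name") == advisory["component"] and is_affected(c.get("version", "0"),
                                                                       advisory["affected"]):
                hits.append({"name": c["name"], "version": c["version"],
                             "depth": dependency_depth(bom, c.get("bom-ref"))})
        if hits:
            exposure[deployable] = hits
    return exposure


if __name__ == "__main__":
    for deployable, hits in exposed_deployables(SBOMS, ADVISORY).items():
        print(deployable, hits)
```

The depth matters for the fix, not just the finding: a direct dependency is bumped in the service's own manifest, while a transitive one means waiting on, or pinning past, the intermediate package. Real SBOMs carry `purl` identifiers and vendor-specific version schemes, so production tooling should match on purl and use a scheme-aware comparator rather than the numeric rule used here.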
The risks behind the breakthrough
Project Glasswing is defensive, but the capability it demonstrates has dual-use risk.
The main risks are:
- Offensive misuse: Similar models could help attackers find, chain or operationalize bugs faster.
- Disclosure pressure: Maintainers may receive more valid reports than they can safely fix.
- False positives: Even a strong true-positive rate still produces noise at large scale.
- Patch quality: Fast fixes can create regressions or incomplete remediation.
- Maintainer burnout: Open-source projects may become overloaded without funding and support.
- Uneven defense: Large vendors may absorb AI-generated reports faster than smaller projects can.
The best answer is not to ignore AI vulnerability discovery. It is to pair it with controlled access, careful disclosure, funding for maintainers, better prioritization and stronger patch engineering.
FAQ
Did Anthropic say Project Glasswing found more than 10,000 vulnerabilities?
Yes. Anthropic's May 22, 2026 update says Project Glasswing and approximately 50 partners used Claude Mythos Preview to find more than 10,000 high- or critical-severity vulnerabilities across systemically important software.
Are the FFmpeg and OpenBSD vulnerabilities already patched?
Anthropic says the highlighted OpenBSD, FFmpeg and Linux kernel examples were reported to maintainers and have been patched. Users should still rely on official vendor and package updates rather than unofficial fixes.
Is Claude Mythos Preview available to the public?
No. Anthropic describes Claude Mythos Preview as an unreleased model. The company says it is being used in restricted defensive work because of the cybersecurity capabilities it observed.
Does this mean AI can replace security researchers?
No. AI can increase discovery speed, but humans still need to validate findings, judge severity, coordinate disclosure, review patches, test releases and make risk decisions.
What should organizations measure now?
Measure remediation speed: time to validate, assign, patch, test, deploy and confirm fixes. In an AI-discovery environment, a growing unpatched backlog can become the real risk.
Bottom line
Project Glasswing is a preview of a new cybersecurity operating model. Advanced AI can find serious software flaws at a scale that traditional processes were not built to handle.
For users, the answer is to update through trusted channels. For developers, it is to improve dependency visibility and testing. For security teams, it is to build a remediation pipeline that can handle machine-speed discovery without losing human accountability.
Sources
- Anthropic Project Glasswing launch page: anthropic.com/glasswing
- Anthropic initial Project Glasswing update, May 22, 2026: anthropic.com/research/glasswing-initial-update
- Anthropic red-team blog on Mythos Preview: red.anthropic.com/2026/mythos-preview
- CISA Known Exploited Vulnerabilities catalog: cisa.gov/known-exploited-vulnerabilities-catalog
- CISA Secure by Design: cisa.gov/securebydesign
- CISA Secure Our World videos: cisa.gov/secure-our-world/videos