TL;DR

Anthropic’s Project Glasswing gave roughly 50 organizations access to Claude Mythos Preview — an unreleased frontier model that scores 83.1% on CyberGym and 93.9% on SWE-bench Verified. In eight weeks, those organizations found over 10,000 high- or critical-severity vulnerabilities in operating systems, browsers, cryptographic libraries, and infrastructure software. On June 2, Anthropic expanded the program to 150 more organizations in 15+ countries. The model won’t be released publicly. Here’s what that means.

From 500 Bugs to 10,000

Back in April, I wrote about Claude finding 500 zero-days using a bash-script pipeline that Nicholas Carlini built by asking Claude to write its own vulnerability-hunting agent. That was one researcher with a VM and standard tools.

Project Glasswing is what happens when you take that same capability and hand it to AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, NVIDIA, and Palo Alto Networks, backed by a model significantly more capable than what Carlini had.

The jump from 500 to 10,000 comes mainly from model capability, not headcount. Claude Mythos Preview outperforms the Opus 4.6 model Carlini used by 16.5 percentage points on CyberGym (83.1% vs. 66.6%) and 13.1 points on SWE-bench Verified (93.9% vs. 80.8%). Mythos finds classes of bugs that older models couldn’t see.

  • 10,000+ high/critical vulnerabilities
  • 90.6% true positive rate
  • 1,000+ open-source projects scanned
  • 200+ partner organizations

What Project Glasswing Actually Is

Anthropic announced Project Glasswing in early April 2026 with a simple premise: frontier AI models have gotten good enough at finding software vulnerabilities that the only question is whether defenders or attackers use them first.

The program gives vetted organizations access to Claude Mythos Preview, a general-purpose model Anthropic describes as its most capable ever. Partners use it for codebase scanning, patch generation, penetration testing, threat detection, and rebuilding legacy code in memory-safe languages. Each organization must meet Anthropic’s security requirements before gaining access.

Anthropic committed $100 million in Mythos usage credits, plus $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, and $1.5 million to the Apache Software Foundation. The launch partners read like a who’s-who of tech infrastructure: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks (Anthropic itself rounds out the 12).

Anthropic estimates that for most Glasswing partners, a successful attack on their systems “could affect more than 100 million people.”

Mythos vs. Everything Else

The benchmark gap between Mythos Preview and the publicly available Opus 4.6 model is wide. Mythos is a general-purpose frontier model, not a narrowly fine-tuned security scanner. It happens to be radically better at finding exploitable code paths.

| Benchmark | Mythos Preview | Opus 4.6 | Gap |
|---|---|---|---|
| CyberGym (Vulnerability Reproduction) | 83.1% | 66.6% | +16.5 pts |
| SWE-bench Pro | 77.8% | 53.4% | +24.4 pts |
| SWE-bench Verified | 93.9% | 80.8% | +13.1 pts |
| Terminal-Bench 2.0 | 82.0% | 65.4% | +16.6 pts |
| GPQA Diamond | 94.6% | 91.3% | +3.3 pts |

The SWE-bench Pro gap is the one that caught my eye. Going from 53.4% to 77.8% on a benchmark that tests real-world software engineering tasks (with vulnerability hunting as a subset) means Mythos can trace complex interaction patterns across large codebases, the kind of multi-file reasoning where simpler models lose the thread.

The UK AI Security Institute independently tested Mythos and reported it was the first model to solve both of their cyber range simulations end-to-end. XBOW, a security evaluation firm, called it “a significant step up over all existing models” with “absolutely unprecedented precision.”

The Bugs: Specific Finds Worth Knowing About

The aggregate numbers are impressive but abstract. The individual findings put them in context.

A 27-year-old OpenBSD remote crash. Mythos found a flaw in OpenBSD that had survived since 1999. Triggering it crashes the system remotely. OpenBSD is used in firewalls and security-sensitive infrastructure precisely because of its reputation for audited, clean code. Twenty-seven years of manual review missed this.

FFmpeg had a vulnerability that survived 5 million automated test executions over 16 years. Fuzzing, the standard approach for finding memory safety bugs in C code, never triggered it. Mythos identified the vulnerable path through code reasoning rather than random input generation.

WolfSSL certificate forgery (CVE-2026-5194). Mythos constructed a working exploit against the wolfSSL cryptographic library that allows an attacker to forge TLS certificates. In practice, that means hosting a fake banking website that passes certificate validation, the kind of bug that gets its own CVE and an emergency patch cycle.

Mozilla pointed Mythos at Firefox 150 and got 271 vulnerabilities in a single scan. Claude Opus 4.6 found roughly a tenth of that scanning Firefox 148. The 10x jump aligns with the benchmark gap: Mythos can trace execution paths through complex C++ codebases where older models lose the thread.

Cloudflare’s results were even more striking. Mythos found 2,000 vulnerabilities in their codebase, 400 of which were high or critical severity. Their security team noted the false positive rate was “better than human testers.” Cloudflare handles roughly 20% of all web traffic, so every critical bug in their stack is a potential incident affecting hundreds of millions of users.

The Open-Source Audit

Beyond the partner organizations, Mythos Preview scanned over 1,000 open-source projects. Anthropic’s initial update breaks down the results:

  • 23,019 total findings across all severity levels
  • 6,202 estimated high or critical severity
  • 1,752 vulnerabilities independently validated by six security research firms
  • 90.6% true positive rate (1,587 of 1,752 confirmed real)
  • 62.4% of validated findings confirmed as high or critical severity
  • Projected total: nearly 3,900 high/critical bugs across the scanned open-source projects

Security scanners, including commercial tools from Veracode, Snyk, and Checkmarx, are notorious for false positive rates that can exceed 50%. A tool that’s right nine times out of ten and operates at this speed would already change how security teams work even if it weren’t finding novel zero-days. The AI bug bounty crisis already showed that AI-generated vulnerability reports are overwhelming existing programs — Glasswing’s 90.6% accuracy rate is the difference between a useful signal and a noise flood.

The Patching Bottleneck

Mythos can find bugs orders of magnitude faster than any team can fix them.

From Anthropic’s data: of 530 reported high or critical vulnerabilities in open-source projects, only 75 have been patched. Just 65 received public advisories. The average patching time for those that did get fixed: about two weeks.

That’s a 14% patch rate. The other 86% of confirmed critical bugs are sitting in production code right now, disclosed to maintainers, waiting for someone to write a fix.

Most open-source projects are maintained by volunteers or small teams with day jobs. When your project suddenly receives 50 high-severity vulnerability reports from an AI model, the backlog doesn’t clear itself. The standard 90-day disclosure window — already under strain from the 500 zero-days Carlini’s team found — is now facing a volume problem it was never designed for.

Anthropic’s response has been to fund open-source maintenance directly ($2.5M to OpenSSF, $1.5M to Apache) and to extend patching support through the Glasswing partners. But the structural gap between AI-speed discovery and human-speed remediation is a problem that money alone doesn’t solve.

The June Expansion: 150 New Organizations

On June 2, Anthropic announced the expansion of Glasswing to roughly 150 new organizations in more than 15 countries. The total program now covers about 200 partners.

The expansion targets industries that weren’t well represented in the initial launch: power utilities, water systems, healthcare providers, communications infrastructure, and hardware manufacturers. These are sectors where a vulnerability in a single vendor’s SCADA system or medical device firmware has physical-world consequences.

Each new partner goes through Anthropic’s security vetting before receiving Mythos access. The screening exists for an obvious reason: the same model that finds vulnerabilities to patch them could, in the wrong hands, find vulnerabilities to exploit. Given that AI coding tools already leak secrets at 2x the rate of manual code, the access controls around a model this capable are a genuine concern.

Why You Can’t Have Mythos

Anthropic has been explicit: Claude Mythos Preview won’t be released to the general public. The program page states the model is withheld due to “the absence of safeguards sufficient to prevent serious misuse.”

Every other frontier model (GPT-5.5, Gemini 3.1, even Anthropic’s own Opus 4.8) is commercially available. Mythos sits behind a gate because its vulnerability-finding capabilities are dangerous enough that unrestricted access would hand the same power to attackers.

The planned path forward involves two pieces. First, Anthropic launched Claude Security alongside the Glasswing expansion: a product built on Claude Opus 4.8 and other frontier models that provides codebase scanning and patch suggestions. It’s the public-facing version — less capable than Mythos, but available to a broader audience. Second, Anthropic is developing a Cyber Verification Program that would grant Mythos-class capabilities to vetted security professionals through a structured verification process.

Post-research pricing for Mythos access sits at $25 per million input tokens and $125 per million output tokens. That’s about 5x what Opus 4.8 costs ($5/$25 per MTok), but for organizations scanning million-line codebases, the cost per bug found is still far below hiring an equivalent team of human security researchers.

If you’re not in the Glasswing program, Claude Security with Opus 4.8 is the closest you can get today. A basic vulnerability scan through the API looks like this:

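import anthropic

# The client reads the API key from the ANTHROPIC_API_KEY environment variable.
client = anthropic.Anthropic()

# Load the C source file to audit.
with open("src/auth.c", "r", encoding="utf-8") as f:
    source_code = f.read()

# Send the whole file in a single user message, wrapped in a code fence.
response = client.messages.create(
    model="claude-opus-4-8-20260528",
    max_tokens=4096,
    messages=[{
        "role": "user",
        "content": (
            "Audit this C source file for security vulnerabilities. "
            "For each finding, report: severity (critical/high/medium/low), "
            "the vulnerable line range, CWE classification, a proof-of-concept "
            "trigger if possible, and a suggested fix.\n\n"
            f"```c\n{source_code}\n```"
        ),
    }],
)
# The reply is a list of content blocks; the first block holds the text report.
print(response.content[0].text)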

This won’t match Mythos on novel zero-day discovery in complex codebases, but it catches common vulnerability patterns (buffer overflows, injection flaws, use-after-free) faster than manual code review.
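A scan like this is only useful if its findings can be checked mechanically before a human triages them. The following is an added example, not code from the original post or from Anthropic: it assumes the prompt is changed to ask for a JSON array, and the field names (severity, start_line, end_line, cwe, summary), the sample file and the sample reply are all constructed for illustration.

```python
import json
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
CWE_RE = re.compile(r"^CWE-\d{1,4}$")

# Constructed sample input: a 5-line C file and a constructed model reply.
SAMPLE_SOURCE = """int check(const char *pw) {
    char buf[16];
    strcpy(buf, pw);
    return strcmp(buf, "secret") == 0;
}
"""
SAMPLE_REPLY = json.dumps([
    {"severity": "Medium", "start_line": 4, "end_line": 4, "cwe": "CWE-798", "summary": "hard-coded credential"},
    {"severity": "high", "start_line": 2, "end_line": 3, "cwe": "CWE-121", "summary": "unbounded strcpy into stack buffer"},
    {"severity": "high", "start_line": 2, "end_line": 3, "cwe": "CWE-121", "summary": "same issue, reworded"},
    {"severity": "critical", "start_line": 40, "end_line": 42, "cwe": "CWE-416", "summary": "cites lines that do not exist"},
])

def triage(model_reply, source_code):
    """Split a JSON reply (hypothetical schema) into (accepted, rejected) findings."""
    total_lines = len(source_code.splitlines())
    try:
        findings = json.loads(model_reply)
    except json.JSONDecodeError:
        findings = None
    if not isinstance(findings, list):
        return [], [{"reason": "reply is not a JSON array"}]
    accepted, rejected, seen = [], [], set()
    for f in findings:
        reason = None
        if not isinstance(f, dict) or str(f.get("severity", "")).lower() not in SEVERITY_RANK:
            reason = "missing or unknown severity"
        elif not CWE_RE.match(str(f.get("cwe", ""))):
            reason = "malformed CWE id"
        elif not (type(f.get("start_line")) is int and type(f.get("end_line")) is int
                  and 1 <= f["start_line"] <= f["end_line"] <= total_lines):
            reason = "line range outside the file"  # the finding cites code that is not there
        elif (f["cwe"], f["start_line"], f["end_line"]) in seen:
            reason = "duplicate of an earlier finding"
        if reason:
            rejected.append({"finding": f, "reason": reason})
            continue
        seen.add((f["cwe"], f["start_line"], f["end_line"]))
        accepted.append({**f, "severity": str(f["severity"]).lower()})
    accepted.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["start_line"]))  # worst first
    return accepted, rejected
```

Passing these checks only shows that a finding is well formed and points at real lines; whether the bug is real still needs a reviewer.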

What This Changes

I’ve been following AI vulnerability research since Carlini’s 500-bug paper in February, and covering Anthropic’s approach to agentic coding in parallel. The progression has been fast enough to feel unsettling. In February, one researcher found 500 bugs with a bash script. By April, 50 organizations found 10,000. By June, 200 organizations are scanning critical infrastructure across 15 countries.

The speed of discovery is no longer the constraint; patching is. The 86% of critical open-source bugs still sitting unpatched tell you everything about where the bottleneck actually sits. Every dollar Anthropic puts into OpenSSF and Apache does more good, right now, than the next benchmark improvement to Mythos itself.

Security teams at companies large enough to get Glasswing access are already seeing the value. Cloudflare’s “better than human testers” assessment isn’t hyperbole when you compare it to the false positive rates of commercial scanners.

The rest of us have Claude Security on Opus 4.8 as the near-term option. It won’t match Mythos on novel zero-day discovery, but it catches known vulnerability patterns faster than a manual audit. And if the Cyber Verification Program ships in a usable form, independent security researchers may eventually get Mythos-class tooling too.

The best vulnerability-finding AI in the world exists today, and most of the software it would find bugs in doesn’t have maintainers with the bandwidth to fix them. Project Glasswing is producing real fixes at the top of the stack (Cloudflare, Mozilla, the Linux kernel) while the long tail of open-source projects struggles to absorb the flood.

FAQ

What is Project Glasswing?

Project Glasswing is Anthropic’s cybersecurity initiative that provides vetted organizations with access to Claude Mythos Preview, an unreleased frontier AI model, to find and fix critical software vulnerabilities. It launched in April 2026 with about 50 partners and expanded to 200+ organizations in June 2026. Anthropic committed $100M in usage credits and additional funding to open-source foundations.

How many vulnerabilities did Claude Mythos find?

Over 10,000 high- or critical-severity vulnerabilities in the first eight weeks across partner organizations. In open-source software specifically, scanning 1,000+ projects produced 23,019 total findings, with an estimated 6,202 at high or critical severity. Independent validation by six security firms confirmed a 90.6% true positive rate.

Which companies are in Project Glasswing?

The 12 launch partners are Anthropic itself plus AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The June 2026 expansion added roughly 150 organizations across power, water, healthcare, communications, and hardware sectors in 15+ countries.

Is Claude Mythos available to the public?

No. Anthropic has stated Claude Mythos Preview won’t be released publicly due to the absence of safeguards against misuse. Anthropic offers Claude Security (built on Opus 4.8) as a publicly available alternative for codebase scanning. A Cyber Verification Program for independent security professionals is in development.

How does Claude Mythos compare to other AI models at finding vulnerabilities?

Mythos Preview scores 83.1% on CyberGym (vs. 66.6% for Opus 4.6), 93.9% on SWE-bench Verified (vs. 80.8%), and was the first model to solve both UK AI Security Institute cyber range simulations end-to-end. Mozilla reported Mythos found roughly 10x more vulnerabilities in Firefox than Opus 4.6 did.

Bottom Line

Project Glasswing proves that AI-driven vulnerability discovery at scale already works. The 10,000-bug count from 50 organizations in eight weeks is real, validated, and growing. The harder question is who patches 10,000 bugs when most maintainers can barely keep up with their existing backlog. Anthropic is spending money in the right places (OpenSSF, Apache), but the gap between discovery speed and fix speed is the actual frontier now, and closing it will take more than a bigger model.