- AI vulnerability scanning by Anthropic’s Claude Mythos has uncovered more than 10,000 critical flaws in just one month.
- AI vulnerability scanning has shifted the bottleneck in cybersecurity from finding bugs to verifying and patching them fast enough.
- Cloudflare found 2,000 bugs using Mythos Preview, with a false positive rate better than human testers.
- Over 1,500 open-source vulnerabilities have been independently verified as true positives, with 62% confirmed critical or high severity.
- AI vulnerability scanning by Anthropic’s Claude Mythos has uncovered more than 10,000 critical flaws in just one month.
- AI vulnerability scanning has shifted the bottleneck in cybersecurity from finding bugs to verifying and patching them fast enough.
- Cloudflare found 2,000 bugs using Mythos Preview, with a false positive rate better than human testers.
- Over 1,500 open-source vulnerabilities have been independently verified as true positives, with 62% confirmed critical or high severity.
AI Vulnerability Scanning Just Rewrote the Rules of Cybersecurity
Anthropic’s AI vulnerability scanning initiative, Project Glasswing, has produced early results that are difficult to overstate. In roughly one month of operation, the project and its approximately 50 industry partners have used Claude Mythos Preview — Anthropic’s most capable model yet — to surface more than 10,000 high- or critical-severity vulnerabilities across the software that keeps the modern internet running. That’s not a year’s worth of work. That’s one month.
To understand why that matters, you have to appreciate how slow traditional security research has always been. Finding a serious bug in a large, complex codebase typically requires skilled human researchers spending days or weeks hunting through millions of lines of code. Historically, the constraint on improving software security was simple: you could only fix vulnerabilities as fast as humans could find them. AI vulnerability scanning has flipped that constraint entirely. The bottleneck now isn’t discovery — it’s the pipeline that comes after. Verification, coordinated disclosure, patch development, and deployment are suddenly the slow parts of a process that the discovery phase used to dominate.
That’s a genuinely strange position for the industry to find itself in, and it has real implications for how security teams need to be structured and funded going forward. The Cybersecurity and Infrastructure Security Agency (CISA) has long emphasized that faster vulnerability identification must be matched by equally rapid remediation capacity — a challenge Project Glasswing is now making urgent at scale.
What the Partner Results Actually Show
Glasswing’s initial partners are not small players. They build and maintain infrastructure that billions of people depend on daily — the kind of software where a single exploited vulnerability can cascade across industries. After one month, most partners have individually found hundreds of critical- or high-severity bugs in their own code. Collectively, the tally exceeds 10,000.
The Cloudflare numbers are particularly striking. The company found 2,000 bugs total, 400 of which were classified as high- or critical-severity, across their critical-path systems. Crucially, Cloudflare’s team assessed Mythos Preview’s false positive rate as better than human testers. That’s a significant claim. False positives are a persistent problem in automated security tooling — they create alert fatigue and waste engineering time. If Mythos is genuinely outperforming humans on precision, that changes the cost-benefit calculation for AI-assisted security work considerably.
Several partners have reported that their rate of bug discovery has increased by more than a factor of ten. Palo Alto Networks’ most recent software release included over five times as many patches as a typical release. Microsoft has publicly stated that its patch volumes will
Source: https://www.anthropic.com/research/glasswing-initial-update
