Project Glasswing: How Claude Mythos Found Over 10,000 Critical Vulnerabilities in the World's Most Important Software

2026-05-01 · ~3 min · Industry

May 22, 2026 — Anthropic releases the first update on Project Glasswing, a groundbreaking effort to use AI to secure critical software worldwide

The AI That Came to Defend

Imagine a security expert who can scan millions of lines of code and instantly point out where the most dangerous vulnerabilities hide. That's essentially what Anthropic's Project Glasswing is doing right now. Launched in April 2026, Project Glasswing is a collaborative effort with over 50 partner organizations to use Claude Mythos Preview — an unreleased model specifically designed for cybersecurity — to find vulnerabilities in the world's most systemically important software.

AI analyzing security vulnerabilities in critical software

The Numbers Are Staggering

After just one month, the results are remarkable:

Over 10,000 high- or critical-severity vulnerabilities found across 50+ partner organizations

Cloudflare discovered 2,000 bugs (400 high/critical) across their critical-path systems, with a false positive rate better than human testers

Mozilla found and fixed 271 vulnerabilities in Firefox 150 — more than 10x what they found in Firefox 148 with Claude Opus 4.6

Partners reported that their bug-finding rate increased by more than 10x

Mythos Preview: Outperforming Nearly Every Human

Claude Mythos Preview was purpose-built for security work, and external validation confirms its capabilities:

The UK AI Security Institute reports Mythos Preview is the first model to solve both of their cyber ranges (multi-step attack simulations) end-to-end

XBOW, an independent security testing platform, calls Mythos Preview a "significant step up over all existing models" with "absolutely unprecedented precision"

On the newly released ExploitBench and ExploitGym benchmarks, Mythos Preview ranks as the top performer

Open-source software vulnerabilities discovered by AI

Open Source: 90.6% True Positive Rate

Beyond partners, Anthropic scanned over 1,000 open-source projects that form the backbone of the internet. Mythos Preview estimated finding 6,202 high/critical vulnerabilities. When six independent security firms verified a sample of 1,752 of these:

90.6% were confirmed as true positives

62.4% were confirmed as genuinely high or critical severity

The wolfSSL Example

One of the most alarming discoveries was in wolfSSL, an open-source cryptography library used by billions of devices worldwide. Mythos Preview constructed an exploit that would let an attacker forge digital certificates — meaning they could create a fake bank or email website that looks perfectly legitimate to any user. This vulnerability was assigned CVE-2026-5194 and has been patched.

Collaborative vulnerability patching process

The New Problem: Finding Faster Than Fixing

Here's the paradox: the AI is so good at finding vulnerabilities that it's outpacing our ability to fix them.

Each high/critical bug takes an average of 2 weeks to patch

Open-source maintainers have asked Anthropic to slow down disclosures because they can't keep up

Of the 530 high/critical vulnerabilities reported so far, only 75 have been patched

Anthropic frames it this way: the bottleneck used to be finding vulnerabilities. Now the bottleneck has shifted to verifying, disclosing, and patching them.

Beyond Vulnerability Discovery

Mythos Preview isn't just finding bugs. At one Glasswing partner bank, it helped detect and prevent a fraudulent $1.5 million wire transfer after a threat actor compromised a customer's email account and made spoof phone calls.

What Comes Next

Anthropic recommends that during this transition period, everyone should:

Developers: Shorten patch cycles, use AI to assist with fixes

Network defenders: Accelerate patch testing and deployment, follow NIST and NCSC hardening guidelines

End users: Keep your software updated

The Bottom Line

Project Glasswing demonstrates that next-generation AI can be a powerful weapon for defenders — something never before possible. But it also reveals a critical structural problem: when AI can find vulnerabilities faster than humans can fix them, the entire security ecosystem needs to adapt. This is a turning point for cybersecurity — and it's just the beginning.

Source: Anthropic — Project Glasswing: An initial update