AI Hunts Security Vulnerabilities: 10,000+ CVEs Found in 1 Month with Claude Mythos

Project Glasswing: When AI Becomes a Security Hunter
In April 2026, Anthropic launched Project Glasswing, a collaborative program with approximately 50 partners to find security vulnerabilities in the world's most critical software. The primary tool: Claude Mythos Preview, an AI model specialized in security.
The results after one month forced the entire industry to reconsider: over 10,000 high or critical severity vulnerabilities discovered. Bug-finding speed increased tenfold compared to previous approaches.
The key insight: the bottleneck is no longer "where to find bugs." Now the challenge is how quickly vulnerabilities can be verified, reported, and patched.
Concrete Numbers From Partners
Cloudflare, one of the world's largest network infrastructure companies, detected 2,000 bugs in critical-path systems, with 400 vulnerabilities rated high or critical severity. The false positive rate was lower than manual human testing.
Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview. That is more than ten times what they found in Firefox 148 using Claude Opus 4.6.
Palo Alto Networks released patches at five times their usual volume. Microsoft also reported that new patch counts "will continue trending larger for some time."
Oracle found and patched vulnerabilities across all products and cloud services multiple times faster than before.
These aren't theoretical numbers. This is real data from companies operating global internet infrastructure.
Critical Vulnerabilities in Open Source
Anthropic scanned over 1,000 open-source projects with Mythos Preview. Results: 23,019 total vulnerabilities, with 6,202 rated high or critical severity.
Among 1,752 vulnerabilities assessed by independent security firms, 90.6% were true positives, a near-perfect accuracy rate. 62.4% were confirmed at high or critical severity.
One concrete example: Mythos Preview discovered a vulnerability in wolfSSL, an open-source cryptography library used by billions of devices worldwide. This flaw allowed attackers to forge certificates, making fake websites appear completely legitimate to users. The vulnerability was assigned CVE-2026-5194.
What Does This Mean for Developers?
1. Security Is No Longer Just the Security Team's Job
When AI can scan an entire codebase in hours, every developer needs basic security knowledge. Code reviews now must include security reviews.
2. Open Source Is Getting a Deep Clean
This is good news for the entire ecosystem. Thousands of libraries that everyone uses daily are about to become significantly more secure. But it also means that if you maintain an open-source project, you should prepare for a large wave of bug reports.
3. AI Attack and AI Defense
The flip side: if AI can find vulnerabilities, attackers can use similar AI. Research from arXiv (2605.22001) shows that "domain-camouflaged injection" attacks can evade security detectors with high success rates: detection rates dropped from 93.8% to 9.7% on some models.
This is an arms race. Defense must be faster than offense.
4. Security Workflows Need to Change
Instead of waiting for periodic audits, integrate security scanning into CI/CD pipelines. Tools like Snyk, Trivy, and now Mythos-class AI can run automatically on every commit.
The Limits: Not Everything Is Perfect
The research also reveals an important reality: vulnerabilities take an average of two weeks to patch even after confirmation. Some maintainers asked Anthropic to slow down reporting because they lacked capacity to handle the volume.
This is the open-source infrastructure dilemma: critical systems maintained by under-resourced teams. AI finds bugs fast, but humans patch slowly.
Moreover, some vulnerabilities require major architectural changes, not simple patches. Verifying fixes and ensuring patches don't cause regressions also takes significant time.
Practical Advice
- Check dependencies regularly. Use npm audit, pip-audit, or equivalent in CI pipelines.
- Track CVEs for libraries in use. Subscribe to security mailing lists of critical projects.
- Don't ignore low-severity bugs. Attackers can chain multiple small flaws into major attacks.
- Learn secure coding practices. OWASP Top 10 remains the best resource for developers.
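The CI/CD integration described above and the first piece of advice (npm audit / pip-audit in the pipeline) both come down to one step: turning audit output into a pass/fail decision that does not silently drop low-severity findings. The following gate is an added example, not code from the post or from Anthropic; it assumes the JSON shapes of `npm audit --json` (npm 7+) and `pip-audit --format json`, and the two samples are constructed, not real scan output.

```python
"""CI severity gate over dependency-audit JSON (added example, not from the post).

Assumed formats: `npm audit --json` (per-severity counts under
metadata.vulnerabilities) and `pip-audit --format json` (dependencies list with
per-package vulns). Both samples below are constructed, not real scan output.
"""
import json
from collections import Counter

LEVELS = ["info", "low", "moderate", "high", "critical"]  # npm audit ordering

# Constructed sample of what `npm audit --json` might summarise for a project.
NPM_SAMPLE = json.dumps({"auditReportVersion": 2, "metadata": {"vulnerabilities": {
    "info": 0, "low": 3, "moderate": 1, "high": 2, "critical": 0, "total": 6}}})

# Constructed sample of `pip-audit --format json`; the id is a placeholder, not a real advisory.
PIP_SAMPLE = json.dumps({"dependencies": [
    {"name": "examplepkg", "version": "1.0.0", "vulns": [
        {"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"], "aliases": [], "description": "constructed"}]},
    {"name": "otherpkg", "version": "2.3.0", "vulns": []}]})

def count_npm(report: dict) -> Counter:
    """Per-severity counts from npm audit metadata (missing keys count as 0)."""
    summary = report.get("metadata", {}).get("vulnerabilities", {})
    return Counter({level: int(summary.get(level, 0)) for level in LEVELS})

def count_pip_audit(report: dict) -> Counter:
    """pip-audit attaches no severity, so every finding is counted as 'unknown'."""
    n = sum(len(dep.get("vulns", [])) for dep in report.get("dependencies", []))
    return Counter({"unknown": n})

def gate(counts: Counter, fail_at: str = "high", block_unknown: bool = True) -> tuple[bool, str]:
    """Return (passed, summary). Fails on any finding rated at or above `fail_at`.

    Findings below the threshold are reported as 'advisory' instead of being
    dropped (the post's point about chaining small flaws). Unrated findings
    block by default, because "no severity" is not the same as "low".
    """
    cut = LEVELS.index(fail_at)
    blocking = sum(counts[level] for level in LEVELS[cut:])
    advisory = sum(counts[level] for level in LEVELS[:cut])
    if block_unknown:
        blocking += counts["unknown"]
    else:
        advisory += counts["unknown"]
    return blocking == 0, f"blocking={blocking}, advisory={advisory} (threshold {fail_at})"

if __name__ == "__main__":
    for name, counts in (("npm", count_npm(json.loads(NPM_SAMPLE))),
                         ("pip-audit", count_pip_audit(json.loads(PIP_SAMPLE)))):
        passed, summary = gate(counts)
        print(f"{name}: {'PASS' if passed else 'FAIL'} {summary}")  # a CI job exits non-zero on FAIL
```

In a real pipeline, pipe the audit command's JSON to this script and exit non-zero when `gate` returns `False`; the advisory count belongs in the job log so low-severity findings stay visible rather than disappearing behind a green check.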
Conclusion
Project Glasswing marks a turning point: AI doesn't just write code, it also protects code. Over 10,000 vulnerabilities found in one month is an unprecedented number.
The question for every developer: when was your code last security-scanned?