AI Hunts Security Vulnerabilities: 10,000+ High and Critical Vulnerabilities Found in One Month with Claude Mythos
Project Glasswing: When AI Becomes a Security Hunter
In April 2026, Anthropic launched Project Glasswing, a collaborative program with roughly 50 partners to find security vulnerabilities in the world's most critical software. The primary tool was Claude Mythos Preview, an AI model specialized in security work.
The results after one month forced the industry to rethink its assumptions: more than 10,000 vulnerabilities rated high or critical severity were discovered, and bug-finding throughput rose roughly tenfold compared with previous approaches.
The key insight is that the bottleneck is no longer finding bugs. The challenge now is how quickly each finding can be verified, reported, and patched.
Concrete Numbers From Partners
Cloudflare, one of the world's largest network infrastructure operators, found 2,000 bugs in critical-path systems, 400 of them rated high or critical severity. The false-positive rate was lower than that of manual human testing.
Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview, more than ten times the number found in Firefox 148 with Claude Opus 4.6.
Palo Alto Networks shipped patches at five times its usual volume, and Microsoft reported that its patch counts "will continue trending larger for some time."
Oracle found and patched vulnerabilities across its products and cloud services several times faster than before.
These are not theoretical numbers; they are reported results from companies that run global internet infrastructure.
Critical Vulnerabilities in Open Source
Anthropic scanned more than 1,000 open-source projects with Mythos Preview and reported 23,019 vulnerabilities in total, 6,202 of them rated high or critical severity.
Of the 1,752 findings assessed by independent security firms, 90.6% were confirmed as true positives, a high precision rate for automated discovery, and 62.4% were confirmed at high or critical severity. Note that these percentages describe the assessed subset, not all 23,019 reports.
One concrete example: Mythos Preview found a vulnerability in wolfSSL, an open-source cryptography library used by billions of devices. The flaw allowed an attacker to forge certificates, so a fraudulent site could present itself as legitimate to clients relying on the library. The vulnerability was assigned CVE-2026-5194.
What Does This Mean for Developers?
1. Security Is No Longer Just the Security Team's Job
When an AI can scan an entire codebase in hours, every developer needs a working knowledge of security. Code review now has to include security review, not just correctness and style.
2. Open Source Is Getting a Deep Clean
This is good news for the whole ecosystem: thousands of libraries that everyone depends on daily are about to become noticeably more secure. It also means that if you maintain an open-source project, you should expect a large wave of bug reports.
3. AI Attack and AI Defense
The flip side: if AI can find vulnerabilities, attackers can use similar AI. A paper on arXiv (2605.22001) shows that "domain-camouflaged injection" attacks evade security detectors at a high rate, with detection rates dropping from 93.8% to 9.7% on some models.
This is an arms race, and defense must move faster than offense.
4. Security Workflows Need to Change
Instead of waiting for periodic audits, integrate security scanning into CI/CD pipelines. Tools like Snyk, Trivy, and now Mythos-class AI can run automatically on every commit, and the pipeline should fail the build when a finding crosses an agreed severity threshold rather than merely logging it.
The Limits: Not Everything Is Perfect
The research also exposes an uncomfortable reality: confirmed vulnerabilities still take an average of two weeks to patch. Some maintainers asked Anthropic to slow down its reporting because they lacked the capacity to handle the volume.
This is the open-source infrastructure dilemma: critical systems maintained by under-resourced teams. AI finds bugs fast; humans patch slowly.
Moreover, some vulnerabilities require architectural changes rather than simple patches, and verifying a fix and ensuring it causes no regressions also takes significant time.
Practical Advice
- Check dependencies regularly. Run `npm audit`, `pip-audit` (the PyPA tool; pip itself has no audit subcommand), or the equivalent for your ecosystem in CI pipelines.
- Track CVEs for the libraries you use. Subscribe to the security mailing lists of critical projects.
- Don't ignore low-severity bugs. Attackers can chain several small flaws into a major attack.
- Learn secure coding practices. The OWASP Top 10 remains the best starting point for developers.
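As an added example of the CI gate the advice above calls for (this is illustrative code written for this article, not code from Project Glasswing, Anthropic, npm, or pip-audit), the script below reads the JSON written by `npm audit --json` and `pip-audit -f json`, flattens the findings, and returns a non-zero exit status when any finding is at or above a severity threshold. The JSON shapes it parses are assumptions about those tools' output (the npm 7+ top-level `vulnerabilities` map, and pip-audit's list or `{"dependencies": [...]}` wrapper); the sample reports embedded in it are constructed placeholders, not real advisories. Because pip-audit reports no severity, its findings are treated as unknown and fail the gate by default, which is the conservative policy choice; low-severity findings are still printed so they are not silently dropped.

```python
"""Dependency-audit gate for CI (added example; not from any of the tools or projects named in the article).

Intended use:
    npm audit --json > npm-audit.json
    pip-audit -f json -o pip-audit.json
    python audit_gate.py --npm npm-audit.json --pip pip-audit.json --threshold high

Assumptions (re-check against the versions installed in your pipeline):
  * npm >= 7 `npm audit --json` has a top-level "vulnerabilities" map keyed by package name.
  * pip-audit JSON is either a list of dependencies or {"dependencies": [...]}, each
    dependency carrying a "vulns" list with "id" and "fix_versions".
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample reports for offline runs; package names and advisory IDs are placeholders.
NPM_SAMPLE = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {"name": "pkg-a", "severity": "critical", "isDirect": False, "fixAvailable": True},
        "pkg-b": {"name": "pkg-b", "severity": "low", "isDirect": True, "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 0, "critical": 1, "total": 2}},
}
PIP_SAMPLE = {
    "dependencies": [
        {"name": "pkg-c", "version": "1.0.0",
         "vulns": [{"id": "PYSEC-0000-00000", "fix_versions": ["1.0.1"], "aliases": [], "description": "placeholder"}]},
        {"name": "pkg-d", "version": "2.0.0", "vulns": []},
    ],
    "fixes": [],
}


def npm_findings(report):
    """Flatten an `npm audit --json` report into one record per vulnerable package."""
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        findings.append({
            "ecosystem": "npm",
            "package": name,
            "severity": entry.get("severity", "unknown"),
            "fix_available": bool(entry.get("fixAvailable")),
        })
    return findings


def pip_audit_findings(report):
    """Flatten a `pip-audit -f json` report (list or {"dependencies": [...]}).

    pip-audit does not carry a CVSS severity, so every finding is marked "unknown".
    """
    deps = report.get("dependencies", []) if isinstance(report, dict) else report
    findings = []
    for dep in deps:
        for vuln in dep.get("vulns", []):
            findings.append({
                "ecosystem": "pypi",
                "package": dep.get("name", "?"),
                "severity": "unknown",
                "advisory": vuln.get("id"),
                "fix_available": bool(vuln.get("fix_versions")),
            })
    return findings


def gate(findings, threshold="high"):
    """Return the findings that must fail the build: severity >= threshold.

    Unknown severity is ranked at the threshold itself (policy choice), so an
    unrated pip-audit finding fails the gate rather than slipping through.
    """
    bar = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], bar) >= bar]


def run(npm_report=None, pip_report=None, threshold="high"):
    """Print every finding (failing ones marked FAIL) and return the CI exit status."""
    findings = []
    if npm_report is not None:
        findings += npm_findings(npm_report)
    if pip_report is not None:
        findings += pip_audit_findings(pip_report)
    failing = gate(findings, threshold)
    for f in findings:
        flag = "FAIL" if f in failing else "warn"
        print(f"[{flag}] {f['ecosystem']}:{f['package']} severity={f['severity']} fix_available={f['fix_available']}")
    return 1 if failing else 0


def main(argv):
    import argparse
    parser = argparse.ArgumentParser(description="Fail CI on dependency-audit findings above a severity threshold.")
    parser.add_argument("--npm", help="path to `npm audit --json` output")
    parser.add_argument("--pip", help="path to `pip-audit -f json` output")
    parser.add_argument("--threshold", default="high", choices=sorted(SEVERITY_RANK, key=SEVERITY_RANK.get))
    args = parser.parse_args(argv)

    def load(path):
        if not path:
            return None
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)

    if not args.npm and not args.pip:  # no report files given: evaluate the constructed samples
        return run(NPM_SAMPLE, PIP_SAMPLE, args.threshold)
    return run(load(args.npm), load(args.pip), args.threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the gate reject the constructed samples (exit status 1: `pkg-a` is critical and `pkg-c` has no severity); lower `--threshold` to `low` to see `pkg-b` fail as well. In a real pipeline, wire the exit status into the job so a failing gate blocks the merge.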
Conclusion
Project Glasswing marks a turning point: AI is no longer only writing code, it is defending it. More than 10,000 high and critical vulnerabilities found in a single month is an unprecedented number.
The question for every developer: when was your code last scanned for security issues?