Anthropic Says Project Glasswing's Mythos Surfaced More Than 10,000 Vulnerabilities in a Month
Anthropic says Project Glasswing's Claude Mythos Preview has surfaced more than 10,000 high- or critical-severity vulnerabilities in roughly a month. The numbers move the defender bottleneck: finding flaws is no longer the hard part — verifying, disclosing, and patching them is.
Project Glasswing's first numbers turn the abstract claim that AI will find vulnerabilities at scale into a concrete operational reality — and in doing so they relocate the defender bottleneck from discovery to the much harder work of verifying, disclosing, and patching what the model surfaces.
SAN FRANCISCO, CALIFORNIA — On May 23, 2026, Anthropic published an initial update on Project Glasswing, the defensive AI initiative The CyberSignal first described in its coverage of Germany's warning about a Chinese AI 'superhacker.' The update puts hard numbers on the program for the first time: Anthropic says that since launching roughly a month earlier, it and its partners have used Claude Mythos Preview to surface more than 10,000 high- or critical-severity vulnerabilities across what the company calls "the most systemically important software in the world." Anthropic says 6,202 of those are classified high- or critical-severity flaws impacting more than 1,000 open-source projects.
Project Glasswing grants a small set of approximately 50 partners early access to Mythos Preview, and Anthropic says the program is expanding to additional partners. The primary source is Anthropic's own "Project Glasswing: An initial update" post, which was also covered by The Hacker News, Engadget, Benzinga, and Interesting Engineering. Every figure in the update is Anthropic's disclosure or a partner-reported number; none has been independently audited.
What Happened
Anthropic published "Project Glasswing: An initial update" on May 23, 2026, the first time the company has attached hard numbers to the defensive AI initiative it announced about a month earlier. Anthropic says that since the launch, it and its partners have used Claude Mythos Preview — the company's frontier model for autonomously identifying vulnerabilities in widely used software — to surface more than 10,000 high- or critical-severity vulnerabilities across what Anthropic calls "the most systemically important software in the world." Anthropic says 6,202 of those are classified high- or critical-severity flaws impacting more than 1,000 open-source projects. These are Anthropic's own disclosed figures; no third party has audited them.
Project Glasswing grants a small set of approximately 50 partners exclusive early access to Mythos Preview, and Anthropic says the program is expanding to additional partners. Anthropic disclosed partner results alongside the headline numbers: Cloudflare reported finding about 2,000 bugs, 400 of them high or critical severity, and Mozilla reported 271 vulnerabilities found and fixed in Firefox 150 — more than ten times the count Mozilla found when it tested the prior Firefox version with Claude Opus 4.6. The Mozilla Firefox 150 result is not new news; it was the subject of The CyberSignal's earlier coverage and appears in this update as a callback. Anthropic frames the takeaway candidly: software-security progress used to be limited by how fast vulnerabilities could be found, and the company says it is now limited by how fast they can be verified, disclosed, and patched.
A Milestone Update, Not a First Introduction
Project Glasswing is not new, and Anthropic's update is best read as a milestone in a story The CyberSignal has been following for weeks. The initiative was already named and described in the published article Germany Warns China Is Close to an AI 'Superhacker', where Glasswing appeared as the "Western governance scaffolding" built to harden critical software before frontier AI hacking capability could be weaponized — an initiative bringing together major firms including Amazon, Apple, Google, Microsoft, and JPMorgan Chase. What changed on May 23 is not the existence of the program but the arrival of figures. Anthropic's earlier framing of Glasswing was a thesis: that gated model access, coordinated disclosure, and defender hardening lead time could blunt the offensive curve. The 10,000-plus number, as Anthropic presents it, is the company's claim that the thesis is now producing measurable output. It is still a vendor's account of its own program, and it should be read as one.
What Anthropic Says Mythos Found — and What the Numbers Do Not Mean
The figures Anthropic disclosed are striking, and they need careful handling. Anthropic says Glasswing has surfaced more than 10,000 high- or critical-severity vulnerabilities, with 6,202 classified high- or critical-severity flaws impacting more than 1,000 open-source projects. The word that matters is "surfaced." Surfacing a flaw is not the same as confirming it is exploitable, and "10,000 surfaced" is not "10,000 confirmed exploitable." Anthropic has not disclosed the false-positive rate of Mythos Preview's findings, how many of the 10,000-plus have actually been verified, disclosed, and patched rather than merely flagged, or whether any were exploited in the wild before patching. None of the figures has been independently audited. This is the same interpretive caution The CyberSignal applied to Mozilla's earlier Firefox 150 result, where nuanced analysis showed a hierarchy of flaws beneath a single large headline number rather than 271 uniformly critical zero-days. The honest framing is that Anthropic and its partners are reporting a very large volume of model-surfaced findings — a meaningful claim about scale, and a claim, not an audited fact.
The Bottleneck Just Moved
The most consequential line in Anthropic's update is not a number but a concession. Anthropic says software-security progress used to be limited by how fast vulnerabilities could be found, and that it is now limited by how fast they can be verified, disclosed, and patched. If AI-driven discovery genuinely produces flaws by the thousand, the hard problem stops being detection and becomes throughput — the verify-disclose-patch pipeline. That reframes the entire defender conversation. It is the operational counterpart to the warning Kevin Mandia, Alex Stamos, and Morgan Adamski delivered at RSAC about a velocity gap between machine-speed discovery and human-speed remediation. Anthropic's update is, in effect, the same point made from the discovery side: the company is candidly conceding that its own program has shifted the constraint onto the part of the system — verification, coordinated disclosure, patching — that remains slow, human-paced, and under-resourced at most organizations.
Scope and Impact
For CISOs and vulnerability-management leaders, the operative takeaway is patch-pipeline capacity. If AI-driven discovery is now producing vulnerabilities by the thousand — as Anthropic and its partners say it is — then the binding constraint on a defensive program is verification and remediation throughput, not detection. The practical work is to audit mean-time-to-remediate, KEV-deadline compliance, and regression-test bandwidth, and to plan for an elevated patch cadence. Expect a near-term surge in disclosures and patches for widely used open-source software as Glasswing findings are validated, and track which open-source projects receive Glasswing-driven fixes — by Anthropic's account, those are the projects being hardened first.
Several specifics remain unconfirmed, and this account does not imply otherwise. Independent verification of the 10,000-plus and 6,202 figures does not exist — they are Anthropic's and its partners' self-reported numbers. Anthropic has not disclosed how many of the surfaced flaws have been verified, disclosed, and patched versus merely flagged, the false-positive rate of Mythos Preview, the full list of the roughly 50 Glasswing partners, which specific "systemically important software" projects received the most findings, or whether any of the surfaced flaws were exploited in the wild before patching. For application-security and DevSecOps teams, the generational signal is worth noting separately: Mozilla reported that the Firefox 150 result was more than ten times the count found with the prior-generation Claude Opus 4.6, which — if it holds — suggests AI vulnerability discovery is improving fast enough that dependency-update and software-composition-analysis processes must keep pace with a faster-moving upstream. Treat large AI-driven disclosure batches as a planning input, not a surprise.
Glasswing does not sit in isolation. It is the defender-side data point in a cluster The CyberSignal has tracked all month — alongside Microsoft's MDASH and Palo Alto Networks' Mythos-assisted internal scan, OpenAI's launch of Daybreak, and F5's DepthFirst, which surfaced the 18-year-old NGINX Rift critical RCE in roughly six hours. And it is the mirror image of the attacker-side evidence: Google's GTIG documented the first AI-developed zero-day exploited in the wild, and the Dead.Letter Exim RCE touched off an AI-versus-human exploit race. Read together, these data points show that the AI vulnerability-discovery race is now empirically bidirectional — and defender-side AI capability only helps if the verify-disclose-patch pipeline keeps pace, which is the bottleneck Anthropic's own update concedes.
Response and Attribution
The immediate response for vulnerability-management programs is to treat the Glasswing numbers as a forcing function for patch-pipeline capacity rather than as a headline to admire. Audit mean-time-to-remediate against an assumption of elevated disclosure volume, review regression-test bandwidth, and confirm KEV-deadline compliance processes can absorb a faster cadence of open-source patches. For application-security and DevSecOps teams, treat large AI-driven disclosure batches as an expected planning input: dependency-update, software-composition-analysis, and triage workflows should be sized for a faster-moving upstream, on the assumption that more open-source projects will ship AI-surfaced fixes in the coming months.
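One way to run the audit described here and under Scope and Impact, as an added example that is not from Anthropic or The CyberSignal: a FIFO queue model showing what happens to mean-time-to-remediate and deadline compliance once weekly finding volume outruns remediation capacity. The weekly volumes, the capacity and the 21-day deadline are constructed values, not figures from the update.

```python
from collections import deque


def audit_pipeline(arrivals_per_week, capacity_per_week, weeks, deadline_days):
    """FIFO model of a verify-disclose-patch queue.

    Each week `arrivals_per_week` findings enter the queue and at most
    `capacity_per_week` are remediated, oldest first. Returns mean
    time-to-remediate in days, the share closed within `deadline_days`,
    and the backlog still open at the end of the window.
    """
    queue = deque()  # arrival week of every open finding
    ages = []        # days-to-remediate of every closed finding
    for week in range(weeks):
        queue.extend([week] * arrivals_per_week)
        for _ in range(min(capacity_per_week, len(queue))):
            arrived = queue.popleft()
            # A finding is counted as closed at the end of the week it is worked.
            ages.append((week - arrived + 1) * 7)
    closed = len(ages)
    return {
        # MTTR covers closed findings only, so it understates exposure
        # whenever the backlog is growing; always read it next to `backlog`.
        "mttr_days": sum(ages) / closed if closed else float("inf"),
        "on_time": sum(a <= deadline_days for a in ages) / closed if closed else 0.0,
        "backlog": len(queue),
    }


if __name__ == "__main__":
    # Constructed scenarios: same team capacity, doubled inflow of findings.
    scenarios = {"baseline": 20, "elevated": 40}
    for name, inflow in scenarios.items():
        result = audit_pipeline(inflow, capacity_per_week=25, weeks=12,
                                deadline_days=21)
        print(f"{name:9s} mttr={result['mttr_days']:.1f}d "
              f"on_time={result['on_time']:.0%} backlog={result['backlog']}")
```

In the elevated scenario the MTTR of closed findings sits just past the deadline, while the open backlog, which MTTR does not count, keeps growing by the difference between inflow and capacity every week.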
For threat-intelligence and strategy teams, Glasswing belongs in the same picture as the attacker-side capability Google's GTIG has already documented — the AI vulnerability-discovery race runs in both directions, and Anthropic's own framing concedes that defender-side AI capability only pays off if the verify-disclose-patch pipeline keeps pace. For policy-engaged CISOs, Glasswing remains the "Western governance scaffolding" model: gated model access, coordinated disclosure, and defender hardening lead time. The 10,000-figure update is, on Anthropic's account, evidence the model produces results and evidence of the scale of latent vulnerability in critical software. In board and regulator communication, the figures should be cited carefully — as Anthropic's disclosure and its partners' self-reported numbers, not as audited fact.
The CyberSignal Analysis
AI Solved Discovery — the Unsolved Problem Is Throughput
The most important thing in Anthropic's update is not the 10,000-plus figure; it is what that figure implies about where the hard problem now lives. For years, the limiting factor in software security was how fast vulnerabilities could be found. Anthropic's account of Project Glasswing — and the company is candid about this in its own framing — is that AI-driven discovery has effectively removed that limit, and that the binding constraint is now verification, coordinated disclosure, and patching. For defenders, that is the operative reframe. The investment that matters is not another scanner; it is patch-pipeline capacity — mean-time-to-remediate, regression-test bandwidth, KEV-deadline throughput. If discovery produces flaws by the thousand and remediation stays human-paced, the gap between the two is the new exposure. Anthropic surfaced the vulnerabilities; closing them is still the defender's job, and it is the job the numbers say is now the bottleneck.
Read the Numbers as a Vendor Disclosure, Not an Audited Fact
Every figure in this story — the 10,000-plus, the 6,202, the roughly 50 partners, Cloudflare's 2,000 and 400, Mozilla's 271 — comes from Anthropic or a Glasswing partner reporting on its own work. That does not make the numbers wrong, but it does make them claims rather than findings. No third party has audited them. "Surfaced" is not "confirmed exploitable"; a model-flagged vulnerability is a candidate, not a verified flaw, and Anthropic has not disclosed Mythos Preview's false-positive rate or how many of the surfaced flaws have actually been verified, disclosed, and patched. The earlier Firefox 150 coverage showed why this matters: a single large headline number can sit on top of a hierarchy of flaws of very different severity. CISOs briefing boards and regulators on Glasswing should carry the numbers forward with their attribution intact — as Anthropic's disclosure of its own program's output — and resist the compression that turns "Anthropic says it surfaced 10,000" into "there are 10,000 confirmed critical flaws."
The AI Vulnerability-Discovery Race Is Now Bidirectional
Project Glasswing is the defender-side entry in a ledger that now has columns on both sides. The CyberSignal has tracked the defensive cluster — Microsoft's MDASH, Palo Alto's Mythos-assisted scan, OpenAI's Daybreak, F5's DepthFirst and the 18-year-old NGINX Rift RCE — and the offensive cluster, including Google GTIG's first AI-developed zero-day exploited in the wild and the Dead.Letter Exim exploit race. Glasswing's 10,000-plus figure is the largest defender-side data point yet, but it does not change the structural picture: the same capability that lets Anthropic's partners surface flaws by the thousand is, in a different form, available to attackers. That is the strategic reason the verify-disclose-patch bottleneck is so consequential. Defender-side AI does not win the race on its own; it only helps if the slow, human-paced remediation pipeline behind it can keep up. Anthropic's update is useful precisely because it says so plainly — the company is conceding, in its own milestone announcement, where the unsolved problem still sits.