Mythos model flags 10,000+ potential software vulnerabilities

Published by The Daily Scout

What happened

- Anthropic said on May 22 that Project Glasswing used Claude Mythos Preview with about 50 partners to flag more than 10,000 high-severity vulnerabilities.
- Anthropic said the findings came from scans of “systemically important software,” with launch partners including AWS, Apple, Cisco, Google, Microsoft and NVIDIA.
- Anthropic said Project Glasswing will continue with partner-led validation and remediation across first-party and open-source software.

Why it matters

Anthropic said on May 22 that its Project Glasswing initiative had flagged more than 10,000 high- or critical-severity vulnerabilities in roughly one month of work using Claude Mythos Preview. The company said the project paired the model with about 50 partner organizations scanning “systemically important software” used across critical infrastructure and widely deployed technology. Anthropic framed the output as candidate findings for defenders to validate and fix, not as a finished list of confirmed bugs. The disclosure came in an initial project update and in related reporting this week.

### Where did the 10,000 figure come from?

Anthropic said the count came from Project Glasswing, a program it launched in April to test Mythos Preview inside a restricted defensive-security workflow. The company said partners used the model to scan both first-party code and open-source software that underpins large parts of the global attack surface. Anthropic said it committed up to $100 million in usage credits for the effort and $4 million in donations to open-source security organizations. (anthropic.com)

Anthropic’s May 22 update said the model and its partners had found “more than ten thousand high- or critical-severity vulnerabilities” since launch. The company did not present that figure as 10,000 patched or fully confirmed defects; it described an accelerated discovery pipeline that still requires human review, triage and remediation. (anthropic.com)

### What exactly was Mythos doing inside Project Glasswing?

Project Glasswing used Claude Mythos Preview for automated code review and vulnerability hunting in constrained settings run by named partner organizations, according to Anthropic. The launch-partner list on Anthropic’s project page includes Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. (anthropic.com)

Anthropic said the model was being used as part of defensive security work rather than as a broadly available assistant. In a separate technical write-up, Anthropic said internal testing showed Mythos Preview could identify novel zero-days and build exploit components from them, which was one reason it chose a limited rollout through Glasswing instead of general release. (anthropic.com)

### Does “10,000 vulnerabilities” mean 10,000 confirmed bugs?

Anthropic’s own wording suggests no. The company said Project Glasswing surfaced high- or critical-severity vulnerabilities, but the workflow depends on partner organizations and maintainers to verify findings, decide severity and issue fixes. NHK World, citing company disclosures, described the project as automated code review and triage that generated issues for human validation. (red.anthropic.com)

That distinction matters because AI-assisted security systems often produce large pools of plausible findings before confirmation. Anthropic’s update emphasized discovery speed, while outside coverage said the process created a backlog for patching and follow-up by defenders and software maintainers.

### Why did Anthropic keep Mythos restricted?

Anthropic said Mythos Preview showed unusually strong cybersecurity capabilities in internal evaluations. (anthropic.com) The company said the model could find complex vulnerabilities and, in some tests, chain exploit primitives into end-to-end attack paths, raising misuse concerns if released broadly without stronger safeguards.

GovInfoSecurity reported on May 27 that Anthropic was expanding access to Mythos, but only through selected “critical partners,” including U.S. and allied-government users, rather than opening the model to the public. (anthropic.com) Anthropic also said its longer-term goal is to enable safer deployment of Mythos-class systems at scale. (red.anthropic.com)

### What happens next for Project Glasswing?

Anthropic said the next phase is continued partner-led validation and remediation across critical first-party and open-source systems. The company said it would share lessons from the project with the broader industry, while maintaining the restricted-access structure around Mythos Preview. Anthropic’s public project pages say Glasswing remains a live effort involving major technology vendors, security companies and infrastructure maintainers. (govinfosecurity.com) Any broader release of Mythos-class capabilities, Anthropic said, will depend on additional safeguards and controlled deployment mechanisms. (anthropic.com 1) (anthropic.com 2)

Key numbers

  • Anthropic said on May 22 that Project Glasswing used Claude Mythos Preview with about 50 partners to flag more than 10,000 high-severity vulnerabilities.
  • Anthropic said on May 22 that its Project Glasswing initiative had flagged more than 10,000 high- or critical-severity vulnerabilities in roughly one month of work using Claude Mythos Preview.
  • The company said the project paired the model with about 50 partner organizations scanning “systemically important software” used across critical infrastructure and widely deployed technology.
  • Anthropic said it committed up to $100 million in usage credits for the effort and $4 million in donations to open-source security organizations.


