Anthropic finds 10,000 vulnerabilities

- Anthropic said on May 22 that partner organizations using its unreleased Claude Mythos Preview model had identified more than 10,000 software vulnerabilities in a month.
- Anthropic’s initial Glasswing update said partners had already confirmed 1,094 high-severity flaws across more than 1,000 open-source projects, with only 97 patched.
- Anthropic said qualifying customer security teams can request access to the Glasswing tools it used with Mythos Preview.

Anthropic said on May 22 that partner organizations using its unreleased Claude Mythos Preview model had identified more than 10,000 software vulnerabilities in a month, expanding on a cybersecurity initiative the company launched in April. The company disclosed the figure in an initial update on Project Glasswing, its program to use frontier AI models for defensive security work. Anthropic also said it would make the tools it and its partners used with Mythos Preview available on request to qualifying customer security teams. The update offered one of the clearest public examples yet of a frontier model being positioned as a narrowly defined enterprise security product rather than a general-purpose assistant.

### Where did the 10,000-vulnerability figure come from?

Anthropic said the number came from work by Project Glasswing partners that used Mythos Preview to examine software at scale over a one-month period. In the same update, the company said disclosed vulnerabilities were a lagging indicator because it could not yet fully detail partners’ findings without increasing risk to end users. Anthropic instead published aggregate statistics and a smaller set of examples. (anthropic.com)

Anthropic’s public materials describe Project Glasswing as a coalition effort focused on critical software and open-source infrastructure. The company named Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks as launch partners, and said it had also extended access to more than 40 additional organizations that build or maintain critical software infrastructure. (anthropic.com)

### What has Anthropic actually confirmed so far?

Anthropic said partners had confirmed 1,094 high-severity vulnerabilities across more than 1,000 open-source projects, while only 97 had been patched as of the update. The company’s security site separately says work underlying its commercial security offering surfaced more than 500 previously unknown vulnerabilities in widely used open-source software. Those figures suggest Anthropic is distinguishing between the broader pipeline of findings and the smaller subset that has been validated and remediated enough to discuss publicly. (anthropic.com)

Anthropic’s red-team research site said engineers without formal security training had asked Mythos Preview to find remote-code-execution vulnerabilities overnight and received working exploits by the next morning. The company launched Project Glasswing, it said, both to help secure critical software and to prepare the industry for stronger model capabilities in cyber offense and defense. (anthropic.com)

### What is Anthropic opening up to customers now?

Anthropic said it is making “the tools that we and our partners have used with Mythos Preview” available to qualifying customers’ security teams on request. The company said the goal was to make it easier to get strong performance from highly capable public models without extensive setup, indicating that some of the value lies in workflow, tooling and evaluation methods rather than model access alone. (red.anthropic.com)

Anthropic’s product page for Claude Security says the offering is built on work from its Frontier Red Team, including capture-the-flag competitions, critical-infrastructure defense work with national laboratories and systematic vulnerability hunting in production code. That page frames the product around vulnerability detection and remediation rather than broader autonomous cyber operations. (anthropic.com)

### How does this connect to government and classified use?

The New York Times reported on May 22 that U.S. intelligence agencies including the CIA and NSA were seeking more advanced chips and infrastructure to deploy the latest AI models on classified systems. Separate reporting from Bloomberg and other outlets in April said White House officials were preparing rules for AI deployment by national security agencies and weighing wider federal access to Anthropic’s Mythos model. (anthropic.com)

Anthropic has not publicly tied the Glasswing update to any government contract in the materials reviewed here, but the reporting places the company’s cyber work alongside active U.S. government interest in frontier-model deployment for sensitive environments.

Anthropic said in April that it was committing up to $100 million in usage credits and $4 million in donations to open-source security organizations through Project Glasswing. The next concrete step the company has named is customer access: qualifying security teams can now request the Glasswing tools Anthropic says it used with Mythos Preview. (anthropic.com) (nytimes.com)
