Anthropic flags 10,000 vulnerabilities

Anthropic has started to put hard numbers around a security effort it launched in April, and those numbers help explain why the company’s “Mythos” model is getting fresh attention. In an initial update on Project Glasswing published May 22, Anthropic said Claude Mythos Preview had helped partners identify more than 10,000 high- and critical-severity vulnerabilities since the program began in April. That update matters because Mythos has so far been framed less as a general-purpose consumer model than as a tightly controlled cyber system. Anthropic said Glasswing gives selected organizations early access to Mythos Preview for defensive security work, with launch partners including Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA and the Linux Foundation. The company also tied the program to outside funding and infrastructure relationships. (anthropic.com) Anthropic said in April that it would commit up to $100 million in usage credits and $4 million in donations to open-source security organizations, while OpenSSF said on March 17 that Anthropic was among the companies backing $12.5 million in grants managed through Alpha-Omega and the Open Source Security Foundation. Separately, CNBC reported on May 21 that Anthropic was in talks to use Microsoft’s Maia 200 chips through Azure servers. (anthropic.com) ### Where did the 10,000-vulnerability figure come from? Anthropic’s own May 22 update is the clearest source for the number. The company said Glasswing participants had identified more than 10,000 vulnerabilities rated high or critical severity since April, and said the findings span software used across critical infrastructure and the broader internet. Anthropic has not publicly released a full project-by-project breakdown yet. (anthropic.com) The company said it plans to disclose more detail once patches for the discovered vulnerabilities are widely deployed, a sign that much of the evidence remains under coordinated disclosure. ### What has Anthropic actually shown so far? Mozilla is one of the few named partners to provide a concrete example. Anthropic said Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview, compared with far fewer findings in an earlier Firefox cycle using Claude Opus 4.6. (anthropic.com) The UK AI Security Institute supplied another benchmark. Anthropic said the institute reported Mythos Preview was the first model to solve both of its cyber ranges end to end, meaning the model completed multistep simulated attacks rather than isolated tasks. (anthropic.com) ### Why is OpenSSF money part of this story? Anthropic said the bottleneck is no longer just finding flaws but processing them. (anthropic.com) In its Glasswing materials, the company said the $4 million donation would support open-source security organizations handling triage and remediation, alongside the larger pool of usage credits for participating defenders. OpenSSF’s March 17 announcement gives the broader funding context. (anthropic.com) The foundation said Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft and OpenAI were contributing to a $12.5 million grant pool to strengthen open-source security through Alpha-Omega and other initiatives. ### So is Mythos becoming a public product? (anthropic.com) Code references and third-party reports suggest Anthropic is broadening access, but the company has not announced a general public launch for Mythos. Anthropic’s public materials still describe Mythos as “Preview” access inside Project Glasswing, and say the company will share more once patches are in place. Anthropic has, however, been explicit about the model’s capability level. (openssf.org) In a separate risk report, the company said Mythos Preview could identify and exploit zero-day vulnerabilities across major operating systems and browsers during testing, which helps explain the tighter deployment model. ### What do Microsoft’s Maia talks add? CNBC reported on May 21 that Anthropic and Microsoft were discussing access to Azure servers powered by Microsoft’s Maia 200 accelerator. (anthropic.com) Microsoft has used Maia chips in its own data centers but has not broadly offered them to outside customers, CNBC said. If those talks produce a deal, Anthropic would gain another compute option as it expands high-cost security workloads. (anthropic.com) Anthropic has said it will provide more detail on Glasswing’s results after discovered vulnerabilities are patched and deployed, making that disclosure the next concrete milestone to watch. (anthropic.com) (cnbc.com)