Anthropic’s latest AI model, Claude Mythos Preview, has autonomously identified over 10,000 high- and critical-severity zero-day vulnerabilities in critical software systems during its initial deployment in Project Glasswing. This collaborative cybersecurity initiative aims to secure essential infrastructure proactively.
Partnering with over 50 major technology organizations, including Microsoft, Apple, Google, and Cloudflare, Anthropic deployed Claude Mythos Preview against targeted codebases. The AI model demonstrated an unprecedented ability to not only identify flaws but also construct functional exploits autonomously. Cloudflare reported discovering 2,000 bugs, including 400 of high or critical severity, noting that the model’s false-positive rate outperforms human security testers.
Independent evaluations confirm these capabilities across multiple environments. The UK’s AI Security Institute observed that Mythos Preview is the first model to fully solve its multistep cyberattack simulations, while Mozilla utilized the model to uncover and patch 271 vulnerabilities in Firefox 150, yielding ten times more findings than previous testing with Claude Opus 4.6.
Due to the severe dual-use risks associated with these autonomous exploit capabilities, Anthropic has withheld Mythos from public release, restricting its use to defensive consortium members.
Beyond proprietary enterprise systems, Anthropic directed Claude Mythos Preview to scan over 1,000 widely used open-source projects. A notable discovery was CVE-2026-5194, a critical flaw in the wolfSSL cryptography library. Mythos Preview successfully engineered an exploit for this vulnerability that allowed for the forgery of security certificates, a vector that could enable attackers to spoof banking or email domains invisibly.
The sheer volume of discoveries has exposed a critical structural weakness in the software industry: the human capacity to triage, report, and patch vulnerabilities cannot keep pace with AI-driven discovery. The initial scanning phase yielded 23,019 candidate findings. When 1,900 of these findings were reviewed by external security firms, 1,726 (90.8%) were confirmed as valid true positives. Despite Anthropic reporting a total of 1,596 vetted findings directly to maintainers, only 97 vulnerabilities have been patched upstream to date, resulting in just 88 published security advisories. This massive drop-off highlights the severe capacity constraints faced by volunteer open-source maintainers who are now overwhelmed by high-quality AI vulnerability disclosures.
The industry is entering a transitional phase where the traditional 90-day coordinated vulnerability disclosure window poses new risks. Because Mythos-class models reduce the cost and time of zero-day discovery to nearly zero, the lag between discovery and widespread patch deployment offers a highly dangerous exploit window for threat actors.
Organizations are urged to move beyond relying solely on patching, adapting their network defenses by enforcing strict default configurations, mandating multi-factor authentication, and utilizing advanced behavioral analytics to detect and mitigate potential threats proactively.
Source: CyberSecurityNews.com
