3 Sources
[1]
Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software
Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software across the world since the cybersecurity initiative went live last month. Project Glasswing is an effort led by the artificial intelligence (AI) company, as part of which a small set of about 50 partners have obtained access to Claude Mythos Preview, a frontier model with capabilities to find vulnerabilities in widely-used software. Of these vulnerabilities, 6,202 have been classified as high- or critical-severity flaws impacting more than 1,000 open-source projects. Subsequent analysis of these vulnerability candidates has identified that 1,726 are valid true positives. As many as 1,094 flaws are assessed to be either high- or critical-severity. One of the identified weaknesses is a critical flaw in WolfSSL (CVE-2026-5194, CVSS score: 9.1) that could allow an attacker to forge certificates and masquerade as a legitimate service. In all, these efforts have led to 97 findings being patched upstream and 88 advisories being issued. "The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity," Anthropic acknowledged. "Confronting this challenge successfully will make our software far safer than before." The development comes as software vendors are shipping more fixes than ever before, driven by a surge in AI-assisted vulnerability discovery, with Microsoft noting that it expects the number of new patches it releases on a monthly basis to "continue trending larger for some time." Autonomous offensive security platform XBOW has described Mythos Preview as "a major advance" that's "substantially better than prior models at finding vulnerability candidates" and "adept at analyzing source code with a security mindset."
Recent analyses have also found the model to excel at turning vulnerabilities into end-to-end attack chains. Mythos Preview's utility, Anthropic added, goes beyond finding security flaws. In one case, a Glasswing partner bank is said to have leveraged the AI model to detect and prevent a fraudulent $1.5 million wire transfer after an unknown threat actor breached a customer's email account and made spoof phone calls. Given that models with similar capabilities to Mythos could become broadly available in the near future, Anthropic is urging software developers to shorten their patch cycles and make security fixes available. It's worth mentioning here that Oracle has recently shifted to a monthly patch cycle to address critical security issues. "Network defenders should shorten their patch testing and deployment timelines," Anthropic said. "These include steps like hardening networks' default configurations, enforcing multi-factor authentication, and keeping comprehensive logs for detection and response." The AI company also said it has launched a Cyber Verification Program that allows security professionals to use its models without guardrails for legitimate purposes such as vulnerability research, penetration testing, and red teaming. This is similar to OpenAI's Daybreak, which also allows defenders to leverage GPT-5.5-Cyber for specialized workflows. Models like Mythos Preview and GPT-5.5-Cyber have yet to be released to the public owing to concerns that there currently exist no adequate safeguards to prevent their misuse at a large scale. "Glasswing helps the most systemically important cyber defenders gain an asymmetric advantage," it pointed out. "However, there is an urgent need for as many organizations as possible to shore up their cyber defenses. We hope that our generally available models, and the new tools, resources, and research we're providing to accompany them, will support those organizations to improve their cybersecurity posture."
[2]
Anthropic says Mythos has already found more than 10,000 vulnerabilities - Engadget
The company has published an update about Project Glasswing, a month after its launch. Anthropic has published an initial report for Project Glasswing, the cybersecurity initiative it launched in April that aims to prevent AI cyberattacks with, well, AI. The initiative is powered by Claude Mythos Preview, the company's unreleased model, which Anthropic says has already helped its partners find more than ten thousand vulnerabilities overall just a month after Glasswing's launch. In addition, it says most of its partners have "each found hundreds of critical- or high-severity vulnerabilities in their software" using the model. The company said that its partners' rate of bug-finding has increased by more than a factor of ten. Cloudflare found 2,000 bugs, 400 of which are high or critical in severity. Mozilla previously reported that it found and fixed 271 vulnerabilities in Firefox, 10 times more than what it found in an older version of the browser using another Claude model. Microsoft's recent announcement that its patch releases will "continue trending larger for some time" is apparently because of the bugs it found through Mythos Preview. Anthropic also used Mythos Preview to scan 1,000 open-source projects over the past few months and found 6,202 high- and critical-severity vulnerabilities out of 23,019. While the company didn't include it in the report, a security research firm recently claimed that it found a way to breach macOS, an operating system known for having tight security, with help from Mythos' bug-finding capabilities. The company explained in its report that it hasn't released Mythos Preview to the public yet, because no company (including itself) has developed safeguards strong enough to prevent models like it from being misused. It intends to release "Mythos-class models" in the future, though, when those safeguards become available.
For now, it's planning to work with partners like the US and other governments to expand the availability of Project Glasswing. That indicates that the company may be on its way to repairing its relationship with the US government. The company is already working with several partners at the moment, including Amazon Web Services, Apple, CrowdStrike, Google, JPMorganChase, NVIDIA and Palo Alto Networks, in addition to the others we've already mentioned. Anthropic is reportedly about to be profitable for the first time since it was founded in 2021. According to a recent report by The Wall Street Journal, it's on track to post a revenue of $10.9 billion with an operating profit of $559 million for the quarter ending in June. The company doesn't expect to remain profitable in the quarters that will follow, however, as it intends to invest more money into computing resources and other expenses.
[3]
Anthropic's Project Glasswing Finds 'More Than 10,000' Critical Bugs, Expands To Additional Partners
Anthropic shared a sweeping update on Project Glasswing, saying its artificial intelligence-assisted security testing effort has already uncovered "more than 10,000 high-or critical-severity vulnerabilities" across widely used software systems. Several partner organizations reported that they saw an increase in bug discovery rates after integrating AI into their testing workflows, with some seeing gains of more than 10 times. The company cited results from Cloudflare, which said internal testing uncovered roughly 2,000 bugs, including 400 classified as high or critical severity, while producing fewer false positives than conventional human-led testing. Mozilla also identified and fixed 271 vulnerabilities in Firefox 150 during testing with Mythos Preview, a result the company contrasted with earlier runs using Claude Opus 4.6, stating that this new model is more effective. Anthropic noted that its Mythos Preview was even able to detect and prevent a fraudulent $1.5 million wire transfer after a threat actor compromised a customer's email account and made spoof phone calls. The company plans to publish a more detailed technical analysis of the vulnerability in the coming weeks. "There is a clear need for a larger effort across the software industry to manage the volume of findings that these models will generate. Currently, there's often a long lag between the discovery of a vulnerability, the creation of a patch for it, and the time when the patch is widely deployed by end users," the company wrote. Anthropic also noted that it plans to work with "critical partners," including the U.S. and allied governments, to expand Project Glasswing to additional partners. "In the near future, once we've developed the far stronger safeguards we need, we look forward to making Mythos-class models available through a general release," the company said. 
This content was partially produced with the help of AI tools and was reviewed and published by Benzinga editors.
Anthropic revealed that Project Glasswing has identified more than 10,000 high-severity software vulnerabilities across systemically important platforms in just one month. Partners like Cloudflare and Mozilla report bug detection rates increased by over 10 times, with Cloudflare alone finding 2,000 bugs. The initiative highlights both the power and challenges of AI-assisted security testing as the industry grapples with unprecedented volumes of security findings.
Anthropic has disclosed that Project Glasswing, its month-old cybersecurity initiative, has already uncovered more than 10,000 high- or critical-severity software vulnerabilities across some of the world's most systemically important platforms [1]. The effort leverages Claude Mythos AI, an unreleased frontier model specifically designed for AI-assisted security testing, which approximately 50 partner organizations have been using to scan their systems [2].
Of the total vulnerabilities discovered, 6,202 have been classified as high-severity flaws or critical bugs impacting more than 1,000 open-source projects. Analysis revealed that 1,726 represent valid true positives, with 1,094 assessed as either high- or critical-severity issues [1]. Among the identified weaknesses is a critical flaw in WolfSSL (CVE-2026-5194, CVSS score: 9.1) that could allow attackers to forge certificates and masquerade as legitimate services. These efforts have already resulted in 97 findings being patched upstream and 88 advisories being issued [1].
Several major technology companies have reported significant improvements in their vulnerability research capabilities. Cloudflare discovered approximately 2,000 bugs during internal testing, with 400 classified as high or critical severity, while producing fewer false positives than conventional human-led testing [3]. Mozilla identified and fixed 271 vulnerabilities in Firefox 150 using Mythos Preview, representing 10 times more findings than earlier scans using Claude Opus 4.6 [2].
Most partners have each found hundreds of critical- or high-severity vulnerabilities in their software, with bug detection rates increasing by more than a factor of ten across the board [2]. Microsoft's recent announcement that monthly patch releases will "continue trending larger for some time" is directly attributed to the volume of bugs discovered through Mythos Preview [2]. Autonomous offensive security platform XBOW has described Mythos Preview as "a major advance" that's "substantially better than prior models at finding vulnerability candidates" and "adept at analyzing source code with a security mindset" [1].
The utility of Claude Mythos AI extends beyond traditional vulnerability research. In one notable case, a Glasswing partner bank leveraged the model to detect and prevent fraudulent activities involving a $1.5 million wire transfer after an unknown threat actor breached a customer's email account and made spoof phone calls [1][3]. Anthropic plans to publish a more detailed technical analysis of this vulnerability in the coming weeks [3].
Anthropic acknowledged that "the relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity" [1]. The company emphasized there is "a clear need for a larger effort across the software industry to manage the volume of findings that these models will generate," noting the long lag between vulnerability discovery, patch creation, and widespread deployment [3].
The company is urging software developers to shorten their patch cycles and prioritize security fixes, pointing to Oracle's recent shift to a monthly cycle to address critical security issues. Network defenders should also shorten their patch testing and deployment timelines while implementing cybersecurity measures such as hardening default configurations, enforcing multi-factor authentication, and maintaining comprehensive logs for detection and response [1].
Anthropic has not released Mythos Preview to the public because no company, including itself, has developed safeguards strong enough to prevent models like it from being misused [2]. The company has launched a Cyber Verification Program that allows security professionals to use its models without guardrails for legitimate purposes such as vulnerability research, penetration testing, and red teaming, similar to OpenAI's Daybreak program [1].
Anthropic plans to work with critical partners, including the U.S. and allied governments, to expand Project Glasswing to additional partners [3]. Current partners include Amazon Web Services, Apple, CrowdStrike, Google, JPMorganChase, NVIDIA, and Palo Alto Networks [2]. The company intends to release Mythos-class models in the future once adequate safeguards become available [2][3].