Anthropic’s AI Found 10,000 Critical Software Flaws and Won’t Release It to the Public. That Is the Right Call.

Anthropic launched Project Glasswing on April 7, 2026, and gave a restricted group of partners access to Claude Mythos Preview — a model specifically designed to autonomously discover and exploit software vulnerabilities. In the weeks that followed, the model identified more than 10,000 high- and critical-severity vulnerabilities in widely deployed software. It found zero-days in every major operating system. It found them in every major web browser. It autonomously identified and fully exploited a 17-year-old remote code execution flaw in FreeBSD that allowed unauthenticated root access from anywhere on the internet. It found a critical vulnerability in wolfSSL with a CVSS score above 9.1.

Anthropic reported 1,596 verified findings directly to software maintainers. Ninety-seven have been patched. Eighty-eight security advisories have been published.

Claude Mythos remains restricted to approximately 50 vetted partners. It will not be released to the public.

That is the correct decision, and the gap between what the model found and what has been patched is the most important number in this story.

What Claude Mythos Preview Actually Does

Claude Mythos Preview is not a vulnerability scanner in the conventional sense. Traditional vulnerability scanners such as Nessus, Qualys, or OpenVAS identify known vulnerabilities by matching installed software versions and configurations against databases of existing CVEs. They are pattern-matchers. Mythos is a different category of capability.

The model performs autonomous vulnerability research: it reads source code, understands program logic, identifies edge cases in memory management and input handling, generates working proof-of-concept exploits to confirm exploitability, and decides without human guidance which specific vulnerabilities to pursue. The FreeBSD example illustrates the distinction. The RCE vulnerability Mythos identified had existed in the codebase for 17 years. It was not in any CVE database. It had not been identified by any automated scanner or previous security audit. Mythos found it, confirmed it was exploitable, and generated a working exploit that demonstrated full root access for an unauthenticated remote user.

That is not a scanner. That is an autonomous security researcher operating at a scale and speed that no human team can match.

Project Glasswing: The Defensive Framing

Anthropic structured Project Glasswing as a defensive consortium. The access list reads like a who’s who of critical software infrastructure: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. These are the companies whose software and infrastructure, if successfully attacked, would affect hundreds of millions of users and trillions of dollars in financial activity.

The theory of the project is straightforward: if AI can autonomously find zero-days at scale, the question is not whether they will be found — it is whether defenders or attackers find them first. Project Glasswing is an attempt to systematically front-run the attacker cohort by giving defenders priority access to the same capability that offensive actors will eventually develop independently.

CISA’s new 72-hour cyber incident reporting rule, which now covers approximately 300,000 companies across critical infrastructure sectors, becomes substantially more significant in a world where AI-enabled zero-day discovery is available. The reporting mandate assumes that incidents will occur. The Project Glasswing approach attempts to reduce the attack surface before incidents happen — two complementary postures that together describe what enterprise cybersecurity strategy looks like in the AI era.

Anthropic’s stated position, delivered alongside the Glasswing announcement, was blunt: no company currently has sufficient safeguards to defend against the full capability of what Mythos can do. That is not a marketing statement. It is a factual claim about the gap between what AI-enabled offensive capability can achieve and what the current state of enterprise security infrastructure is equipped to handle.

The Patch Rate Problem

The most consequential number in the Project Glasswing results is not the 10,000+ vulnerabilities identified. It is the 97 that have been patched.

Anthropic reported 1,596 verified, high-quality findings to software maintainers. Six weeks later, 97 patches exist. That is a 6% patch rate on confirmed, critical-severity vulnerabilities in widely deployed software. The other 94% are still unpatched in production software running on devices and servers worldwide.

The reason is not negligence by maintainers. The reason is capacity. The open-source software ecosystem runs on volunteer maintainers who are already overwhelmed by normal issue volume. A sudden influx of 1,596 high-quality, confirmed, critical vulnerability reports — each requiring analysis, reproduction, fix development, testing, and coordinated disclosure — represents years of work arriving simultaneously. The maintainers of FreeBSD, wolfSSL, and the dozens of other affected projects do not have the engineering bandwidth to process what Mythos generated in weeks.

This creates a genuinely novel security risk. The vulnerabilities are now known to Anthropic and its 50 Glasswing partners. They are known to the maintainers who received the reports. They are not yet patched. And the AI capability that identified them will not remain under Anthropic’s exclusive control for long: adversarial actors will develop comparable capability, either independently or by fine-tuning less safety-constrained models on vulnerability research data.

The window between “vulnerability found by defenders” and “vulnerability patched in the wild” is the attack surface that Project Glasswing inadvertently created by operating faster than the patching ecosystem can process.

Why Restricting Access Is the Correct Decision

The instinctive critique of Anthropic’s decision to restrict Mythos is that it concentrates a powerful capability in a small group of companies — many of them Anthropic’s commercial partners or investors — and withholds it from the broader security research community, which might patch vulnerabilities faster if it had access.

That critique misreads the risk surface. The security research community is not a monolithic defensive actor. It includes researchers who responsibly disclose, researchers who sell findings to governments, researchers who operate in gray markets for zero-day exploits, and actors who are straightforwardly malicious. Releasing Mythos into that environment is not “giving defenders access to a powerful tool.” It is releasing an autonomous exploit generation capability into a population that includes people who will use it offensively.

The zero-day exploit market has functioned for years on the economics of scarcity — a working exploit for a critical vulnerability in a major OS or browser can sell for hundreds of thousands of dollars because finding such vulnerabilities is hard and slow. Mythos makes that economic model obsolete. A public Mythos would collapse zero-day prices not by flooding the defensive community with information, but by flooding the offensive market with exploits that cost almost nothing to generate.

Anthropic’s broader enterprise strategy has consistently prioritised safety architecture as a competitive differentiator. The Glasswing restriction is consistent with that positioning: the company is making the judgment that the cost of misuse exceeds the benefit of broad access, and it is willing to accept the “concentrating power in large incumbents” critique to maintain that position. That judgment may be right. It may be that the only way to use a capability this dangerous beneficially is to control who has it.

The CVE Infrastructure Stress Test

Project Glasswing is also a stress test of the CVE system itself. The Common Vulnerabilities and Exposures database, managed by MITRE with CISA funding, is the global standard for vulnerability identification and tracking. The CVE assignment process was designed for a world where vulnerability discovery was human-paced: tens of thousands of records a year, arriving one report at a time from researchers, vendors, and bug bounty programs, each moving through coordinated disclosure at the speed of the humans on both ends.

Mythos surfaced thousands of vulnerabilities in weeks. The CVE numbering authority structure — which relies on CVE Numbering Authorities (CNAs) at individual vendors and projects to assign identifiers before coordinated disclosure — is not built for the throughput that AI-enabled discovery can produce. MITRE has been underfunded relative to CVE volume for years; a world where multiple AI systems simultaneously discover vulnerabilities at Mythos-scale throughput would require either a fundamentally restructured CVE process or an acknowledgment that the current system cannot track what is actually being found.

The 88 published advisories from Glasswing represent only the fraction of findings that have proceeded far enough through the disclosure-and-patch pipeline to be public. The 1,596 reported-to-maintainer findings have entered a process that was not designed for this volume, and the output rate — 97 patches in six weeks — suggests the process is already at capacity.

What This Means for Enterprise Security Teams

For enterprise security teams, the Project Glasswing results have two practical implications that operate on different timescales.

In the near term, the findings remind security teams that the patch backlog is not primarily a prioritisation failure — it is a capacity problem. Even with perfect knowledge of critical vulnerabilities, the speed at which patches can be developed, tested, and deployed in enterprise environments is constrained by change management processes, dependency chains, and operational risk tolerance. AI-enabled discovery accelerates the information side of the equation without accelerating the remediation side. The attack surface that exists in the gap is real and growing.
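The capacity argument made in the patch-rate section above and restated here can be checked with a small throughput model. The script below is added for illustration and is not Anthropic’s, CISA’s, or any maintainer’s code. It takes the two counts the article gives (1,596 reports, 97 patches after six weeks), derives the implied fixing capacity, and then replays the backlog under two triage policies. The per-finding severities, the placeholder identifiers, and the assumption that all reports arrive in the same week are constructed for the example.

```python
"""Throughput model of the Glasswing patch gap (illustrative, not vendor code).

Shows that with fixed maintainer capacity, triage policy changes WHICH
findings get fixed first but not HOW MANY are fixed by a given week.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass, replace

REPORTED = 1596       # findings reported to maintainers (from the article)
PATCHED = 97          # patches shipped after six weeks (from the article)
WEEKS_ELAPSED = 6


@dataclass(frozen=True)
class Finding:
    ident: str                  # constructed placeholder, not a real CVE id
    cvss: float                 # assumed severity, high/critical band
    patched_week: int | None = None


def make_findings(n: int = REPORTED, seed: int = 7) -> list[Finding]:
    """Construct n findings, all reported in week 0, CVSS uniformly in 7.0-10.0.
    The severity distribution is an assumption for the example."""
    rng = random.Random(seed)
    return [Finding(f"FINDING-{i:04d}", round(rng.uniform(7.0, 10.0), 1))
            for i in range(n)]


def implied_capacity(patched: int = PATCHED, weeks: int = WEEKS_ELAPSED) -> int:
    """Patches per week that the observed output implies, rounded down."""
    return patched // weeks


def simulate(findings: list[Finding], capacity_per_week: int, weeks: int,
             prioritise: bool = True) -> list[Finding]:
    """Close at most capacity_per_week findings each week.

    prioritise=True: always take the highest-CVSS open finding next.
    prioritise=False: work the queue in report order.
    Returns a new list; the input is not mutated."""
    queue = (sorted(findings, key=lambda f: f.cvss, reverse=True)
             if prioritise else list(findings))
    done: list[Finding] = []
    idx = 0
    for week in range(1, weeks + 1):
        for _ in range(capacity_per_week):
            if idx == len(queue):
                break
            done.append(replace(queue[idx], patched_week=week))
            idx += 1
    return done + queue[idx:]


def patched(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.patched_week is not None]


def unpatched(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.patched_week is None]


def patch_rate(findings: list[Finding]) -> float:
    return len(patched(findings)) / len(findings)


def weeks_to_clear(backlog: int, capacity_per_week: int) -> int:
    """Weeks needed to drain a backlog at a fixed fixing rate."""
    return math.ceil(backlog / capacity_per_week)


if __name__ == "__main__":
    findings = make_findings()
    cap = implied_capacity()
    print(f"implied capacity: {cap} patches/week")
    for mode in (True, False):
        result = simulate(findings, cap, WEEKS_ELAPSED, prioritise=mode)
        worst_open = max(f.cvss for f in unpatched(result))
        print(f"prioritise={mode}: {len(patched(result))} patched "
              f"({patch_rate(result):.1%}), worst open CVSS {worst_open}")
    print(f"weeks to clear full backlog: {weeks_to_clear(REPORTED, cap)}")
```

With the article’s numbers the implied capacity is 16 patches a week, so the backlog of 1,596 takes roughly 100 weeks to drain regardless of how it is ordered. Prioritising by CVSS guarantees that no unpatched finding outranks any patched one, which is the most a maintainer can do with the same bandwidth; it does not move the patch count. Adding capacity (more maintainers, funded triage, shared fix development) is the only lever in the model that changes the rate.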

In the medium term, the capability Mythos demonstrates will not remain exclusive to Anthropic’s consortium. Competing AI labs are running comparable research programs. Nation-state cyber programs are almost certainly working on offensive AI vulnerability discovery. The question for enterprise security strategy is not whether AI-enabled zero-day discovery becomes broadly available, but when — and whether the defensive infrastructure and patching capacity exists to respond when it does.

The companies on the Glasswing access list — AWS, Apple, Microsoft, Google — have the engineering resources to process high-volume vulnerability reports and deploy patches at scale. The rest of the enterprise software ecosystem does not. The security gap that Glasswing is trying to close is not evenly distributed across the software supply chain, and the portions of the supply chain that are most exposed are not necessarily the ones with Glasswing access.

The Honest Statement Buried in the Announcement

Buried in Anthropic’s project documentation is a statement that deserves to be treated as a headline rather than a footnote: no company currently has sufficient safeguards to defend against what Claude Mythos can do.

That is not Anthropic hedging. It is the company that built the capability acknowledging that the attack surface it can expose exceeds the current state of defensive capacity. The implication is that even the Glasswing consortium members — who include the largest and most sophisticated software security operations in the world — are operating with meaningful unpatched exposure to AI-identified vulnerabilities.

The honest interpretation of Project Glasswing is that Anthropic built something that can find critical vulnerabilities faster than the industry can fix them, is distributing it to a restricted group of defenders to create as much lead time as possible, and is publicly acknowledging that the lead time may not be enough. That is a responsible way to handle a genuinely dangerous capability. It is also a sobering statement about where AI-enabled offensive security capability is relative to the defensive infrastructure meant to contain it.

The Bottom Line

Claude Mythos found more than 10,000 high- and critical-severity software vulnerabilities in weeks. Six percent of the confirmed findings reported to maintainers have been patched. The model remains restricted to 50 vetted partners because releasing it publicly would hand an autonomous zero-day generation capability to a population that includes bad actors.

The patch rate — 97 out of 1,596 reported — is the number that should concern enterprise security teams and policymakers more than the total vulnerability count. It is not evidence that the security community is failing. It is evidence that AI-enabled discovery has outrun the capacity of the human infrastructure meant to respond to it.

Anthropic is right to restrict access. The problem is that restricting access is a delaying action, not a solution. The capability will diffuse regardless of what one company decides. The question that has not been answered — by Anthropic, by CISA, or by the broader security community — is what the infrastructure looks like that can actually process AI-scale vulnerability discovery at the patching speed it requires.
