Glasswing Found 10,000 Critical Bugs in One Month
Technology•May 25, 2026•8 min read

Anthropic's Project Glasswing partners used Claude Mythos Preview to surface more than 10,000 high-severity vulnerabilities in widely used software in a single month. The slow step in cybersecurity has moved.

By Humphrey Theodore K. Ng'ambi


25 MAY 2026—Updated 1h ago

Project Glasswing is Anthropic's 50-partner effort to point a frontier cyber model at the world's most important software before attackers do — and the first month's number is 10,000 critical bugs.

On 22 May 2026, Anthropic published the initial update on Project Glasswing, a defensive coalition built around Claude Mythos Preview, the company's frontier model with autonomous vulnerability-discovery capabilities. In thirty days, Glasswing partners surfaced more than 10,000 high- or critical-severity flaws in widely used software, 6,202 of them across more than 1,000 open-source projects; of the 1,752 candidates independently triaged so far, 90.6% proved to be true positives. The story, picked up by The Hacker News on 23 May, is the most consequential cybersecurity dispatch of 2026 so far.


What Project Glasswing actually did

Glasswing is small by headcount and enormous by reach. Anthropic gave roughly fifty named partners — Cloudflare, Mozilla, Microsoft, Oracle, Palo Alto Networks, Cisco, XBOW, the UK's AI Security Institute, the Open Source Security Foundation's Alpha-Omega project, plus a handful of unnamed banks and labs — early, exclusive access to Claude Mythos Preview. Mythos is a model tuned for cyber: it reads code, runs harnesses, follows traces, and surfaces vulnerability candidates without a human prompting every step. Partners then ran Mythos against the codebases that hold the modern internet together.

The output, by the numbers Anthropic published: 23,019 total vulnerabilities (all severities) in open-source projects scanned; 6,202 estimated high- or critical-severity flaws across more than 1,000 open-source projects; 530 high- or critical-severity bugs already disclosed to maintainers under standard 90-day coordinated-disclosure terms; 75 of those patched; 65 given public advisories. Cloudflare alone found around 2,000 bugs, including 400 high- or critical-severity ones. Mozilla patched 271 vulnerabilities in Firefox 150 during its Mythos run — Anthropic reports that is more than ten times what the prior generation of AI tools surfaced.

Buried in the same report is one named CVE that should make every TLS vendor sweat: a critical flaw in WolfSSL, tracked as CVE-2026-5194, which could enable certificate-forgery attacks. WolfSSL ships in cars, payment terminals, IoT devices, and embedded systems where patch cadence is measured in years, not weeks.

The shift is throughput

Glasswing did not invent a new class of vulnerabilities. Glasswing surfaced the volume of vulnerabilities that have always been there, hidden behind the rate at which a human auditor can read a codebase. The new variable is throughput.


The disclosure bottleneck is the new story

Anthropic's framing of the result is more important than the count itself. Until Mythos, finding a vulnerability was the slow step in defensive cybersecurity — armies of researchers, bug-bounty hunters, and red teams pushed against the rock of software complexity, and the rock won most weeks. Mythos changes the slope. Finding is now fast. Verifying, disclosing, and patching is now slow. The bottleneck has moved.

Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it's limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI.

— Anthropic, Project Glasswing initial update (https://www.anthropic.com/research/glasswing-initial-update)

The downstream consequences are real and uncomfortable. A 530-bug disclosure queue is not 530 emails to maintainers; it is 530 separate triage cycles, severity assessments, patch verifications, vendor-coordination calls, and CVE entries — each one a unit of human attention. Most open-source projects are sustained by a handful of unpaid maintainers in different time zones. Asking that pipeline to absorb a tenfold increase in legitimate, valid, high-severity bug reports is asking it to break. Anthropic acknowledges as much, and is paying six independent security research firms to do the triage that maintainers cannot.


Why the offence-defence balance is what to watch

The optimistic read on Glasswing is straightforward: defenders got the tool first. Anthropic has a policy of holding Mythos Preview inside a vetted partner programme rather than shipping it to the open market, precisely to give the defensive side a head start before the attacking side gets parity. The pessimistic read is that the head start is measured in months, not years, and the asymmetry will end.

Mythos-class capability will diffuse. Some labs will train comparable models openly; others will leak; criminal operators will replicate enough of the capability to matter. When that diffusion completes, every codebase Glasswing has not yet scanned becomes a target, and every codebase Glasswing has scanned becomes a race between patch deployment and exploit weaponisation. The window between disclosure and patch — the long-tail of unpatched servers, embedded systems, and legacy applications — is where the actual harm lives.

I have argued before that agent safety is an ecosystem property, not a model property. Glasswing is the security version of the same argument. The model is the catalyst; the ecosystem — maintainers, vendors, regulators, the patch-deployment pipeline — is what determines whether the catalyst makes the world safer or more dangerous.


What this means for boards and CISOs

For any organisation that runs software — which now means every organisation — the Glasswing report is not abstract research. It is a forward-looking notice. The patch backlog is about to grow. The CVE feed is about to grow. Severity scores will skew toward "critical" because the cheap finds at the top of the iceberg are getting cleaned out fast, and the deeper bugs Mythos surfaces are the structural ones. Three concrete shifts follow.

First, asset inventories matter more than ever. You cannot patch what you do not know you have. Boards should be asking when the last full software bill of materials was generated, and how confident the security team is that it covers third-party libraries, embedded systems, and shadow IT. Second, disclosure-response capacity becomes a budget line. The expectation that vulnerability triage is a low-frequency, ad-hoc activity is over; teams need playbooks, on-call rotation, and rehearsed coordination with vendors. Third, the procurement question shifts. Buying software now means buying the maintainer's capacity to absorb a Mythos-grade disclosure queue. If your vendor cannot triage at speed, your exposure is their exposure.

I have written about this elsewhere — the agentic SOC arriving at ITWeb Sandton this June is the South African version of the same conversation. The Glasswing report is the global version.


The Anthropic-and-the-state story underneath

Glasswing did not appear in isolation. Anthropic briefed the Financial Stability Board on Mythos cyber risk on 18 May, four days before the partner update. The UK's AI Security Institute sits inside the Glasswing partner roster. Microsoft, Cisco, Palo Alto Networks, and Oracle — four firms with major government and critical-infrastructure exposure — are all in the room. The pattern is consistent: a private lab is steering a defensive coalition that has the operational character of a national-security programme, with selective state participation rather than state direction.

That structure is novel, and it has not been politically resolved. The lab gets to decide who is in the coalition, what the disclosure timeline is, and which findings flow first to which partners. The state gets a seat but not the chair. Defenders inside the coalition get an enormous capability lift; defenders outside it get whatever Mythos finds in their software after a 90-day patch window. The fairness of that distribution will be a 2026 governance debate, not a 2027 one.

Source: anthropic.com


Frequently Asked Questions

These are the questions security leaders, board members, and open-source maintainers have been asking since Anthropic published the initial Glasswing update. Short answers follow, drawn from the Anthropic announcement and the corroborating press coverage.

What is Project Glasswing?

Project Glasswing is Anthropic's coalition of about fifty cybersecurity, infrastructure, and policy partners working together to find and patch critical software vulnerabilities at scale using Claude Mythos Preview. It is a private defensive programme with the operational character of a national-security effort: partners get early, exclusive access to a frontier cyber model so they can patch widely used software before the same capability reaches attackers.

How does Claude Mythos Preview find vulnerabilities?

Mythos accepts source code, build environments, and existing fuzz harnesses as inputs. According to Anthropic, the model reads the code, follows execution traces, generates and runs test cases, and surfaces candidate vulnerabilities without a human prompting every step. Independent assessment of the 1,752 candidates reviewed so far shows a 90.6% true-positive rate, and Mozilla's Firefox 150 work showed a tenfold improvement over the prior generation of AI security tools.

Why is the disclosure bottleneck the real story?

Software security has historically been gated by how quickly humans could find new bugs. According to Anthropic, that gate has moved: the first thirty days show the limit is now how quickly humans can verify, disclose, and patch the volume of valid findings an AI model generates. The 530-bug disclosure queue and the six independent triage firms Anthropic has retained both point to the maintainer ecosystem, not the discovery layer, as the new pinch point.

Who is in the Glasswing partner programme?

Glasswing partners named in the update include Cloudflare, Mozilla, Microsoft, Oracle, Palo Alto Networks, Cisco, XBOW, the UK's AI Security Institute, the Open Source Security Foundation's Alpha-Omega project, and one unnamed bank. In other words, the coalition spans cloud, browser, operating system, network security, open-source ecosystem, and state-level cyber defence. Each partner runs Mythos against the code they care about and feeds findings back into the coordinated-disclosure pipeline.

What are the real risks of the Glasswing approach?

Analysis of the programme reveals three durable risks. First, the maintainer-capacity risk: open-source projects sustained by unpaid volunteers cannot absorb a tenfold increase in valid bug reports without burning out or missing critical patches. Second, the diffusion risk: Mythos-class capability will reach attackers within months, and any codebase outside the Glasswing coalition becomes a soft target during the diffusion window. Third, the governance risk: a private lab steering a defensive programme of this scale, with selective state participation rather than state direction, is a novel arrangement that has not been politically resolved. Each risk is structural, not cosmetic.

•••

Glasswing is the first concrete demonstration that frontier intelligence can be pointed at the software stack of the modern world and produce volume the human pipeline cannot currently absorb. The throughput problem is solved. The verification, disclosure, and patch problems are now the only problems that matter, and they are still human problems. That is the shape of the next cybersecurity decade — and it is also why the .person Protocol's insistence on dignified, accountable AI is not a philosophical luxury but an operational requirement.

Sources:

Anthropic — Project Glasswing: An initial update

Anthropic — Project Glasswing landing page

The Hacker News — Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

Related on humphreytheodore.com:

Anthropic Is Briefing the FSB on Mythos Cyber Risk · Emergence World Shows Agent Safety Is an Ecosystem Property · The Agentic SOC Lands in Sandton This June
