Source: Anthropic, May 22, 2026
Model: Claude Mythos Preview (unreleased)
HEADLINE
Finding bugs is no longer the bottleneck. Patching them is.
Anthropic and ~50 partners have been using Mythos Preview to hunt vulnerabilities in critical software. After one month, the security ecosystem is struggling to keep up with the volume of valid findings.
SCALE OF FINDINGS
- 10,000+ high/critical-severity vulnerabilities surfaced across partners in one month
- Partners reporting 10x increases in bug-finding rate
- Cloudflare: 2,000 bugs (400 high/crit), false-positive rate beating human testers
- Mozilla: 271 vulns fixed in Firefox 150, 10x the Firefox 148 run with Opus 4.6
- Industry patch volumes spiking: Palo Alto 5x normal, Microsoft and Oracle accelerating
EXTERNAL VALIDATION
- UK AI Security Institute: first model to solve both cyber ranges end-to-end
- XBOW: "significant step up" over all existing models, unprecedented token-for-token precision
- Top performer on ExploitBench and ExploitGym (new academic benchmarks)
OPEN-SOURCE SCAN RESULTS
- Projects scanned: 1,000+
- Total vulns flagged: 23,019
- Estimated high/critical: 6,202
- Triaged so far: 1,752
- True positive rate: 90.6%
- Confirmed high/critical: 62.4%
- High/crit disclosed: 530
- Patched: 75
- Public advisories: 65
Notable: wolfSSL certificate forgery exploit (CVE-2026-5194), now patched. It would have let attackers host convincing fake bank/email sites.
Maintainers are asking Anthropic to slow disclosures. Capacity is the binding constraint.
WHAT'S PUBLIC VS. HELD BACK
Mythos-class models are NOT being released. Anthropic says safeguards aren't strong enough.
Available now:
- Claude Security (public beta, Enterprise) - 2,100 vulns patched in 3 weeks using Opus 4.7
- Cyber Verification Program for legit security pros
- Tooling release on request: scanning harness, threat model builder, shared skills
- Cisco open-sourced its Foundry Security Spec
IMPLICATION FOR DEFENDERS
The find-vs-fix gap is the new attack surface. Mythos-class capability will proliferate to other labs soon. Anthropic's advice:
- Software developers: shorten patch cycles, push updates aggressively
- Network defenders: shorten patch testing and deployment timelines
- Lean on NIST/NCSC critical controls (MFA, hardened defaults, comprehensive logging) so security doesn't depend on any single patch landing in time
WHAT'S NEXT
- Expanding Glasswing to additional partners including US and allied governments
- General release of Mythos-class models conditional on stronger safeguards