Anthropic published its first Project Glasswing update, detailing results from its unreleased Claude Mythos Preview model. In one month, roughly 50 partners found over 10,000 high- or critical-severity vulnerabilities in critical internet software.
Cloudflare found 2,000 bugs, 400 high- or critical, with a false positive rate it rates better than humans. Mozilla fixed 271 vulnerabilities in Firefox 150 — over ten times more than Firefox 148 with Claude Opus 4.6. The UK AI Security Institute reported Mythos Preview solved both its cyber ranges end to end. Anthropic also scanned 1,000+ open-source projects, finding 6,202 estimated high- or critical flaws among 23,019 total. One wolfSSL bug (CVE-2026-5194) let attackers forge certificates to spoof bank or email sites.
By the time of the first update, only 75 of the 530 high- and critical-severity vulnerabilities reported to maintainers had been patched, with the average fix taking about two weeks. Some open-source maintainers asked Anthropic to slow the pace of disclosures because they need more time to develop and deploy fixes. Anthropic is withholding Mythos-class models publicly, citing inadequate misuse safeguards.
Ten thousand critical vulnerabilities in one month. AI finds bugs faster than humans fix them. A company choosing not to release its best model tells you more about where AI capability stands than any benchmark ever could.