Anthropic published its first progress update on Project Glasswing on May 22, 2026, reporting that its Claude Mythos Preview model and roughly 50 partner organizations identified more than 10,000 high- or critical-severity vulnerabilities in systemically important software during the program's first month.
Of the initial flagged issues, 6,202 were classified as high or critical across more than 1,000 open-source projects. Subsequent expert review confirmed 1,726 as valid true positives, of which 1,094 were rated high or critical. Notable findings included a 27-year-old remote crash flaw in OpenBSD, a 16-year-old flaw in FFmpeg, and CVE-2026-5194, a WolfSSL vulnerability scored CVSS 9.1.
Partner outcomes were significant. Cloudflare found 2,000 bugs in its own systems, 400 of them high or critical, while Mozilla fixed 271 Firefox vulnerabilities, a roughly tenfold increase over its experience with an earlier Claude model.
Anthropic is maintaining a 90-day coordinated disclosure policy, so specific details stay private during remediation. Analysts noted the update's central implication: the bottleneck in AI-assisted security has shifted from finding vulnerabilities to fixing them.