Anthropic's Project Glasswing has identified 23,019 software vulnerabilities across more than 1,000 open-source projects using Claude Mythos Preview, the company's autonomous vulnerability discovery model introduced in April 2026. Of these findings, 6,202 are classified as high or critical severity, representing a significant contribution to securing critical software infrastructure.
Mythos Preview Demonstrates Advanced Exploit Chain Capabilities
Claude Mythos Preview extends beyond basic vulnerability scanning, demonstrating sophisticated exploit development capabilities. In one notable case, the model combined four independent bugs into an exploit chain that successfully bypassed both browser renderer and operating system sandboxing. The model also created a remote code execution exploit targeting FreeBSD's NFS server using a complex 20-gadget ROP (Return-Oriented Programming) chain, showcasing capabilities that rival expert security researchers.
Project Glasswing Secures Critical Software Systems
Project Glasswing is Anthropic's initiative to use AI to help secure critical software and to prepare the cybersecurity industry for the practices needed to stay ahead of attackers:
- 10,000+ critical vulnerabilities: More than 10,000 high- or critical-severity issues identified in critical software systems
- 1,000+ projects scanned: Comprehensive analysis across major open-source projects
- Enterprise partnerships: Current access granted to AWS, Apple, Cisco, Google, JPMorgan Chase, and Microsoft
- Government collaboration: Partnership with US and allied governments to expand the initiative
General-Purpose Model Strength Drives Security Capabilities
According to Anthropic, Claude Mythos Preview's cybersecurity prowess stems from its broader capabilities as a general-purpose frontier model. The company states that "a model that can deeply understand and modify complex software is also one that can find and fix its vulnerabilities," emphasizing that security strength emerges from comprehensive software understanding rather than specialized training.
Controlled Rollout Addresses Dual-Use Concerns
Anthropic intends to make Mythos-class models generally available only after developing stronger safeguards. This controlled rollout reflects the company's awareness of dual-use risks, as vulnerability discovery capabilities could potentially be misused by malicious actors. Current access remains limited to vetted enterprise and government partners.
Key Takeaways
- Claude Mythos Preview identified 23,019 total vulnerabilities, including 6,202 high- or critical-severity issues
- The model demonstrated advanced capabilities by creating a 20-gadget ROP chain exploit for FreeBSD's NFS server
- Project Glasswing has scanned over 1,000 open-source projects as of May 2026
- Current partners include AWS, Apple, Cisco, Google, JPMorgan Chase, Microsoft, and US/allied governments
- Anthropic plans to expand access only after developing stronger safeguards to address dual-use risks