In a striking demonstration of AI’s growing cybersecurity prowess, Anthropic’s unreleased model ‘Claude Mythos’ has uncovered more than 10,000 high- or critical-severity software vulnerabilities in just 30 days. The revelation underscores a fast-emerging reality: artificial intelligence is now spotting security holes far quicker than developers can plug them, putting immense strain on an already overstretched global security ecosystem.
The update comes a month after the frontier AI lab announced Project Glasswing, a sweeping initiative to harden the world’s most critical software against attacks from increasingly capable AI systems. While the model itself isn’t publicly available yet, early results shared by Anthropic’s partners paint a picture of both extraordinary defensive potential and a daunting triage bottleneck.

A Tenfold Leap in Bug Discovery
Anthropic says that organizations building and maintaining software for core internet infrastructure and other essential services have seen their bug-finding rates multiply by more than a factor of ten when using Claude Mythos.
- Cloudflare detected 2,000 bugs in its critical path systems, 400 of which were high or critical severity. The security team reported a false-positive rate that was actually better than what human testers typically achieve.
- Mozilla managed to find and patch 271 vulnerabilities in Firefox 150 while testing a preview version of Mythos. To put that in perspective, that’s over ten times the number of bugs they discovered in Firefox 148 using the previous top-tier model, Claude Opus 4.6.
- The UK AI Security Institute noted that Mythos was the first model to successfully run through their full cyber attack simulations from start to finish. In a real-world application with a partner bank, the system intercepted and prevented a fraudulent $1.5 million wire transfer in real time.

Open-Source Ecosystems Under the Microscope
Beyond enterprise partners, Anthropic turned Mythos loose on the open-source world, scanning over 1,000 projects that underpin large swaths of the internet. The sweep uncovered 6,202 high- or critical-severity vulnerabilities. From that pool, a careful assessment of 1,752 bugs by six independent security research firms validated that 90.6% were true positives, and 62.4% were confirmed as genuinely high or critical severity.
The numbers are staggering, but they only tell half the story. The real challenge lies in what happens after the AI flags a flaw.

The Great Triage Bottleneck
Identifying a vulnerability is just the beginning. Anthropic describes a meticulous, multi-step triage process: first, either the lab’s own experts or external cybersecurity firms confirm that the reported issue is real and gauge its severity. Next, they check if a fix already exists, then carefully draft a detailed report for the maintainers responsible for the code.
This is where the system starts to creak. Many open-source maintainers are already drowning in low-quality, AI-generated bug reports. Some have explicitly asked Anthropic to slow down the flood of disclosures so they have enough time to write and test patches. On average, a serious vulnerability found by Mythos takes around two weeks to fix.
Anthropic estimates it has so far responsibly disclosed 530 serious vulnerabilities, with another 827 in the queue waiting to be reported. Of those disclosed, 75 have been fixed and 65 have received public security advisories — a small dent in an enormous pile.

A Double-Edged Sword
The speed of AI-driven discovery is a dream for defenders, but it also reshapes the threat landscape. Security teams now face a scenario where machines can pinpoint thousands of hidden weaknesses in the time it takes a human to organize a single patch. The gap between “finding” and “fixing” isn’t just a logistical headache — it’s a growing security risk that aggressive actors could exploit if the same technology falls into the wrong hands.
Anthropic’s Project Glasswing is, at its core, an attempt to bridge this chasm by working hand-in-hand with the developer community. The early numbers prove that the technology works astonishingly well. Whether the human side of the equation can keep up, however, remains an open question — one that the entire cybersecurity world will be watching closely.




