Artificial intelligence (AI) corporations Anthropic used the AI model "Claude Mythos Preview" to find more than 10,000 high-risk, critical security vulnerabilities in major software worldwide in just a month.
According to the industry on the 25th, Anthropic on the 22nd disclosed early results of "Project Glasswing" on its research blog.
Project Glasswing is a collaborative effort to strengthen the security of major software before high-performance AI models like Mythos Preview are misused for cyberattacks. A vulnerability refers to a weakness in software that hackers can exploit to break into systems or exfiltrate information.
Anthropic has been working with major corporations and institutions, including Microsoft (MS) and Apple, to examine major software using Mythos Preview. In the process, more than 10,000 high-risk, critical vulnerabilities have been found so far.
Cloudflare found 2,000 bugs in its core systems, 400 of which were high-risk or critical. The web browser operator Mozilla also used Mythos Preview to find and fix 271 vulnerabilities in Firefox 150. That is more than 10 times larger than when Firefox 148 was examined with the prior model "Claude Opus 4.6." Some partners said their bug discovery speed has increased more than tenfold since adopting Mythos Preview.
A large number of vulnerabilities were also found while reviewing open-source projects. Anthropic said it analyzed more than 1,000 open-source projects and found 23,019 vulnerabilities, of which it estimated 6,202 to be high-risk or critical.
Of these, 1,752 classified as high-risk or critical were re-verified by external security firms and others, and 1,587 were confirmed as actual vulnerabilities. In other words, 90.6% of the sample was real vulnerabilities.
External evaluations also emerged. The U.K. AI Safety Institute evaluated Mythos Preview as the first model to solve from start to finish two test environments that simulated multi-stage cyberattacks. Security platform XBOW also said Mythos Preview far outperformed prior models in web vulnerability attack performance evaluations.
Anthropic assessed that the speed of AI vulnerability detection is outpacing human verification and patching. The company said, "In the past, how quickly new vulnerabilities could be found determined progress in software security, but now the key is how quickly the large volume of vulnerabilities found by AI can be verified, disclosed, and patched."
However, Anthropic remains concerned that Mythos-class AI models could be misused by attackers and has not yet released them to the public. The company said it believes safety measures to prevent misuse are not yet sufficient and explained that it plans to expand participation in Project Glasswing in cooperation with key partners.