On 22 May 2026, Anthropic published an initial update on Project Glasswing, an effort to use frontier AI to find and fix vulnerabilities in critical software. The company reported that in roughly one month, an unreleased model called Claude Mythos Preview, working with about 50 partners, helped find “more than ten thousand high- or critical-severity vulnerabilities” across systemically important software.
Anthropic backed the headline number with a more carefully scoped open-source figure. Scanning more than 1,000 open-source projects, Mythos Preview flagged an estimated 6,202 high- or critical-severity issues, of which 1,587 were confirmed as valid true positives after independent assessment. The framing is significant: Anthropic argues that AI coding models have reached a point where they can match or exceed all but the most skilled human researchers at discovering exploitable flaws, a capability that cuts both ways for attackers and defenders.
This entry is tagged as an anecdote because the striking numbers come from the vendor’s own self-report rather than independent audit, and “vulnerabilities found” is a metric that rewards volume. Still, the direction is the point. If a single model can surface thousands of real, severe flaws in a month, organizations face both a powerful new defensive tool and the prospect that adversaries will run the same playbook. The practical takeaway is to treat AI-driven vulnerability discovery as a near-term reality in security planning, not a future hypothetical.