Skip to main content
CybersecurityVulnerability Management

Anthropic's AI Model Uncovers 10,000 Software Vulnerabilities

Researcher in a lab setting working on a computer displaying lines of code.

“The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them,” Anthropic wrote — after a month of testing in which its Mythos models and Project Glasswing effort flagged more than 10,000 high- or critical-severity software vulnerabilities across systemically important code.

Project Glasswing and Mythos: a large-scale probe of critical code

Anthropic said Project Glasswing, launched roughly a month before this update, paired a frontier model family called Mythos with external partners and independent evaluations to scan widely used software. The company reported that partner submissions and independent checks showed the model could find many more issues than prior methods — shifting the central problem, Anthropic said, from discovery to verification and remediation.

Partner results: Cloudflare, an unnamed bank, Mozilla, and third-party platforms

Several partners reported dramatic jumps in discovery rates. Cloudflare identified 2,000 bugs across its critical-path systems, including 400 rated high or critical, and said Mythos’ false-positive rate compared favorably to human testers. An unnamed partner bank credited the model with helping detect and prevent a $1.5 million fraudulent wire transfer that followed a customer email compromise and spoofed phone calls.

Mozilla reported using the model to find and fix 271 vulnerabilities in Firefox 150 while testing Mythos — more than ten times the number found in Firefox 148 when an earlier Anthropic model was used. AI-powered security vendor XBOW called Mythos “a significant step up” on its web exploit benchmark.

Open-source scan: scale and confirmation rates

Anthropic said it had run Mythos over more than 1,000 open-source projects, flagging 23,019 potential vulnerabilities, of which 6,202 were estimated as high or critical. Of 1,752 high- or critical-rated findings that were reviewed either by six independent security research firms or by Anthropic itself, over 90% were confirmed as valid and over 62% were confirmed to be high or critical.

The company noted maintainers are already wrestling with low-quality, AI-generated bug reports. Anthropic said it tries to reproduce and assess each issue before reporting it, but at maintainers’ request it disclosed without further vetting in 1,129 cases; the model estimated 175 of those to be high or critical.

Verification, patching, and interim products: Claude Security and the Cyber Verification Program

Anthropic emphasized that discovery is only the first step. The company highlighted work to move findings toward remediation: it released Claude Security in public beta for enterprise customers and said Claude Opus 4.7 has been used to patch more than 2,100 vulnerabilities in three weeks. Anthropic also said it has launched a Cyber Verification Program for security professionals to help validate and triage findings.

Concurrently, Anthropic said it has not made Mythos-class models publicly available because “no company, including itself, has developed safeguards to prevent serious misuse.” The company said it plans to expand Project Glasswing with additional partners, including U.S. and allied governments, before any broader release of the underlying model.

What this means for cloud providers, open-source maintainers, and security teams

  • Cloud providers and large enterprises: rapid discovery is possible — Cloudflare found 2,000 bugs with 400 high/critical — but organizations will face a surge in triage and patching workload even if false positives remain relatively low.
  • Open-source maintainers: many projects received more reports; Anthropic disclosed 1,129 issues at maintainers’ request and noted an influx of low-quality, AI-generated bug reports that maintainers must filter or ask third parties to vet.
  • Security teams and vendors: verification capacity matters. Anthropic’s figures — over 90% validity among reviewed high/critical flags and more than 2,100 vulnerabilities patched with Claude Opus 4.7 in three weeks — suggest tooling plus verification programs may speed remediation, but the company itself framed human triage and patch deployment as the prevailing bottleneck.

Anthropic’s month-one accounting paints a crisp — and uncomfortable — picture: current AI can surface large volumes of real, high-severity flaws across internet-facing and open-source code, but the limiting factor is not what the model can find. It is what human teams can verify and fix. Anthropic’s stated next steps — expanding Glasswing with government and allied partners, running a Cyber Verification Program, and offering Claude Security for enterprises — aim to close that gap, while the company holds Mythos-class models back pending better safeguards.

Source: https://cyberscoop.com/anthropic-mythos-software-flaws-glasswing/