
Anthropic's Vulnerability Tool Yields Mixed Results

In April, Anthropic initiated Project Glasswing.

What Project Glasswing said it would do

Anthropic launched Project Glasswing as a program to let companies use its new model, Mythos, to "find and fix vulnerabilities in their own software." The rollout framed the technology as a tool for vulnerability discovery and remediation, a use case that can be helpful in principle and that Anthropic featured prominently in its communications about the model.

Claims versus coverage: a public relations success

The initiative has functioned, by the account in the update, as "a fantastic PR move." Many press outlets, the update notes, picked up Anthropic’s messaging and have "uncritically parroted" assertions that Mythos outperforms other models at finding software vulnerabilities. The status report explicitly contests that impression: the claim that "Mythos is better at finding software vulnerabilities than other models" is, the update says, "just not true."

Findings: lots of vulnerabilities, almost no patches

Anthropic’s Project Glasswing status report documents that the program is finding "a lot of vulnerabilities in software," and that "some of them are even dangerous." Yet a striking and concrete detail in the report is the follow-through—or lack of it: almost none of the discovered vulnerabilities has been patched. The report flags this gap between discovery and remediation as a conspicuous outcome of the effort.

Transparency problems: withheld data and the "trust us" posture

The update raises a straightforward governance and evidence question: Anthropic, the report says, refuses to release the underlying details about what was found, instead adopting a posture the post summarizes as "just says 'trust us'." The author of the status update describes the published data as "fishy" and says they "don't understand" aspects of the dataset and its presentation. That combination (large counts of findings, minimal patching, and a refusal to share supporting detail) is presented in the report as a serious problem.

What this means for security teams, companies using Mythos, and press outlets

  • Security teams and technologists: They will see a report that documents many detections but very low remediation and a lack of underlying evidence; the status update implies these teams need more concrete data before relying on Mythos’s comparative claims.
  • Companies using Mythos for vulnerability scanning: Organizations that let the model analyze their code face a disconnect between results and fixes—the report notes many vulnerabilities were found but "almost none" patched—raising questions about whether the program produces actionable, remediable findings.
  • Press outlets and readers: The update criticizes media coverage that "uncritically parroted" the claim that Mythos is superior; the report recommends skepticism and better scrutiny of vendor claims when details are withheld.

The record in the status report is plain: Project Glasswing can surface a substantial number of software flaws, including dangerous ones. But the program’s value is put into question by two linked facts reported by the update—almost none of those flaws have been patched, and Anthropic has not released the underlying detail that would allow independent verification. The status report frames that combination as both puzzling and problematic, and it rejects the simple narrative that Mythos is categorically better than competing models.

For now, then, the concrete takeaway from the published update is narrow and specific: Project Glasswing found many issues; few were fixed; the data underpinning those findings has not been released; and the report’s author flags the situation as "fishy" and not well explained. Readers and prospective users of Mythos are left with the precise, testable question the report emphasizes—where are the data and the patches?
