Anthropic's Mythos finds 10,000+ vulnerabilities, flags security bottleneck

Anthropic’s AI-driven cybersecurity system, Claude Mythos Preview, has identified more than 10,000 high- and critical-severity vulnerabilities across widely used software systems within weeks. The findings, shared under the Project Glasswing initiative, reveal that the current bottleneck in cybersecurity is not vulnerability discovery but the slower process of verification, disclosure, and patching. Mythos, an unreleased frontier AI model, analyzes software behavior and autonomously discovers vulnerabilities, including exploit paths in complex systems. Anthropic restricts access to its capabilities, currently offering limited testing through Project Glasswing to around 50 partner organizations, including critical infrastructure providers. Partners reported a 10x increase in bug discovery rates, with Cloudflare alone identifying 2,000 bugs, including 400 classified as high or critical severity. The system also scanned over 1,000 open-source projects, uncovering 23,000 vulnerabilities, of which 6,202 were high or critical severity. One notable flaw involved a widely used cryptography library, where Mythos detected a vulnerability allowing attackers to forge digital certificates and impersonate trusted websites. Despite rapid detection, remediation remains slow. Anthropic’s data shows that of the 23,000 vulnerabilities identified, only a fraction were formally reported, acknowledged, or patched upstream, with just 97 fixes applied. High-severity bugs typically take two weeks to patch, creating a structural imbalance between AI-driven discovery and human-led remediation. The findings underscore a widening risk as vulnerabilities are found in minutes or hours, but fixes still require multi-day or multi-week timelines. Anthropic’s Project Glasswing aims to address this gap by accelerating vulnerability disclosure and patching through controlled collaboration with industry partners.