
Anthropic's Claude Mythos Finds 10,000+ Zero-Days in One Month: Project Glasswing Changes Security Forever

Published on May 28, 2026 | 6 min read
AI Agents, Developer Tools, GenAI

Security researchers spend careers chasing individual vulnerabilities. Bug bounty hunters celebrate finding dozens in a year. A talented red team might uncover a hundred critical flaws in a focused engagement. In May 2026, Anthropic's Claude Mythos Preview did something that no human team has ever done: it autonomously discovered more than 10,000 high- or critical-severity zero-day vulnerabilities across major operating systems, browsers, and critical open-source software — in a single month. The findings, published as part of Anthropic's Project Glasswing initial update, mark the clearest demonstration to date that AI has crossed the threshold from security tool to security force multiplier. The implications are not abstract. They are landing in production codebases right now.

What Project Glasswing Is — And Why It's Different

Project Glasswing is Anthropic's structured program to use AI models for large-scale security vulnerability discovery. Unlike ad-hoc AI security tooling — models used as smart grep tools to flag suspicious patterns in code — Glasswing deploys Claude Mythos Preview as an autonomous researcher: it reads code, reasons about attack surfaces, generates hypotheses about exploitability, writes proof-of-concept code, validates findings, and produces structured vulnerability reports with CVSS severity assessments. The program operates in close partnership with software maintainers. More than 50 organizations participated in the first phase, including Microsoft, Apple, Google, Cloudflare, NVIDIA, Cisco, and the Linux Foundation. This is not a red team exercise or a limited beta. It is a systematic, production-scale program targeting the most widely deployed software in the world.

10,000 Vulnerabilities in 30 Days: The Scale That Changes Everything

The headline number — 10,000 high- or critical-severity zero-days in one month — requires calibration to understand fully. These are not fuzzing artifacts, static analysis warnings, or theoretical code smell detections. Anthropic's methodology required Mythos to produce structured reports with sufficient detail for human reviewers to triage independently. False-positive rates in the disclosed results were reported to be lower than those of human security testers in comparable engagements. Cloudflare alone reported 2,000 findings in its codebase, with 400 rated high or critical severity. That is a single partner's contribution to one month of scanning. For comparison, the total number of CVEs assigned industry-wide in most recent full years has ranged between 25,000 and 30,000. Claude Mythos, operating autonomously against targeted codebases, produced the equivalent of roughly 40 percent of a full year's global CVE output in 30 days. That is not an incremental improvement over existing tooling. It is a category change.

Claude Mythos Doesn't Just Find Bugs — It Builds Working Exploits

The distinction between finding a vulnerability and proving it exploitable is not academic. Security triage depends on it. A crash due to a null pointer dereference in an obscure code path carries very different urgency than a remotely triggerable memory corruption flaw with a working exploit chain. Claude Mythos operates at the exploitability layer. CVE-2026-5194, a critical vulnerability in the wolfSSL cryptography library, illustrates this precisely. wolfSSL is embedded in tens of thousands of products, including IoT devices, automotive systems, industrial controllers, and enterprise networking hardware. Mythos did not simply flag the flaw. It engineered a working certificate-forgery exploit — demonstrating that an attacker could impersonate any TLS-authenticated service, bypass mutual authentication, and execute man-in-the-middle attacks against systems trusting wolfSSL's certificate validation. That is the difference between a bug report and a weaponized proof of concept. Mythos produced the latter, at scale, across categories of software that underpin critical infrastructure.

Mozilla and Cloudflare: What Real-World Results Look Like

Mozilla's participation in Project Glasswing produced the most comparable before-and-after data available. Firefox 150 was analyzed by Claude Mythos Preview. The finding count — 271 validated vulnerabilities — was approximately ten times higher than previous AI-assisted testing rounds using Claude Opus 4.6. Mozilla security engineers reported that the quality of Mythos findings was high enough to proceed directly from AI-generated reports to patch development in most cases, without a second human triage pass. Cloudflare's experience provided a different dimension of insight: the 400 high/critical findings in their codebase were accompanied by exploitability assessments and suggested remediation paths, not just bug descriptions. Mythos did not hand engineers a pile of crashes to sort through. It handed them a prioritized, actionable security backlog — the equivalent of a senior security engineer's analysis output, automated and operating continuously. The practical effect is that organizations running Mythos against their codebases are not just finding more bugs. They are getting bugs they can act on immediately.

The Patching Bottleneck: The New Crisis Nobody Planned For

The most consequential finding from Project Glasswing is not the discovery rate. It is the response rate. Of 1,596 vetted, high-confidence findings reported to open-source maintainers, only 97 had been patched upstream at the time of Anthropic's initial update. That is a 6 percent patch rate against vulnerabilities that Anthropic considers high or critical severity, already triaged, already validated, already accompanied by remediation guidance. The implication is uncomfortable but unavoidable: the open-source security ecosystem is structurally incapable of absorbing vulnerability discovery at AI scale. Maintainers are typically unpaid, part-time volunteers managing projects used by millions. Their capacity to review, test, and patch security reports is fixed and finite. AI-accelerated discovery has made that capacity mismatch visible at a scale that can no longer be papered over by community goodwill. The bottleneck is not finding bugs. It is having enough funded, skilled engineers to patch them faster than the attack surface expands. Until that changes, Glasswing-class programs create a troubling asymmetry: defenders know about the vulnerabilities, but attackers who independently discover them move faster than maintainers can respond.

The Dual-Use Dilemma: Why Mythos Won't Be Publicly Released

Anthropic was explicit in its Glasswing update: Claude Mythos Preview will not be made generally available. The reasoning is straightforward and the decision is defensible. A model capable of producing 10,000 validated zero-days per month, complete with working exploits, represents a capability that could fundamentally alter the threat landscape if deployed without adequate safeguards. The same autonomous research loop that benefits Mozilla and Cloudflare could, in the hands of a financially motivated threat actor or nation-state operator, produce an industrialized exploit pipeline at a cost and scale that would overwhelm any defensive posture. Anthropic's decision to gate Mythos behind structured partnerships — where targets are disclosed, findings are coordinated, and disclosure timelines are agreed — is the responsible deployment model given where the capability sits on the offense-defense balance. Other foundation model developers who have built similar capabilities face the same choice. How industry norms around responsible disclosure of AI security capabilities evolve over the next 12 months will have lasting consequences for the structure of the software security ecosystem.

What Security Engineers and Developers Should Do Right Now

For most development teams, the immediate practical response is not to wait for Mythos-class tooling to become available. It is to treat the Glasswing findings as a forcing function for security posture improvements that can be implemented now. First, teams should audit their dependencies for wolfSSL, any software in the Project Glasswing partner list, and any recently patched Firefox or Cloudflare components — the specific CVEs from Glasswing's first phase will begin appearing in public CVE databases as coordinated disclosure timelines expire. Second, teams responsible for open-source projects should evaluate whether current security review capacity is adequate given the coming increase in AI-generated vulnerability reports; bug bounty programs not resourced to handle significantly higher submission volumes will become bottlenecks. Third, organizations with meaningful threat models should take seriously the signal that AI-assisted exploit development is no longer a theoretical future risk. Nation-state adversaries and well-funded criminal organizations are not waiting for Anthropic to publish Mythos. The capability exists. Security investments that assume a pre-AI threat environment are now structurally underestimating the offense.
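As an added example (not part of the original post, and not Anthropic's or any Glasswing partner's tooling), here is a small dependency-audit script for the first step above: it scans a CycloneDX SBOM for watch-listed libraries such as wolfSSL and reports the dependency path that pulls each one in, so transitive embeddings surface as well as direct ones. The SBOM, component names and versions are constructed for illustration; the advisory note references only the CVE identifier named in this post.

```python
"""Flag watch-listed libraries (e.g. wolfSSL) in a CycloneDX SBOM, including the
transitive paths that pull them in. Added example; the SBOM below is constructed."""
import json

# Constructed CycloneDX 1.5-style SBOM for an imaginary firmware image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:generic/firmware-app@3.1.0", "name": "firmware-app", "version": "3.1.0"},
        {"bom-ref": "pkg:generic/mqtt-client@1.4.2", "name": "mqtt-client", "version": "1.4.2"},
        {"bom-ref": "pkg:generic/wolfssl@5.6.4", "name": "wolfssl", "version": "5.6.4"},
        {"bom-ref": "pkg:generic/zlib@1.3.1", "name": "zlib", "version": "1.3.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/firmware-app@3.1.0",
         "dependsOn": ["pkg:generic/mqtt-client@1.4.2", "pkg:generic/zlib@1.3.1"]},
        {"ref": "pkg:generic/mqtt-client@1.4.2", "dependsOn": ["pkg:generic/wolfssl@5.6.4"]},
    ],
})

# Libraries to watch; extend this as Glasswing CVEs reach the public databases.
WATCHLIST = {"wolfssl": "CVE-2026-5194 (compare against the vendor advisory's fixed version)"}

def find_watchlisted(sbom_json, watchlist=WATCHLIST):
    """Return {bom-ref: (advisory note, [dependency paths])} for every watch-listed
    component; each path lists bom-refs from a root component down to the hit."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depended_on = {child for kids in edges.values() for child in kids}
    roots = [ref for ref in comps if ref not in depended_on]
    hits = {ref: [] for ref, c in comps.items() if c["name"].lower() in watchlist}

    def walk(ref, path):
        path = path + [ref]
        if ref in hits:
            hits[ref].append(path)
        for child in edges.get(ref, []):
            if child not in path:  # guard against cycles in a malformed SBOM
                walk(child, path)

    for root in roots:
        walk(root, [])
    return {ref: (watchlist[comps[ref]["name"].lower()], paths) for ref, paths in hits.items()}

if __name__ == "__main__":
    for ref, (note, paths) in find_watchlisted(SAMPLE_SBOM).items():
        print(f"{ref}: {note}")
        for p in paths:
            print("  via " + " -> ".join(p))
```

Point the script at an SBOM exported from your build (many package managers and container scanners emit CycloneDX JSON) and grow `WATCHLIST` as the coordinated-disclosure CVEs appear.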