Key Takeaways
- Claude Mythos Preview identified 271 vulnerabilities in Firefox compared to just 22 found by its predecessor, all patched in Firefox 150's release.
- Anthropic launched Project Glasswing, committing $100 million in usage credits to give major technology organizations access to Mythos Preview before public release, specifically to harden critical software before equivalent capabilities reach adversarial actors.
- One coalition partner reported that Mythos accomplished the equivalent of a full year of penetration testing in under three weeks.
- At the time of the April 2026 announcement, fewer than 1% of all vulnerabilities Mythos had found across critical infrastructure had been patched. AI has outpaced the industry's ability to absorb the results.
- The window between vulnerability discovery and exploitation has collapsed from months to minutes. The cybersecurity arms race is no longer between humans; it is between AI-augmented attackers and AI-augmented defenders.
When Mozilla handed Anthropic's newest AI model access to Firefox's codebase, the security team expected it to find issues.
They just didn’t expect the dizzying number of issues it found.
An early version of Anthropic’s Claude Mythos Preview found 271 vulnerabilities, more than twelve times what an earlier model had found in a previous evaluation.
“For a hardened target, just one such bug would have been red alert in 2025,” wrote Bobby Holley, Firefox’s CTO, “So many at once makes you stop to wonder whether it’s even possible to keep up.”
All of the vulnerabilities Mythos found were ones an elite human researcher also could have found, given enough time, resources, and patience.
Mythos didn’t invent a new class of attack. It did what the best security researchers do: read code, reason through it, and find where the implementation diverges from the intent.
It just did it faster, at a scale, and across a surface area that would have taken a human team months to cover.
Why Is AI Vulnerability Discovery a Fundamentally Different Threat?
Traditional security testing has two primary tools. Fuzzing bombards software with random inputs to find crashes. It is scalable and efficient, but it is blind to vulnerabilities that require logical reasoning to find, such as bugs where the code does not crash but behaves incorrectly under a specific sequence of conditions that no random input would naturally produce.
Elite human researchers find those bugs by reasoning through the source code. They understand the system's intended behavior, recognize where the implementation diverges from that intent, and follow the logical chain of what an attacker could do with that divergence. This approach is highly effective but slow, expensive, and bottlenecked by the scarcity of people with the skills to do it at the required level.
Frontier AI models now do what elite researchers do: reason through the source code to identify vulnerabilities, but at a speed and scale no human team can match. The security implication is direct: a gap between machine-discoverable and human-discoverable bugs favors the attacker, who can devote months of costly human effort to finding a single exploitable vulnerability.
In a nutshell, AI tools make it fast and cheap to discover exploitable weaknesses for defenders and attackers alike. It all comes down to who gets there first.
What Is Project Glasswing and Why Was the Model Restricted?
Anthropic did not release Claude Mythos Preview publicly, specifically because of the model's offensive capabilities. Mythos Preview can chain together multiple vulnerabilities, finding two or three bugs that individually produce limited impact and combining them into a sophisticated exploit.
It autonomously constructed browser exploits that escaped both the renderer and operating system sandboxes. It independently identified, then chained together, a set of vulnerabilities that ultimately achieved complete root access on Linux systems. It autonomously identified a 16-year-old vulnerability in a popular codec.
Anthropic has been explicit: these same capabilities make the model dangerous in the hands of adversaries. Rather than release it publicly, the company launched Project Glasswing, giving structured, monitored access to major technology organizations and critical infrastructure providers before the model becomes broadly available. The initiative is backed by $100 million in usage credits and $4 million in direct donations to open-source security foundations. One participating organization reported that the model accomplished the equivalent of a full year of penetration testing in under three weeks.
The logic behind the initiative is a race against time. AI capabilities of this kind will not remain exclusive to responsible actors indefinitely. The question is whether the world's most critical software gets hardened before equivalent capabilities reach actors who will not use them responsibly. Project Glasswing is the attempt to win that race.
Is Project Glasswing Solving the Problem or Just Describing It?
At the time of the April 2026 announcement, fewer than 1% of all vulnerabilities Mythos had found across critical infrastructure had been patched. The model generated findings faster than the ecosystem could act on them. AI has advanced the discovery side of the equation dramatically. It has not yet moved the remediation side at all, and patching still operates on human timelines while discovery now operates at machine speed.
This tension is not a reason to slow AI-driven security analysis. Unpatched known vulnerabilities are still substantially safer than undiscovered ones, because security teams can monitor for exploitation and respond. But it defines the next unsolved problem with precision.
The organizations that will come out ahead are not just those that can find vulnerabilities at AI speed. They are the ones that can triage, validate, and deploy patches at a pace their engineering organizations can actually sustain.
Some security analysts have also noted that finding a vulnerability and operationalizing it as a working exploit remain meaningfully different challenges, and that this distinction currently provides defenders a window of advantage. But that window is narrowing as model capabilities advance. The operational discipline to act on findings at pace is being built now by organizations that take this seriously. Those who wait will build it under pressure.
Establishing the systems and processes that allow AI-generated security outputs to be absorbed and acted upon at scale is a critical operational hurdle. Success depends on building a robust governance framework that ensures autonomous security insights are translated into immediate, reliable action across the enterprise.
What Does This Mean for Enterprise Security Programs?
For most enterprise security teams, direct access to Mythos Preview is not available. But the shift it represents is relevant to every organization running software that people depend on.
The bar for adequate security testing has moved. If this model found 271 vulnerabilities in one of the most scrutinized and carefully maintained codebases in the world, then the security assumptions underlying most enterprise software estates need an honest reassessment. Legacy codebases that have not received aggressive scrutiny in years almost certainly carry vulnerabilities that traditional tools would never surface.
Open-source dependencies carry elevated risk.
The initiative's work has focused heavily on open-source infrastructure precisely because it underlies most modern systems, and its maintainers have historically lacked access to sophisticated security resources. Vulnerabilities found across operating systems and browsers will flow downstream into enterprise applications through shared dependencies before they are patched.
AI-generated code requires equivalent scrutiny.
As AI-assisted development becomes standard practice, code complexity that exceeds human comprehension increases an attacker’s advantage. Human-comprehensibility is not a coding preference; it is a security property. Organizations allowing AI-generated code into production without additional scrutiny are making an implicit risk trade-off that most have not explicitly evaluated.
Governance needs a higher priority.
Governance and auditability must be integrated from the start to ensure long-term compliance. Success depends on selecting architectural patterns that maintain clear traceability and defensibility, ensuring that systems remain comprehensible even as their operational complexity grows.
Learn More: The AI Architecture Spectrum
The Race Has Already Started
The optimistic reading of what Project Glasswing revealed is that defenders finally have access to a tool capable of finding hidden vulnerabilities before bad actors can exploit them.
The realistic reading is that the initiative has surfaced thousands of vulnerabilities across critical infrastructure, in an environment where they can be exploited faster than ever.
Both readings are true simultaneously, and the response to both is the same: move with urgency, build the operational discipline to find and fix bugs quickly, and treat the current window as the advantage it is.
The capabilities Mythos Preview embodies will proliferate. Organizations must use the available time to harden their systems, build defensible architectures, and make AI-driven security analysis actionable.
Frequently Asked Questions
Q: What is Project Glasswing?
Project Glasswing is an Anthropic initiative that provides structured, monitored access to Claude Mythos Preview to major technology organizations and critical infrastructure providers before the model becomes publicly available. The goal is to harden the world's most critical software against vulnerabilities before equivalent AI capabilities reach adversarial actors. Anthropic has committed $100 million in usage credits and $4 million in direct donations to open-source security foundations as part of the effort.
Q: What makes AI-driven vulnerability discovery different from traditional security testing?
Traditional tools like fuzzing probe code with random inputs and find crashes, but they miss vulnerabilities that require logical reasoning to reach. Elite human researchers find those bugs by reasoning through the source code, but the process is slow and the talent is scarce. Frontier AI models now do the same reasoning at machine speed and scale, finding entire categories of vulnerabilities that automated tools consistently miss and that human review would take months to surface.
Q: Why did Anthropic restrict access to Mythos Preview rather than releasing it publicly?
Mythos Preview can autonomously construct sophisticated exploits by chaining multiple vulnerabilities together without human guidance at any step. Anthropic has acknowledged that these capabilities could enable large-scale cyberattacks in the hands of adversaries. Project Glasswing is an attempt to ensure defenders benefit from these capabilities before equivalent tools reach actors who would use them offensively.
Q: What should enterprise security teams do right now in response to this shift?
Three priorities stand out. First, reassess security assumptions for legacy codebases; the discovery bar has moved, and traditional tools will not surface what AI now finds. Second, treat human-comprehensibility as a structural security requirement, not a style preference, especially in codebases with growing proportions of AI-generated code. Third, invest in the triage and remediation infrastructure that allows security findings to be absorbed and acted upon at pace, because the volume of AI-generated findings will only increase.
.webp)
.webp)
.png)
