AI Finds 10,000 Critical Vulnerabilities in One Month: What Project Glasswing Means for Enterprise Security

Anthropic's Project Glasswing has used the unreleased Claude Mythos Preview to surface over 10,000 high-severity vulnerabilities in a single month. Here is what enterprise security teams need to understand about this shift.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region4 min read
Cybersecurity analysts monitoring vulnerability scan dashboards in a dimly lit operations centre, representing AI-driven threat detection under Project Glasswing

Cybersecurity analysts monitoring vulnerability scan dashboards in a dimly lit operations centre, representing AI-driven threat detection under Project Glasswing

In a single month, an unreleased AI model found more than 10,000 high- or critical-severity vulnerabilities across the world's most important software. That is the headline from Anthropic's first public update on Project Glasswing, published on 22 May 2026, and for enterprise security teams, it signals a fundamental shift in how vulnerability discovery works at scale.

Project Glasswing was launched in early April 2026, giving approximately 50 trusted partners controlled access to Claude Mythos Preview, Anthropic's most capable and as-yet unreleased frontier model. The full scope of the initiative is outlined on the Project Glasswing page. The coalition includes AWS, Apple, Cisco, CrowdStrike, Google, IBM, JPMorgan Chase, Microsoft, Nvidia, and Palo Alto Networks, alongside around 40 organisations responsible for maintaining critical open-source infrastructure.

The mandate was straightforward: use the model to scan systemically important codebases and fix what it finds before adversaries can weaponise similar capabilities.

The early results are substantial. Most partners have individually identified hundreds of critical or high-severity vulnerabilities in their own systems. Cloudflare reported finding 2,000 bugs across critical-path systems, 400 of which were rated high or critical severity, with a false positive rate that its own engineers considered better than human testers. Several partners noted that their bug-detection rate had improved by more than a factor of ten.

External evaluations independently support these claims. The UK's AI Security Institute confirmed that Mythos Preview is the first model to solve both of its cyber range simulations, which are multistep cyberattack environments, end to end. Mozilla used the model to uncover 271 vulnerabilities in Firefox 150, more than ten times the number found in the preceding version using Claude Opus 4.6. Security platform XBOW described the model's precision as "absolutely unprecedented on a token-for-token basis."

Beyond proprietary systems, Anthropic has used Mythos Preview to scan more than 1,000 widely deployed open-source projects. Of the vulnerabilities it flagged, 90.6% proved to be genuine true positives after independent review by six external security research firms. One notable example is a critical flaw discovered in wolfSSL, an open-source cryptography library used by billions of devices. The vulnerability would have allowed an attacker to forge certificates and operate convincing fake websites for banks or email providers. It has since been patched and assigned CVE-2026-5194.

What the findings also reveal is a structural problem with the current disclosure and patching pipeline. Finding vulnerabilities at this scale is now feasible. Fixing them is not keeping pace.

On average, patching a high- or critical-severity bug discovered by Mythos Preview takes two weeks. Some open-source maintainers, already stretched, have asked Anthropic to slow the rate of disclosures because they lack the capacity to process reports quickly enough. Of the 530 high- or critical-severity bugs disclosed to maintainers so far, only 75 have been patched at the time of writing. Less than 1% of Mythos Preview's total findings are currently resolved.

The bottleneck is human. Verification, coordinated disclosure, patch design, and deployment all require skilled engineers and time. Frontier AI has dramatically compressed the discovery phase without yet solving the remediation phase.

For enterprise security leaders, the practical implications are immediate. Anthropic has laid out the priorities clearly: developers should shorten patch cycles and make security fixes available faster. Network defenders should accelerate patch testing and deployment timelines, enforce multi-factor authentication, harden default network configurations, and maintain comprehensive logs for detection and response. These recommendations align with guidance from organisations including the National Institute of Standards and Technology and the UK's National Cyber Security Centre.

Anthropic has also launched Claude Security in public beta for Enterprise customers, a tool that scans codebases for vulnerabilities and proposes fixes. In its first three weeks, it was used to patch over 2,100 vulnerabilities in enterprise environments. Separately, a Cyber Verification Program now allows qualifying security professionals to use Anthropic's models for penetration testing and red-teaming without certain default safeguards.

The broader significance of Project Glasswing is not simply what it found. It is that models capable of comparable performance will soon be more widely available, whether through Anthropic or other AI developers operating in the space. The window in which defenders hold an asymmetric advantage over attackers using similar tools is not permanent.

Organisations operating in regulated sectors, including financial services and critical national infrastructure across the Gulf and the wider MENA region, would do well to treat this not as a distant technology story but as a prompt to review their own vulnerability management programmes, patch cycles, and detection capabilities now.

The question is no longer whether AI will change the economics of cybersecurity. It already has.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

AI in CybersecurityThreat IntelligenceEnterprise SecurityVulnerability ManagementGCC Cyber RiskOpen Source SecurityCritical Infrastructure ProtectionGulf Cyber Security NewsMENA Cyber NewsEmerging Security Technologies