The findings, disclosed after the initiative's first month of operation, mark a sharp escalation in AI-assisted vulnerability discovery across software used in operating systems, browsers, cloud platforms, open-source projects and financial infrastructure. Anthropic has restricted wider access to Mythos Preview while giving selected technology companies, banks and security teams controlled use of the model for defensive testing.
Project Glasswing was launched on April 7, 2026, as a coalition built around critical software security. Its launch partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. More than 40 additional organisations involved in critical software infrastructure have also been given access under the programme.
The scale of the discoveries has put pressure on a long-standing weak point in cybersecurity: the gap between finding flaws and fixing them safely. Anthropic says many partners have each found large numbers of high- or critical-severity weaknesses, while several have reported more than a tenfold rise in bug discovery rates. Cloudflare, one of the participating companies, identified hundreds of bugs across critical-path systems, with a large number rated high or critical.
The disclosure has been handled cautiously because most of the vulnerabilities are still moving through coordinated remediation channels. Standard industry practice allows time for maintainers to assess, patch and distribute fixes before technical details are made public. That convention is now being tested by AI systems that can generate vulnerability reports far faster than human teams can validate them.
Open-source software is a central concern. Anthropic says Mythos Preview has scanned more than 1,000 open-source projects that underpin internet infrastructure and corporate systems. The model estimated 6,202 high- or critical-severity vulnerabilities among 23,019 findings across all severity levels. Independent security firms assessed 1,752 of the high- or critical-rated findings, with 90.6 per cent judged valid and 62.4 per cent confirmed as high or critical.
These numbers point to both promise and strain. A high true-positive rate would make AI a powerful tool for defenders, particularly for under-resourced open-source maintainers. Yet even valid findings create operational pressure, requiring reproduction, severity assessment, disclosure reports, patch design and release coordination. Several maintainers have already asked for slower disclosure because they lack the capacity to absorb the volume of reports.
One case involved wolfSSL, a widely used open-source cryptography library deployed across billions of devices. Mythos Preview identified a certificate-forgery flaw that could have allowed an attacker to host a convincing fake version of a bank or email provider website. The vulnerability has been patched and assigned CVE-2026-5194, with fuller technical analysis expected after safer deployment of fixes.
Financial regulators are watching closely. Anthropic is expected to brief the Financial Stability Board on cyber vulnerabilities identified by Mythos, following concern that the same capabilities used to find flaws for defenders could eventually be used by adversaries against banks and other institutions with complex legacy systems. The watchdog's interest signals that AI-assisted exploit discovery has moved from a technical security issue into the realm of systemic risk oversight.
The model has also been tested against advanced cyber ranges. The UK's AI Security Institute found Mythos Preview to be the first model to complete both of its multistep cyberattack simulations end to end. Independent benchmarks have also placed it ahead of other systems in exploit development tasks, reinforcing concerns that the line between defensive tooling and offensive capability is narrowing.
Anthropic has framed the programme as a controlled attempt to give defenders an advantage before similar capabilities become widely available. Mythos Preview is available only as a gated research preview, with access through selected cloud and platform channels. The company has committed up to $100 million in usage credits and $4 million in donations to open-source security organisations to support the initiative.
Security executives involved in Glasswing have described the shift as a structural change rather than a routine product improvement. Their concern is that attackers will eventually use similar systems to compress the time between vulnerability discovery and exploitation. For defenders, the immediate challenge is to upgrade triage, patch management and asset visibility quickly enough to keep pace.
The findings also complicate the economics of software security. Traditional bug bounty programmes, code audits and penetration tests are expensive, episodic and limited by human labour. AI systems that can scan large codebases repeatedly may lower discovery costs, but they could also flood maintainers with complex reports that require scarce expert review. The bottleneck is shifting from detection to verification and repair.











