Project Glasswing: 10,000+ critical bugs found by Claude Mythos in a month
Anthropic's May 26, 2026 update on Project Glasswing reports that ~50 partners have used Claude Mythos Preview to find more than 10,000 high/critical-severity vulnerabilities, including 271 latent bugs patched in Firefox 150 — and lays out a controlled-access model for a frontier offensive capability.
What is this?
On May 26, 2026 Anthropic published Project Glasswing: An initial update. One month into the program, the company reports that roughly 50 partner organisations have used Claude Mythos Preview — an unreleased frontier model with strong offensive-cyber capabilities — to find more than 10,000 high- or critical-severity vulnerabilities in systemically important software. Several partners report that their internal rate of bug-finding has gone up by more than 10x.
The headline data point most defenders will recognise comes from Mozilla. In a May 7, 2026 Mozilla Hacks post, the Firefox security team disclosed that 271 latent vulnerabilities identified with Mythos Preview were patched in Firefox 150, including 180 high-severity and 80 moderate-severity bugs. Three of those are explicitly credited to Claude in Mozilla’s advisory: CVE-2026-6746, CVE-2026-6757, CVE-2026-6758. Cloudflare reports 2,000 bugs (400 high/critical) found across its critical-path systems with a false-positive rate the team considers better than human testers.
Project Glasswing’s launch partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. Claude Mythos Preview is not generally available; Anthropic has stated it intends to release Mythos-class models publicly once safeguards are judged adequate.
How it works
Mythos Preview is not a security-specific scanner. It is a general-purpose frontier model whose coding capabilities have crossed a threshold that, per Anthropic, qualifies as offensive-cyber-capable. The UK AI Safety Institute’s pre-deployment evaluation reports the model completing a 32-step corporate-network attack simulation in 3 out of 10 attempts and chaining multiple small flaws into end-to-end intrusions.
Partners do not point Mythos at their codebase and wait. Mozilla’s writeup describes a codebase-specific agentic harness that wraps Mythos plus other frontier models with the project’s build system, test scaffolding, and triage conventions. Bugs flow through human review before they reach a patch queue.
| Stage | What runs | What it produces |
|---|---|---|
| Harness setup | Project-specific tools, build graph, test runners | Per-target agent scaffolding |
| Agentic scan | Mythos Preview + supporting frontier models | Candidate findings with reasoning trace and reproducer attempt |
| Filter / dedupe | Pipeline rules + lightweight LLM triage | Signal-only finding queue |
| Human triage | Mozilla / partner security team review | Confirmed bugs, CVE decisions, fix planning |
| Patch + release | Standard release process | Firefox 150 / advisory entries |
The signal-to-noise improvement matters. Until late 2025, AI-generated bug reports submitted to open-source projects were largely slop — plausible-looking, often wrong, costly to triage. Two things changed: the underlying models gained the ability to verify their own claims with code, and projects like Mozilla learned to steer, scale and stack models inside a harness that reflects their codebase rather than treating the LLM as a black-box scanner. Anthropic reports a ~90% true-positive rate after triage on its internal open-source scan of 1,000+ projects, with 23,019 raw issues narrowed to 6,202 high/critical vulnerabilities, on track to surface ~3,900 high/critical OSS bugs once review concludes. One concrete example from the update: Mythos found a flaw in wolfSSL and constructed an exploit that would let an attacker forge certificates and impersonate a bank or email provider — disclosed and patched under coordinated disclosure.
No exploit code or payload is reproduced here. The Anthropic update, the Mozilla Hacks post, the SecurityWeek and Help Net Security writeups, and Simon Willison’s May 7 link blog entry are the canonical references.
Why it matters
Three properties make this moment qualitatively different from previous “AI for AppSec” cycles.
First, scale with quality. Ten thousand high-severity bugs in one month is roughly an order of magnitude above what the partner organisations were finding before. The Cloudflare comparison — false-positive rates better than experienced human testers — is the metric that flips the project from “interesting” to “operationally adopted”.
Second, the same model finds and weaponises. Mythos identified and built a working exploit chain for the wolfSSL certificate-forgery bug, and the UK AISI evaluation shows multi-step intrusion behaviour. Anthropic’s own framing in Project Glasswing’s launch page is explicit: the program exists because models with this capability will soon be developed by multiple companies, and no one has yet shipped safeguards strong enough to release them publicly. The defensive use case is real; so is the dual-use risk.
Third, a new governance pattern is being tested in public. Anthropic chose neither full release nor full secrecy. Mythos Preview is distributed under a restricted-access program to a small set of critical-infrastructure partners, with public progress updates. Whether that scales — to allied governments, to the broader open-source ecosystem, to mid-size vendors who do not have a Cisco-sized security team — is the policy question of the next twelve months.
Defenses
There is no single mitigation for an AI capability of this class. The defensive playbook for the rest of the ecosystem, drawn from the Mozilla, Anthropic and Cloudflare reports above:
- Assume an offensive-capable model exists outside your fence. Treat the threat model as if a non-Glasswing actor will have something Mythos-class within 12-24 months. Memory-safety classes (use-after-free, OOB read/write), TOCTOU, and crypto-misuse remain the high-yield targets the Firefox advisory called out.
- Migrate hot paths to memory-safe languages. Firefox 150’s most dangerous Claude-found bugs were UAFs in DOM and WebRTC components. Adopting Rust or other safe-by-construction languages in browser, kernel and protocol-parsing code is the only structural defence — every other control just buys time.
- Invest in your own AI-assisted review pipeline. Vendors without access to Glasswing partners can still run open frontier models inside a project-specific harness. The Mozilla blueprint — codebase semantics in the prompt, model output filtered through deterministic checks, humans reviewing only what survives the filter — is reproducible without Mythos-class capability.
- Stand up coordinated-disclosure capacity for AI-volume reports. A maintainer used to processing 1-2 advisories a quarter cannot absorb 271 in one release. Open-source projects should refresh security.txt, expect bulk advisories, and consider pre-allocated CVE blocks with their CNA.
- Push for clarity on AI-attributed CVEs. Mozilla credited Claude on 3 of >40 CVEs in Firefox 150. The community needs an explicit convention for crediting AI-assisted discovery, validating reproducibility, and distinguishing “AI found it” from “AI wrote it for the attacker”.
- Watch the access-control model itself. Restricted programs like Glasswing are a governance experiment. Defenders inside critical infrastructure who are not partners should ask their vendors whether (and how) AI-assisted hardening is being applied to the software they depend on.
- Do not rely on the model staying gated. Anthropic has said publicly it intends to release Mythos-class models once safeguards are ready, and equivalent capability will emerge at other labs regardless. Plan for the day the gate opens.
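The "filter / dedupe" stage of the pipeline table and the "deterministic checks before humans review" point in the defenses list describe the same thing: cheap, mechanical gates that reject a model's claim before a person spends time on it. The following is an added illustration, not Mozilla's or Anthropic's harness code. It assumes a constructed source tree (two invented file paths with line counts, standing in for a real checkout), a constructed batch of model findings, and a harness that has already executed each reproducer and recorded the outcome. The gates it applies are the ones a defender most wants: the cited file and line must exist, the bug class must be in scope, the model must have produced a reproducer and that reproducer must actually have demonstrated the bug, and near-identical findings collapse to one queue entry.

```python
"""Deterministic post-filter for AI-generated vulnerability findings.

Added example, not code from Mozilla or Anthropic. Paths, line counts and
findings below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for a real checkout: path -> number of lines.
# A real harness would query the build graph or git instead.
SOURCE_TREE = {
    "lib/webrtc/peer.cpp": 2400,
    "lib/http2/session.cpp": 5100,
}

# Bug classes this queue is scoped to (the high-yield classes named above).
ACCEPTED_CLASSES = {"use-after-free", "oob-read", "oob-write", "toctou", "crypto-misuse"}
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}
DEDUPE_WINDOW = 25  # same file, same class, within this many lines => one finding


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    bug_class: str
    severity: str
    reproducer: str    # test/PoC the model produced; empty if it produced none
    repro_result: str  # what the harness observed when it ran it: crash | no-crash | unknown
    rationale: str


def check_finding(f: Finding) -> str | None:
    """Return a rejection reason, or None if the finding passes every gate."""
    if f.file not in SOURCE_TREE:
        return "file does not exist in the tree"
    if not (1 <= f.line <= SOURCE_TREE[f.file]):
        return "line number outside the file"
    if f.bug_class not in ACCEPTED_CLASSES:
        return "bug class not in scope for this queue"
    if f.severity not in SEVERITY_RANK:
        return "unknown severity label"
    if not f.reproducer:
        return "no reproducer: model did not verify its own claim"
    if f.repro_result != "crash":
        return f"reproducer did not demonstrate the bug ({f.repro_result})"
    if len(f.rationale.split()) < 8:
        return "rationale too thin to review"
    return None


def dedupe_key(f: Finding) -> tuple[str, str, int]:
    """Findings of one class clustered in one region of a file share a key."""
    return (f.file, f.bug_class, f.line // DEDUPE_WINDOW)


def triage(findings: list[Finding]) -> tuple[list[Finding], list[tuple[Finding, str]]]:
    """Split raw findings into a human-review queue and a rejected list with reasons."""
    accepted: dict[tuple[str, str, int], Finding] = {}
    rejected: list[tuple[Finding, str]] = []
    for f in findings:
        reason = check_finding(f)
        if reason:
            rejected.append((f, reason))
            continue
        key = dedupe_key(f)
        if key in accepted:
            first = accepted[key]
            rejected.append((f, f"duplicate of {first.file}:{first.line}"))
            continue
        accepted[key] = f
    # Most severe first so the human queue is worked in priority order.
    queue = sorted(accepted.values(), key=lambda x: (SEVERITY_RANK[x.severity], x.file, x.line))
    return queue, rejected


# Constructed sample output of the agentic-scan stage (not real findings).
SAMPLE_FINDINGS = [
    Finding("lib/webrtc/peer.cpp", 1032, "use-after-free", "high", "test_close_during_ice.js", "crash",
            "Transceiver freed in Close() while an ICE callback still holds a raw pointer and dereferences it"),
    Finding("lib/webrtc/peer.cpp", 1040, "use-after-free", "high", "test_close_during_ice_2.js", "crash",
            "Same dangling transceiver pointer reached through the stats callback path"),
    Finding("lib/http2/session.cpp", 420, "oob-read", "critical", "h2_padding_len.py", "crash",
            "Padded frame with pad length larger than the payload reads past the frame buffer"),
    Finding("lib/http2/session.cpp", 9000, "oob-write", "high", "h2_bad_line.py", "crash",
            "Claimed overflow at a line number that the file does not actually have"),
    Finding("lib/dom/document.cpp", 77, "use-after-free", "high", "repro.js", "crash",
            "Model cited a path that is not present in this checkout of the tree"),
    Finding("lib/webrtc/peer.cpp", 1500, "toctou", "moderate", "", "unknown",
            "Plausible race description but no test was produced to demonstrate it"),
    Finding("lib/http2/session.cpp", 880, "oob-read", "high", "h2_settings.py", "no-crash",
            "Reproducer ran clean under the sanitizer build; likely a false positive"),
]

if __name__ == "__main__":
    queue, rejected = triage(SAMPLE_FINDINGS)
    for f in queue:
        print(f"REVIEW  {f.severity:8} {f.file}:{f.line} {f.bug_class}")
    for f, why in rejected:
        print(f"DROP    {f.file}:{f.line} -- {why}")
```

Of the seven constructed findings, two reach the human queue (the critical out-of-bounds read first, then the use-after-free); the second use-after-free collapses into the first as a duplicate, and the remaining four fail a gate before anyone reads them. The gates are deliberately dumb: they contain no model and no heuristics a reviewer has to trust, which is what makes the post-filter queue cheap to audit.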
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Anthropic update | Project Glasswing: An initial update | 2026-05-26 | ~50 partners, 10,000+ high/critical vulns |
| Mozilla writeup | Mozilla Hacks | 2026-05-07 | 271 vulns in Firefox 150 (180 high, 80 moderate) |
| Public credits | Firefox 150 advisory | 2026-05 | CVE-2026-6746, CVE-2026-6757, CVE-2026-6758 |
| Cloudflare contribution | Anthropic update | 2026-05-26 | 2,000 bugs / 400 high-or-critical |
| Open-source scan | Anthropic update | 2026-05-26 | 23,019 raw, 6,202 high/critical, ~90% TP |
| Worked example | wolfSSL cert-forgery | 2026-05 | Found + exploit constructed by Mythos |
| Pre-deployment eval | UK AISI | 2026-04 | 32-step network attack, 3/10 success |
| Distribution model | Project Glasswing | 2026-04 onward | Restricted partner access only |
The single-headline reading of this story — “AI found 10,000 bugs” — under-sells what is actually being tested. Project Glasswing is the first attempt by a frontier lab to ship an offensive-capable model into the defensive supply chain without shipping it to everyone. Whether that model of controlled release becomes the norm, or whether it gets overtaken by the next equivalently capable release elsewhere, will shape AppSec for the rest of the decade.
Sources
- https://www.anthropic.com/research/glasswing-initial-update
- https://www.anthropic.com/glasswing
- https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
- https://simonwillison.net/2026/May/7/firefox-claude-mythos/
- https://www.helpnetsecurity.com/2026/05/26/anthropic-project-glasswing-update/
- https://www.securityweek.com/claude-mythos-finds-271-firefox-vulnerabilities/
- https://www.schneier.com/blog/archives/2026/04/claude-mythos-has-found-271-zero-days-in-firefox.html