Anthropic shares ‘initial update’ on Mythos findings, says ‘there is a clear …’

Anthropic has released its first major update on Project Glasswing – a restricted, security-focused collaboration under which the artificial intelligence (AI) startup provided access to its powerful new AI model, Mythos Preview. Anthropic revealed in the initial findings that the the model has already uncovered “more than 10,000 high- or critical-severity vulnerabilities” across widely used software systems.“After one month, most partners have each found hundreds of critical- or high-severity vulnerabilities in their software. Collectively, they’ve found more than ten thousand. Several have told us that their rate of bug-finding has increased by more than a factor of ten. For instance, Cloudflare has found 2,000 bugs (400 of which are high- or critical-severity) across their critical-path systems, with a false positive rate that Cloudflare’s team considers better than human testers,” Anthropic said.According to the company, the volume of data generated has flipped the traditional security paradigm with the bottleneck in cybersecurity is no longer the difficulty of finding dangerous software bugs, but rather the limited capacity of human engineers to process, verify and patch them.“Models with similar cybersecurity skills to Mythos Preview will soon be more broadly available. There is a clear need for a larger effort across the software industry to manage the volume of findings that these models will generate,” Anthropic stated.Over the past several weeks, Anthropic has granted limited access to Mythos Preview to roughly 50 handpicked partner organisations, including top-tier tech companies and independent research firms. The AI model was deployed to scan more than 1,000 open-source software projects. During this initial trial, it flagged an estimated 6,202 high- or critical-severity vulnerabilities.To verify the accuracy of the AI, outside experts stepped in with independent security research firms reviewing a subset of 1,752 of these critical flags and analysis finding that 90.6% of the bugs flagged by Mythos were legitimate vulnerabilities. Furthermore, 62.4% were validated as genuinely high or critical risks.The real-world data from Anthropic’s corporate partners highlights the model's disruptive capabilities. Cloudflare reported that internal testing with Mythos uncovered roughly 2,000 software bugs, including 400 classified as high or critical severity. Crucially, Cloudflare noted that the AI engine produced significantly fewer “false positives” than conventional, human-led penetration testing.Mozilla utilised Mythos Preview to inspect its web browser code, successfully identifying and fixing 271 vulnerabilities in Firefox 150. Mozilla contrasted these results against earlier diagnostic runs using Anthropic's legacy model, Claude Opus 4.6, concluding that the new Mythos architecture is vastly more effective at hunting deep-seated code errors.However, Anthropic’s prowess also highlighted another limitation. While the technology represents a massive leap forward for digital defense, Anthropic warned that the industry is currently unprepared for an era where AI can find tens of thousands of flaws in seconds.“Currently, there's often a long lag between the discovery of a vulnerability, the creation of a patch for it, and the time when the patch is widely deployed by end users,” the company wrote, adding that without a massive structural overhaul in how software maintenance teams operate, the volume of automated findings risks overwhelming IT departments.