Anthropic’s Project Glasswing Unveils 10,000+ High-Critical Vulnerabilities in First Month

Anthropic’s Project Glasswing, launched in April 2026, has identified over 10,000 high- or critical-severity vulnerabilities across open-source software in its first month, according to a report from Kamal Shah, a LinkedIn contributor. The initiative, which leverages an unreleased model called Claude Mythos Preview, has sparked debate about the evolving landscape of AI-driven cybersecurity.

Key Findings from Project Glasswing

Project Glasswing’s initial findings highlight a significant scale of vulnerabilities. The initiative scanned over 1,000 open-source libraries and uncovered 6,202 high- or critical-severity issues. Of these, 1,752 were validated by independent security firms, with 90.6% confirmed as valid true positives. Notable results include:

• Cloudflare: Identified 2,000 bugs, with a false positive rate surpassing human testers.
• Mozilla: Found 10x more vulnerabilities in Firefox 150 compared to Firefox 148.
• Patching Efforts: 2,100+ vulnerabilities were patched via Claude Security within three weeks.

The data underscores AI’s growing role in accelerating vulnerability discovery. However, the report also notes a critical bottleneck: while detection has improved, the pace of patching has not kept up. “The bottleneck has shifted from finding vulnerabilities to patching them,” according to the LinkedIn post.

Implications for Cybersecurity

Anthropic’s findings signal a structural shift in cybersecurity. The firm argues that AI capabilities like Claude Mythos Preview will soon be widely available, lowering the cost of both attacks and defenses. This raises concerns about the readiness of organizations to respond to threats at machine speed.

“Organizations that can’t match machine-speed discovery with machine-speed response will be exposed,” the report states. The initiative’s success also highlights the need for improved collaboration between AI developers and security teams to address the backlog of unpatched vulnerabilities.

Challenges and Criticisms

Despite the progress, questions remain about transparency. Anthropic has not released detailed vulnerability reports, citing proprietary concerns. Critics argue that without full disclosure, it is difficult to assess the true impact of the findings. “The refusal to share specifics undermines trust in the data,” a cybersecurity analyst noted in a separate commentary.

Additionally, the report’s focus on open-source software raises questions about the security of proprietary systems. While open-source projects benefit from community scrutiny, the findings suggest that even widely used commercial software may harbor significant risks.

What’s Next for AI in Cybersecurity?

As AI tools like Claude Mythos Preview become more accessible, the cybersecurity industry faces a pivotal moment. The success of Project Glasswing could set a new standard for vulnerability management, but it also highlights the urgent need for systemic improvements in patching processes.

For now, the initiative serves as a cautionary tale: even with advanced AI, the human element of cybersecurity remains critical. Organizations must invest in both technology and workforce training to keep pace with evolving threats.