Tech News

Project Glasswing: An Initial Update

Why This Matters

Project Glasswing highlights the transformative potential of AI in cybersecurity: its partners have used an AI model to identify more than ten thousand high- or critical-severity vulnerabilities in systemically important software within a month, which shifts the bottleneck from finding vulnerabilities to verifying, disclosing, and patching them. The initiative underscores the importance of proactive defense in an era where AI capabilities can both threaten and protect digital infrastructure.

Key Takeaways

Last month, we launched Project Glasswing, our collaborative effort to secure the world’s most critical software before increasingly capable AI models can be turned against it.

Since then, we and our approximately 50 partners have used Claude Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities across the most systemically important software in the world. Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it’s limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI.

In this post, we discuss what we’ve learned about this critical challenge for cybersecurity in the first weeks of Project Glasswing. We focus on the early public evidence of Mythos Preview’s performance, on the initial results of our effort to scan thousands of open-source software projects, and on what this progress means for cyberdefenders today. We also cover what to expect next from Project Glasswing, and how we’re thinking about releasing Mythos-class models in the future.

Our early results

Our approach to discussing Mythos Preview’s findings

The software industry’s longstanding convention is to disclose new vulnerabilities 90 days after they’re discovered (or, if a patch is created before the 90 days is up, around 45 days after the patch becomes available). This allows time for end users to update their software before a vulnerability can be exploited by attackers. Our own Coordinated Vulnerability Disclosure policy takes this approach.

However, this means that disclosed vulnerabilities are a lagging indicator of the accelerating frontier of AI models’ cyber capabilities: we’re not yet at the point where we can fully detail our partners’ findings with Mythos Preview without putting end users at risk. Instead, we provide illustrative examples of the model’s performance, along with aggregate statistics on our progress to date. Once patches for the vulnerabilities that Mythos Preview has discovered are widely deployed, we’ll provide much more detail about what we’ve learned.

Evidence from our partners and external testers

Project Glasswing’s initial partners build and maintain software that is fundamental to the functioning of the internet and other essential infrastructure. Fixing flaws in their code reduces risk for the many other organizations that rely on it, and therefore reduces risk for billions of end users.

After one month, most partners have each found hundreds of critical- or high-severity vulnerabilities in their software. Collectively, they’ve found more than ten thousand. Several have told us that their rate of bug-finding has increased by more than a factor of ten. For instance, Cloudflare has found 2,000 bugs (400 of which are high- or critical-severity) across their critical-path systems, with a false positive rate that Cloudflare’s team considers lower than that of human testers.
