On May 22, Anthropic released a one-month progress report on Project Glasswing, officially disclosing for the first time the safety performance of its internal cutting-edge model, Claude Mythos Preview. Since the project’s launch last month, Anthropic and roughly 50 partners have used Mythos Preview to scan critical foundational software; together they have identified over 10,000 vulnerabilities rated as high-risk or critical severity. For many partners, the rate of vulnerability discovery has increased more than tenfold compared to previous methods. Notable examples include Cloudflare, which found 2,000 vulnerabilities in its core systems (400 of them high-risk or critical) while maintaining a lower false-positive rate than manual testing, and Mozilla, which detected 271 vulnerabilities in Firefox 150, more than ten times the number found when Claude Opus 4.6 was used to test Firefox 148. The UK AI Safety Institute (AISI) confirmed that Mythos Preview is the first model capable of fully covering both of its simulated cyberattack scenarios end-to-end. Additionally, Mythos Preview helped a partner bank identify and block a fraudulent wire transfer worth $1.5 million.
In separate open-source software scans led solely by Anthropic, over 2.3 million potential vulnerabilities were flagged across more than 1,000 projects; 6,202 of these were deemed high-risk or critical severity. Independent security audits of sampled findings revealed a 90.6% true-positive rate, with 62.4% qualifying as high-risk/critical severity—a total expected to approach 3,900 after full verification. One publicly documented case involves a certificate forgery flaw (CVE-2026-5194) discovered in the wolfSSL encryption library. The report highlights that the primary bottleneck has now shifted from ‘discovery’ to ‘remediation’: open-source maintainers are severely overburdened, with some even requesting Anthropic slow down disclosure efforts. Currently, it takes an average of two weeks to patch high-risk vulnerabilities; meanwhile, Microsoft and Palo Alto Networks have seen substantial spikes in patch releases. Anthropic warns that ‘models offering comparable cybersecurity capabilities will soon become widely available,’ offering guidance for defenders adapting to this new phase while outlining plans for future public releases of Mythos-class models.