Anthropic’s Project Glasswing AI Finds Over 10,000 Serious Software Vulnerabilities

A coalition of more than 40 tech firms says Anthropic’s restricted Claude Mythos Preview model has uncovered thousands of critical flaws — some decades old — in software used by billions of people worldwide.

Anthropic has announced that its AI-powered cybersecurity initiative, Project Glasswing, has found more than 10,000 high- or critical-severity vulnerabilities in widely used software within roughly its first month of operation. The company launched the project in early April 2026 using Claude Mythos Preview, a model it describes as its most capable yet for coding and agentic tasks — but one it’s not making available to the general public.

The scale of what’s been found is striking. Among the flaws uncovered were a 27-year-old vulnerability in the OpenBSD operating system and a 16-year-old bug in FFmpeg, the open-source multimedia framework used in countless apps and services. Both had gone undetected by traditional automated tools for years.

A Coalition of Tech Giants

Project Glasswing isn’t Anthropic working alone. The initiative brings together more than 40 organisations, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. It’s a rare show of cross-industry cooperation on a shared security problem.

Anthropic has committed up to $100 million — around £80 million to £82 million — in model usage credits so that partners can run Mythos Preview for defensive security scanning. On top of that, the company is putting around £3.2 million to £3.3 million in direct funding into open-source security organisations: around £2 million goes to Alpha-Omega and the Open Source Security Foundation through the Linux Foundation, with a further roughly £1.2 million to the Apache Software Foundation.

The targets are the software that underpins modern digital life — every major operating system, web browsers, and core infrastructure components that millions of organisations and individuals rely on every day.

What Claude Mythos Preview Can Do

Anthropic describes Mythos Preview as capable of analysing and modifying complex software autonomously, finding and helping to fix security flaws at a scale no human team could match. The model scored 83.1% on the CyberGEE vulnerability reproduction benchmark and 93.9% on the ISWE agent coding benchmark — both figures Anthropic says outperform its previous Claude models. These are company-reported results, and no independent benchmark body has yet verified them.

Access to Mythos Preview is tightly controlled. Only Project Glasswing partners and a limited set of organisations responsible for critical software infrastructure can use it. Anthropic says this is deliberate: the model is too powerful and carries too much dual-use potential to be released openly. Indicative post-research pricing is set at $25 per million input tokens and $125 per million output tokens — positioning it firmly as a premium, specialist tool.

Anthropic says every vulnerability publicly disclosed through Project Glasswing has been reported to software maintainers and patched before any public announcement — following the coordinated disclosure process that the security community regards as best practice.

Praise, and Some Caution

The initiative has drawn broad support from the tech and security industries. But not everyone is entirely comfortable.

Some security researchers and digital-rights advocates have raised concerns about concentrating such powerful vulnerability-finding capability in a small group of large technology companies. There are questions about transparency — specifically, who decides which vulnerabilities get found, prioritised, and fixed, and under what oversight. There are also questions about the headline numbers themselves. Anthropic’s figure of “more than ten thousand” serious vulnerabilities is self-reported and has not been independently audited.

The dual-use concern is real too. Even if Mythos Preview is currently restricted to defensive work, similar techniques could in theory be replicated or stolen and turned to offensive purposes by state or criminal actors. It’s a tension Anthropic acknowledges — it’s the stated reason access is so restricted.

Open-source maintainers face a more practical worry. A sudden wave of vulnerability disclosures, however well-intentioned, means more patches to write, test, and ship, often by volunteers with limited time and resources.

The Bigger Picture

Project Glasswing arrives against a backdrop of growing anxiety about software supply-chain security. Incidents like the SolarWinds compromise and the Log4Shell vulnerability showed just how much damage a single flaw in a widely used component can cause. The UK’s National Cyber Security Centre has repeatedly warned that state and criminal actors are actively hunting for exactly these kinds of bugs in common software and open-source libraries.

Traditional vulnerability discovery — human researchers and automated fuzzing tools — has limits. Anthropic’s claim is that Claude Mythos Preview can go further, faster, and find classes of bugs that existing methods miss. A 27-year-old flaw sitting undetected in OpenBSD is hard to argue with as a proof of concept.

The UK Government’s Cyber Security Strategy and the NCSC’s guidance both stress securing software supply chains and timely patching. Under the UK’s Network and Information Systems Regulations, operators of essential services — energy, transport, health, digital infrastructure — must manage cyber risk, which includes applying security updates promptly. Project Glasswing feeds directly into that pipeline.

What This Means for Kent Residents

Every device running a major operating system or web browser — which covers most households, businesses, schools, and public bodies across Kent — stands to benefit as patches flow from Project Glasswing’s findings. Organisations such as Kent County Council, Medway Council, and NHS Kent and Medway Integrated Care Board all rely on mainstream commercial and open-source software, and improved security in those platforms reduces the risk of ransomware attacks and data breaches affecting local services. The NCSC advises everyone — individuals and organisations alike — to apply security updates promptly and enable automatic updates where possible, since some of those updates may now trace back to vulnerabilities Anthropic’s AI helped uncover. Kent’s IT teams should keep a close eye on vendor security advisories from Microsoft, Apple, browser developers, and Linux distributions in the months ahead.

Source: @AnthropicAI
