Anthropic's Project Glasswing has revealed something important about the future of cybersecurity: AI can now find serious software vulnerabilities at a speed that traditional patching processes may struggle to match.
In just one month, Project Glasswing reportedly identified more than 10,000 high- or critical-severity vulnerability candidates. The project uses Claude Mythos Preview, an advanced AI model designed to support defensive cybersecurity work. Its purpose is not to help attackers, but to help organisations find and fix dangerous weaknesses before they can be exploited.
Project Glasswing is also not a small internal experiment. It brings together major technology and security organisations, including Amazon Web Services, Apple, Cisco, CrowdStrike, Google, Microsoft, NVIDIA, Palo Alto Networks, the Linux Foundation, and others. The goal is clear: use powerful AI carefully and defensively to strengthen critical software, infrastructure, and open-source projects.
More Than Just A Big Number
The headline number is impressive, but the details are more important. In its first month, Mythos analysed code across more than 1,000 open-source projects and flagged thousands of possible serious vulnerabilities. After human review, 1,726 of those findings were confirmed as real, exploitable flaws, with 1,094 classified as high or critical severity.
That matters because open-source software is everywhere. It sits inside web servers, cloud platforms, mobile apps, IoT devices, enterprise systems, network appliances, and industrial environments. When serious vulnerabilities exist in widely used open-source components, the impact can spread far beyond one company or one product.
One example highlighted was a critical wolfSSL vulnerability, identified as CVE-2026-5194 with a CVSS score of 9.1. The flaw could potentially allow attackers to forge certificates and impersonate legitimate services. For software used in IoT devices, networking equipment, and industrial systems, that kind of issue is not minor. It can affect trust in encrypted communication itself.
The Real Problem Is Patching
So far, Project Glasswing's findings have led to 97 upstream patches and 88 security advisories. That is real progress, but it also exposes the bigger problem.
Finding vulnerabilities is becoming easier and faster. Fixing them is still slow, complex, and dependent on human teams, maintainers, vendors, testing cycles, compatibility checks, and release processes. This creates a growing gap between discovery and remediation.
That gap is the real warning. AI can scan code, detect patterns, test assumptions, and surface weaknesses at a scale that human teams alone cannot match. But once those issues are found, someone still has to understand the flaw, write the patch, test it properly, release it, and make sure users actually apply the update.
This is where cybersecurity may face a major shift. The bottleneck is no longer only detection. Increasingly, the bottleneck is response.
AI Can Help Defenders, But It Also Raises Risk
Project Glasswing shows the positive side of AI in cybersecurity. Used responsibly, models like Mythos can help defenders identify dangerous flaws before attackers find them. They can support open-source maintainers, protect critical systems, and reduce the number of hidden vulnerabilities sitting inside widely used software.
But the same capability also creates concern. If an AI model can find vulnerabilities at this level, similar models could eventually be used by attackers as well. The ability to discover flaws quickly becomes dangerous if it is placed in the wrong hands without proper safeguards.
That is why Anthropic is limiting access to Mythos-class capabilities for now. The company has acknowledged that current safeguards are not yet strong enough to prevent large-scale misuse if such models were released openly. This is a serious point because once powerful vulnerability discovery tools become widely available, exploitation could become cheaper, faster, and easier.
Beyond Software Vulnerabilities
Interestingly, Project Glasswing is not only about scanning code. One reported use case involved a partner bank using Mythos to detect and stop a fraudulent US$1.5 million wire transfer. The attacker had compromised a customer's email account and attempted to authorise the transaction through spoofed phone calls.
In that case, the AI system identified the activity as suspicious and helped prevent the transfer. This shows that the same kind of AI reasoning can also support fraud detection, behavioural analysis, and real-time security monitoring.
That broader capability makes the technology more powerful, but also more sensitive. AI security tools may eventually become important across many areas, from software engineering to financial crime prevention.
Final Thoughts
Project Glasswing highlights both the promise and the pressure that AI is bringing into cybersecurity. On one hand, it shows that advanced AI can help defenders uncover serious vulnerabilities across huge amounts of code faster than ever before. That could make critical software safer if organisations can act quickly enough.
On the other hand, it also exposes a difficult reality: finding security flaws is becoming faster than fixing them. Unless patching, coordination, testing, and deployment processes improve, the industry may end up with more known vulnerabilities than it can realistically handle.
The future of cybersecurity will not only depend on better detection. It will depend on whether defenders can close the gap between discovery and repair before attackers learn to use the same tools at scale.

