Anthropic Project Glasswing: Claude Mythos Preview Demonstrates Production-Scale AI-Driven Vulnerability Discovery

Anthropic published the first update from Project Glasswing on May 22, 2026, disclosing that its restricted Claude Mythos Preview model — deployed with approximately 50 partners including Microsoft, Apple, Google, and Cloudflare — found more than 10,000 high- and critical-severity vulnerabilities across critical software in its first month of operation. Partners reported bug-finding rates increasing by more than 10× over prior methods; Cloudflare alone found 2,000 bugs (400 high/critical) with a false-positive rate better than human testers. Mythos Preview can construct multi-stage exploit chains autonomously — chaining low-severity primitives into high-severity attacks — and generate working proofs of concept in a self-correcting loop. The UK AI Security Institute confirmed Mythos Preview is the first model to fully solve both of its multi-step cyberattack simulation ranges end-to-end. Anthropic launched Claude Security (Opus 4.7) in public beta for enterprises not in the restricted Glasswing consortium, which has already helped patch 2,100 corporate vulnerabilities.

This is the clearest empirical proof yet that AI-assisted vulnerability discovery has crossed a qualitative threshold: the bottleneck is no longer finding bugs but verifying, coordinating, and patching them faster than adversaries can weaponise the same capabilities. Organisations operating under quarterly-scan or monthly-maintenance-window patch regimes are structurally unprepared; Mandiant's M-Trends 2026 data cited in the disclosure shows attackers now exploit vulnerabilities an average of 7 days *before* patches are released. Because Mythos is withheld from general availability, defenders operating in the Glasswing consortium have an asymmetric advantage that will not last indefinitely as adversaries gain access to comparable open or Chinese-market models.

All enterprises should immediately review patch management SLAs against the 7-days-pre-patch exploitation baseline, prioritise Glasswing CVE disclosures (tracked via NVD) as they are made public over the coming 90-day coordinated disclosure window, and evaluate Anthropic's Claude Security public beta for assisted remediation. Financial services, healthcare, and critical infrastructure firms should brief boards that the disclosure rate of high-severity vulnerabilities will continue to increase materially for the remainder of 2026.