Artificial intelligence safety startup Anthropic recently shared the first results of a new program called Project Glasswing. Launched in April 2026, the defensive initiative tests a highly capable, unreleased AI model named Claude Mythos Preview to find security weaknesses in software.
Huge Number of Flaws Discovered in Free Software
Initial data shows the AI is fast at finding flaws. In just one month, Anthropic and its 50 restricted partners identified more than 10,000 high- or critical-severity security gaps across major software systems.
Anthropic also used the tool to check over 1,000 open-source software projects, the free, public code that runs under the hood of billions of everyday devices. Over 23,000 total potential bugs were spotted, and six independent security research firms examined the data to cross-verify the findings. External experts confirmed 1,726 real flaws, including around 1,000 high-risk issues. Anthropic believes the final count of severe bugs will reach 6,200 as checking continues.
One major discovery happened inside wolfSSL, an open-source security library used by five billion smart gadgets and routers to encrypt data. The AI discovered a critical certificate forgery flaw, now officially catalogued as CVE-2026-5194. It has a high severity rating of 9.3 out of 10, though the research firm Red Hat rates it a maximum 10.
The AI even built a mock attack demonstrating how cybercriminals could exploit this flaw to forge digital identities and host fake bank websites that appear perfectly real to regular users.

Tech Companies Face a Huge Fix-It Backlog
Finding flaws is now much quicker than fixing them, creating a backlog for human teams. While the average time to patch a bug is two weeks, several tech companies are using the data to clean up their applications:
- Cloudflare found 2,000 bugs across its systems.
- Mozilla fixed 271 flaws in its Firefox 150 web browser, a massive jump from what older AI tools found in Firefox 148.
- Palo Alto Networks, Microsoft, and Oracle are rolling out fixes much faster than their usual speed.
- Apart from software testing, the AI helped a partner bank stop a fraudulent 1.5-million-dollar wire transfer after an unknown hacker took over a customer’s email and made spoof phone calls.
Because this AI model is powerful, Anthropic is keeping it private to prevent threat actors from using it offensively. However, the company plans to expand the program to the UK and US governments while humans work on patching the thousands of security gaps already found.