Skip to content
analysis16 min read

Anthropic Just Found 10,000 Zero-Days In One Month — And Patching Just Became The Bottleneck

Anthropic published Project Glasswing's first month: Claude Mythos Preview found 10,000+ high or critical vulnerabilities across ~50 partners. 90.6% precision. The bottleneck moved from finding bugs to patching them.

Author
Anthony M.
16 min readVerified May 24, 2026Tested hands-on
Anthropic Project Glasswing Initial Update May 22 2026 — Claude Mythos Preview found 10,000+ high or critical severity vulnerabilities in one month across roughly 50 partners and 1,000+ open-source projects, strategic analysis by ThePlanetTools
Anthropic Project Glasswing Initial Update — Claude Mythos Preview crossed 10,000+ high or critical vulnerabilities in one month. The bottleneck moved from discovery to patching.

On May 22, 2026, Anthropic published the first public update on Project Glasswing, the cybersecurity initiative it launched roughly one month earlier built around Claude Mythos Preview, its closed frontier model. In the first month, Mythos Preview found over 10,000 high or critical severity vulnerabilities across approximately 50 partners and 1,000+ open-source projects. Cloudflare alone reports 2,000 bugs, 400 of them high or critical. Mozilla found 271 new vulnerabilities in Firefox 150. The UK AI Security Institute said Mythos is the first model to solve both of its cyber ranges end-to-end.

This is the first time Anthropic has put numbers behind the closed-coalition argument it has been making since Mythos preview was unveiled in April. The framing matters: the company is no longer asking the policy world to trust a thesis. It is publishing throughput.

TL;DR — What changed on May 22, 2026

  • Over 10,000 high or critical severity vulnerabilities found across partners in roughly one month, the period covering Project Glasswing's first month of operation.
  • Open-source scanning: Mythos Preview surfaced an estimated 23,019 total vulnerabilities across 1,000+ projects, of which an estimated 6,202 were high or critical. Of 1,752 findings sampled and assessed by security firms, 1,587 (90.6%) were valid true positives and 1,094 (62.4%) confirmed high or critical.
  • Disclosure pipeline: 530 high or critical bugs reported to maintainers, 1,129 unvetted findings shared, 75 patched and 65 with public advisories so far. 827 confirmed vulnerabilities are still pending disclosure.
  • Cloudflare: 2,000 bugs, 400 of them high or critical. The company says the false positive rate is better than its human testers.
  • Mozilla Firefox 150: 271 new vulnerabilities versus Firefox 148 when scanned by an earlier Claude generation. Same code base, new model, new floor.
  • UK AI Security Institute: Mythos Preview is the first model to solve both of AISI's cyber range simulations end-to-end.
  • XBOW: calls Mythos Preview a "significant step up over all existing models" and credits it with "absolutely unprecedented precision" on a token-for-token basis on the XBOW web exploit benchmark.
  • 10x or more bug-finding rate reported by several partners.
  • Palo Alto Networks: its latest release shipped more than five times its usual number of patches.
  • Microsoft: forecasts that the number of new patches it releases will keep "trending larger."
  • Average time to patch a Mythos-found high or critical bug: two weeks.
  • Anthropic's editorial framing for the milestone — a one-line shift in the cybersecurity equation: "Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it's limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI."

For context: when Anthropic announced Project Glasswing in April 2026 and locked Mythos Preview behind a four-hyperscaler coalition (Apple, Microsoft, Google, Amazon at the founding), critics inside the industry, including OpenAI's leadership, called the closed model "fear-based marketing." One month later, Anthropic answered with a number. Ten thousand.

What is Project Glasswing

Project Glasswing is Anthropic's cybersecurity initiative, announced in April 2026 alongside the Mythos preview unveil. It is the formal program through which Anthropic gives selected partners — Anthropic says "approximately 50" — access to Claude Mythos Preview for offensive security work: vulnerability discovery, exploit verification, patch generation, and threat modeling.

The architecture is closed by design. Mythos Preview is not available through the public Claude API. It is accessed through Glasswing partners under a Trusted Access for Cyber-style envelope, which Anthropic has explicitly contrasted with OpenAI's broader Daybreak coalition that launched May 11 with 20+ partners and a publicly available GPT-5.5 Cyber variant. The strategic disagreement is real, and we have covered both sides in depth — see our analysis of OpenAI Daybreak as the direct response to Anthropic Glasswing and Mythos and Claude Mythos going dark behind Project Glasswing.

The May 22 update is the first time Anthropic has translated the "closed coalition" thesis into operational metrics: how many vulnerabilities found, how many valid, how many patched, how fast.

Cloudflare reports 2000 bugs 400 high or critical found by Anthropic Claude Mythos Preview through Project Glasswing in one month, false positive rate better than human testers — ThePlanetTools analysis
Cloudflare's Glasswing throughput — 2,000 bugs, 400 of them high or critical. False positive rate beats human testers.

The numbers, broken out

Open-source scanning: 23,019 estimated, 1,587 validated, 90.6% precision

Anthropic and partners ran Mythos Preview across more than 1,000 open-source projects. The model surfaced an estimated 23,019 candidate vulnerabilities, of which an estimated 6,202 are high or critical. Six independent security research firms then sampled 1,752 of those findings and assessed them.

The result of that audit is the precision number that matters: 1,587 of 1,752 sampled findings were valid true positives — 90.6% precision. Of those, 1,094 (62.4% of the sample) were confirmed as high or critical severity. Extrapolating the sampled rate against the full open-source set gives Anthropic's projection of approximately 3,900 true high or critical vulnerabilities in the open-source slice alone.

Why precision matters more than raw count: an automated vulnerability scanner that ships 90.6% true positives at the volume Mythos produces shifts the cost structure of triage. Maintainers do not get drowned in noise. Anthropic explicitly attributes the precision claim to the third-party security firms doing the audit, not to its own internal benchmarks.

Disclosure pipeline: 530 reported, 75 patched, 65 public advisories

Disclosure is where the system starts to break. Of the high or critical vulnerabilities found in open-source projects, 530 have been formally reported to maintainers. An additional 1,129 unvetted findings were shared. Only 75 are patched today. Sixty-five public advisories have been issued. 827 confirmed vulnerabilities are still pending disclosure.

Anthropic does not frame this as a process failure. It frames it as the new bottleneck. Quoting the update directly:

"Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it's limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI."

And, more pointed, on the open-source maintainer load:

"Indeed, several maintainers have told us they're currently severely capacity constrained, and some have even asked us to slow down our rate of our disclosures because they need more time to design patches."

That second quote is the most editorially loaded sentence in the entire update. A frontier lab has hit the wall where the slowest link in the cybersecurity chain is no longer model capability — it is unpaid human maintainers. The update does not yet announce a structural fix, but the diagnosis is now public.

Glasswing disclosure pipeline bottleneck flow 10000 found 530 reported 75 patched 65 advisories 827 pending disclosure Anthropic Mythos Preview May 22 2026 — ThePlanetTools
The Glasswing pipeline — discovery scales, disclosure does not. 827 confirmed high or critical findings are still waiting on capacity.

Cloudflare's 2,000 bugs and Firefox 150's 271 new vulnerabilities

Two partner numbers stand out from the May 22 update because they are concrete, comparable, and come from organizations with mature internal security programs.

Cloudflare: 2,000 bugs found by Mythos Preview across its critical-path systems in the Glasswing window. 400 of those are high or critical severity. Cloudflare's own team says the false positive rate is better than human testers. That is the headline operational claim of the entire update — an established security org rating the model above its in-house red team on signal quality, not just volume.

Mozilla / Firefox 150: 271 new vulnerabilities found in Firefox 150, compared with what an earlier-generation Claude found in Firefox 148. Same browser code base lineage, newer model, dramatically larger surface uncovered. Mozilla is one of the few partners where Anthropic provides a model-to-model delta on the same software, which is the cleanest signal in the document for measuring generational lift.

UK AISI and XBOW: external validation

The UK AI Security Institute reports that Mythos Preview is the first model to solve both of its cyber range simulations end-to-end. AISI is the UK's frontier-model evaluation body and is the most policy-relevant third-party endorsement in the update.

XBOW, an independent commercial security platform, called Mythos Preview a "significant step up over all existing models" on its web exploit benchmark, and added that the model provides "absolutely unprecedented precision" on a token-for-token basis. The token-for-token framing matters because XBOW runs its benchmark across many frontier and open-weight models, and is one of the rare third parties with comparable evaluation methodology across labs.

Enterprise-scale: Palo Alto Networks, Microsoft, Oracle, Cisco

Palo Alto Networks: its latest release shipped more than five times the usual number of patches, driven by Glasswing-sourced findings.

Microsoft: forecasts that the number of new patches it ships will keep "trending larger." Microsoft is the largest software publisher in the world; that forward statement carries weight on what the next several patch cycles will look like industry-wide.

Oracle: "finding and fixing vulnerabilities multiple times faster," per Anthropic's update.

Cisco: contributed its Foundry Security Spec to the program — a partner contribution rather than a partner finding, but worth noting because it indicates the partnership flows in both directions, not just Anthropic-to-partner data delivery.

Several partners reported a 10x or more bug-finding rate compared with their prior tooling. That is the single most replicated claim across the update and it is the rate-of-discovery number that ultimately matters for industry adoption.

Strategic read — what the May 22 update actually does for Anthropic

This is the part where editorial judgment, not the source paper, is doing the work. The update lands at a moment when the closed-coalition narrative was under live attack.

It gives Anthropic ammunition against the "fear-based marketing" critique

In late April, Sam Altman called Anthropic's Mythos rollout "fear-based marketing" — we covered that in our piece on Altman's brutal takedown of Claude Mythos. The closed-coalition framing was hard to defend on substance because the substance — what the model was actually doing — was confidential to partners.

Ten thousand high or critical vulnerabilities in one month, 1,587 validated true positives, and a third-party 90.6% precision rate is the kind of operational artifact that is difficult to dismiss as marketing. Anthropic did not respond to Altman with a press release. It responded with a metric.

It reframes the OpenAI Daybreak coalition comparison

OpenAI's Daybreak launch on May 11 ran on the explicit narrative of breadth — 20+ partners, GPT-5.5 Cyber publicly available, an EU regional overlay, a Codex Security agentic add-on. Anthropic's update on May 22 implicitly reframes the comparison from breadth to throughput. Forty extra partners do not automatically equal ten thousand extra vulnerabilities; the model and its access conditions matter.

The question this update raises — and intentionally leaves open — is whether Daybreak partners are running comparable workloads at comparable precision, and whether OpenAI will publish equivalent throughput numbers. As of May 24, OpenAI has not.

It anchors the AISI relationship into the policy narrative

The UK AI Security Institute calling Mythos Preview "the first model to solve both of our cyber ranges end-to-end" is the line that travels farthest into policy circles. AISI is the working model for the kind of frontier evaluation body that the EU AI Office is building toward. Anthropic now has a named, attributed, on-record AISI endorsement on cyber capability — and that endorsement is going to be cited in every regulatory hearing on closed-vs-open frontier release for the rest of the year.

The bottleneck problem — what Anthropic does not yet solve

The most honest passage in the update is the maintainer-capacity admission. Some open-source maintainers have explicitly asked Anthropic to slow down disclosures because they cannot keep up. Anthropic's framing — that the problem is now patching, not finding — is technically accurate. But the implied next step is unaddressed in the May 22 document.

There are three plausible structural moves:

  1. Anthropic funds the patch side directly — paid maintainers, fix-side credits, or sponsored security engineering programs targeted at the most fragile critical-path open-source projects. The update does not commit to this.
  2. Anthropic ships an autonomous patch agent on top of Mythos Preview — close the loop from discovery to verified patch within the Glasswing partner envelope. The OpenAI Daybreak launch shipped Codex Security as exactly this kind of inner-loop agent. Anthropic does not yet have a publicly-named equivalent inside Glasswing.
  3. Anthropic throttles its own discovery rate — the option that some partners are reportedly requesting. This is the only one in Anthropic's strategic interest to avoid, because the discovery-rate-of-10x is the marketing artifact of the program.

Which path Anthropic takes in the next 30-60 days will tell us a lot about whether Glasswing scales as a self-sustaining cybersecurity ecosystem or stays a closed-coalition demonstration. In my view, the next update will be defined by the answer to one question: did Anthropic launch a patch-side companion product, or did it just publish another discovery throughput figure?

Glasswing vs Daybreak strategic comparison May 2026 — Anthropic closed coalition 50 partners 10000 vulnerabilities vs OpenAI Daybreak 20 partners open access GPT 5.5 Cyber, ThePlanetTools strategic analysis
May 2026 cyber-AI map — Glasswing closed throughput vs Daybreak open breadth. The bottleneck shifts strategy.

What to watch over the next 30 days

  • OpenAI Daybreak's first equivalent update. The natural response to Anthropic's number is a Daybreak throughput number. Watch for 20-partner aggregated stats on findings, patches, and false positive rate, especially against GPT-5.5 Cyber's publicly available variant.
  • An Anthropic patch-side product. If Glasswing's next visible move is a Mythos-powered autonomous patching agent, the closed coalition becomes a full inner-loop platform and the bottleneck argument collapses.
  • The 827 pending disclosures. Anthropic published the pending number publicly. That is a clock. Either advisories ship at a faster cadence or the bottleneck argument starts cutting the other way — against Anthropic itself.
  • Open-source maintainer funding. If a major foundation (the Linux Foundation, the OpenSSF, the OpenJS Foundation) announces matched funding specifically tied to Glasswing-sourced disclosures, that is the structural move that Anthropic's update points toward without yet committing to.
  • EU and US policy response. AISI's endorsement is the wedge that opens the policy conversation. Whether the EU AI Office cites Glasswing precision numbers in its first cyber-risk guidance is the leading indicator on whether closed coalitions become a sanctioned regulatory pattern.

The bottom line

Anthropic spent April under attack for closing Mythos Preview behind a four-hyperscaler coalition. On May 22 it answered with the number it could not previously publish: more than 10,000 high or critical vulnerabilities found in one month, 90.6% validation precision via third-party security firms, and named-attribution results from Cloudflare, Mozilla, Palo Alto Networks, Microsoft, Oracle, and the UK AI Security Institute.

The closed-coalition critique does not disappear. Whether closed access at this throughput is more societally valuable than open access at lower precision is still an open policy question — and it should be. But the May 22 update changes the terms of that argument. Anthropic is no longer defending an idea. It is defending a deliverable.

And the bottleneck has moved. The bug-hunting era is, on Anthropic's own framing, over. The patching era starts now — and that is a much harder problem to fund, scale, and ship through.

Frequently Asked Questions

What is Project Glasswing?

Project Glasswing is Anthropic's cybersecurity initiative, announced in April 2026 alongside the Claude Mythos Preview unveil. It is the formal program through which Anthropic gives selected partners — approximately 50, according to the May 22 update — access to Mythos Preview for offensive security work, vulnerability discovery, exploit verification, and patch generation. Mythos Preview is not available through the public Claude API; access is gated through Glasswing partner agreements.

How many vulnerabilities did Claude Mythos Preview find through Glasswing in one month?

According to the May 22, 2026 initial update from Anthropic, Claude Mythos Preview found more than 10,000 high or critical severity vulnerabilities across Glasswing partners in the program's first month of operation. The update specifies that 6,202 high or critical vulnerabilities were estimated across 1,000+ open-source projects alone, with 90.6% validation precision based on a third-party security firm audit of 1,752 sampled findings.

How many of the Glasswing-found vulnerabilities have been patched?

As of the May 22, 2026 update, only 75 of the 530 high or critical bugs reported to open-source maintainers have been patched. Sixty-five public advisories have been issued. 827 confirmed high or critical vulnerabilities are still pending disclosure. Anthropic explicitly states that the new bottleneck in cybersecurity is no longer finding vulnerabilities but verifying, disclosing, and patching them.

What did Cloudflare find with Claude Mythos Preview?

Cloudflare reports that Claude Mythos Preview, accessed via Project Glasswing, found 2,000 bugs across its critical-path systems in the first month — 400 of which are high or critical severity. Cloudflare's security team states that the false positive rate from Mythos Preview is better than its own human testers, which is the strongest operational claim in the entire May 22 update.

What did Mozilla find in Firefox 150?

Mozilla used Claude Mythos Preview to scan Firefox 150 and found 271 new vulnerabilities, compared with the prior baseline established when Firefox 148 was scanned by an earlier Claude generation (Claude Opus 4.6). The same code base lineage with a newer model produced a dramatically larger discovered vulnerability surface — the cleanest model-to-model delta in the May 22 update.

What is Claude Mythos Preview?

Claude Mythos Preview is Anthropic's frontier closed-access model, unveiled in April 2026. It is not available through the public Claude API. Access is restricted to Project Glasswing partners under a Trusted Access for Cyber-style agreement. Anthropic describes it as more powerful than Claude Opus 4.7 on cybersecurity tasks, and the May 22 Glasswing update is the first public throughput data on Mythos Preview's operational capabilities.

What did the UK AI Security Institute say about Mythos Preview?

The UK AI Security Institute (AISI) — the UK's frontier-model evaluation body — reports that Claude Mythos Preview is the first model to solve both of its cyber range simulations end-to-end. AISI's endorsement is the most policy-relevant third-party validation in the May 22 Glasswing update and will likely be cited in regulatory hearings on closed-versus-open frontier model release.

What did XBOW say about Claude Mythos Preview?

XBOW, an independent security platform, evaluates frontier models on its web exploit benchmark. XBOW called Mythos Preview a "significant step up over all existing models" and credited it with "absolutely unprecedented precision" on a token-for-token basis. XBOW is one of the few third parties with comparable evaluation methodology across labs, making this one of the most credible cross-lab comparisons in the update.

How does Glasswing compare to OpenAI Daybreak?

OpenAI launched Daybreak on May 11, 2026 as the direct response to Anthropic Glasswing and Mythos. Daybreak ships with 20+ partners, GPT-5.5 with Trusted Access for Cyber publicly available, and a Codex Security agentic add-on. Glasswing is closed by design, with approximately 50 partners and Mythos Preview not available through the public API. Anthropic's May 22 throughput numbers reframe the comparison from coalition breadth (Daybreak's advantage) to per-partner throughput at high precision (Glasswing's claimed advantage). OpenAI has not yet published equivalent operational throughput data.

Why are some open-source maintainers asking Anthropic to slow down?

According to the May 22 update, several open-source maintainers have told Anthropic they are "severely capacity constrained" and have asked Anthropic to slow down its rate of disclosure because they need more time to design patches. The volume and rate of valid high or critical findings from Mythos Preview now exceeds the patching capacity of some maintainer teams. This is the most editorially significant admission in the update because it identifies the new bottleneck in AI-assisted cybersecurity: unpaid human maintainer time.

What is the average time to patch a Mythos-found vulnerability?

According to the May 22 Glasswing update, the average time to patch a high or critical severity bug found by Claude Mythos Preview is two weeks. The quote from Anthropic states: "On average, a high- or critical-severity bug found by Mythos Preview takes two weeks to patch."

What happens next for Project Glasswing?

Three structural moves are plausible over the next 30-60 days: (1) Anthropic directly funds patch-side work and open-source maintainers; (2) Anthropic ships an autonomous patching agent on top of Mythos Preview to close the discovery-to-patch loop inside Glasswing, mirroring OpenAI Codex Security in Daybreak; (3) Anthropic throttles its own discovery rate at maintainer request. The May 22 update commits to none of these — but the framing makes the patch-side bottleneck the next public test for the program.

Sources

Editorial note: every numeric claim in this article is sourced verbatim from the Anthropic Project Glasswing Initial Update of May 22, 2026. Quotes are reproduced exactly as published by Anthropic. Strategic interpretation is editorial and labelled as such in context.

Related Articles

Was this review helpful?
Anthony M. — Founder & Lead Reviewer
Anthony M.Verified Builder

We're developers and SaaS builders who use these tools daily in production. Every review comes from hands-on experience building real products — DealPropFirm, ThePlanetIndicator, PropFirmsCodes, and many more. We don't just review tools — we build and ship with them every day.

Written and tested by developers who build with these tools daily.

Learn more about our team →See our testing setup →Read our editorial policy →