Anthropic AI Finds Critical Software Flaws Worldwide
Anthropic’s Claude Mythos AI found more than 10,000 high- and critical-severity vulnerabilities in some of the world’s most widely used software, just one month after Project Glasswing launched.
Project Glasswing is Anthropic’s AI-powered cybersecurity initiative. Through it, roughly 50 partner organizations gained access to Claude Mythos Preview, a frontier AI model built to detect vulnerabilities in critical software. Anthropic disclosed the results on Friday, May 23, 2026.
Of all vulnerabilities found, 6,202 fall into the high- or critical-severity category, affecting more than 1,000 open-source projects. Researchers then confirmed 1,726 as valid true positives. Of those, 1,094 are high- or critical-severity. So far, partners have patched 97 findings upstream and issued 88 security advisories.
One major finding is a critical flaw in wolfSSL, tracked as CVE-2026-5194 with a CVSS score of 9.1. The vulnerability lets attackers forge certificates and impersonate legitimate services, putting systems that rely on the widely used cryptographic library at serious risk.
Offensive security platform XBOW called Mythos Preview a major advance. It rated the model substantially better than prior tools at finding vulnerability candidates and skilled at analyzing source code with a security mindset. Independent researchers also found it excels at turning discovered vulnerabilities into full end-to-end attack chains.
Mythos Preview also showed broader defensive utility. A Glasswing partner bank used the model to detect and stop a fraudulent $1.5 million wire transfer. A threat actor had breached a customer’s email account and made spoofed phone calls to push the transaction through.
Software vendors are now shipping more patches than ever before, largely because AI tools find vulnerabilities faster. Microsoft expects its monthly patch volume to keep growing, while Oracle shifted to a monthly patch cycle to address critical issues more quickly.
Anthropic warned that models with capabilities similar to Mythos Preview could reach the public soon. Because of this, the company urged organizations to shorten patch cycles, harden default network configurations, enforce multi-factor authentication, and maintain comprehensive logs for detection and response.
To support legitimate security work, Anthropic launched a Cyber Verification Program. It lets verified security professionals use its models without guardrails for vulnerability research, penetration testing, and red teaming. OpenAI runs a similar program called Daybreak, which gives security professionals access to GPT-5.5-Cyber for defensive workflows.
Neither Mythos Preview nor GPT-5.5-Cyber is available to the public yet, as both companies say adequate safeguards against large-scale misuse do not yet exist.




