AI Finds Bugs Faster Than They Can Be Patched
Anthropic says its experimental cybersecurity AI has already uncovered more than 10,000 high- or critical-severity vulnerabilities across some of the world’s most important software systems, highlighting what could become one of the biggest challenges facing cybersecurity in the AI era.
Project Glasswing
The findings come from Project Glasswing, a restricted cybersecurity initiative launched by Anthropic to help protect critical software infrastructure before increasingly capable AI systems can be used by attackers.
At the heart of the programme is Claude Mythos Preview, a specialised version of Anthropic’s AI designed specifically for vulnerability discovery, software analysis, and cyber defence tasks.
Unlike publicly available AI models, Mythos Preview has only been made available to around 50 carefully selected partners, including organisations responsible for maintaining and defending some of the world’s most important digital infrastructure.
According to Anthropic, those partners have collectively used the system to find “more than ten thousand high- or critical-severity vulnerabilities across the most systemically important software in the world” in just one month.
The Scale Of What Was Found
Anthropic says its partners have identified more than 10,000 high- or critical-severity vulnerability candidates. Of those, over 1,700 have already been verified as genuine security flaws, while more than 1,000 have been confirmed as high- or critical-severity vulnerabilities.
The company says it’s also been using Mythos Preview internally to scan more than 1,000 open-source software projects that underpin large parts of the internet.
So far, Anthropic says the model has identified 6,202 potential high- or critical-severity vulnerabilities within those projects alone. After detailed assessment by independent security researchers, 1,094 have already been confirmed as genuine high- or critical-severity flaws.
One example involved a serious vulnerability in wolfSSL, a widely used cryptographic library deployed across billions of devices. Anthropic says Mythos Preview discovered a flaw that could have allowed attackers to forge digital certificates and impersonate legitimate online services. The vulnerability has since been patched.
Finding Bugs Is No Longer The Bottleneck
Perhaps the most important aspect of the announcement is that Anthropic believes the economics of cybersecurity may now be changing thanks to AI.
Historically, security teams struggled to find vulnerabilities quickly enough, but now the company believes the opposite problem is emerging.
As Anthropic explains: “Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it’s limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI.”
In other words, AI may be becoming so effective at discovering software flaws that human security teams cannot process, investigate, and fix them quickly enough.
Industry-Wide
That concern appears to be reflected across the industry. For example, Anthropic points to reports from Microsoft that patch volumes are expected to continue rising, while Oracle has already accelerated its patching schedules. The company also says Cloudflare found 2,000 bugs across critical systems while using Mythos Preview, including 400 classified as high- or critical-severity. Mozilla reportedly found more than ten times as many vulnerabilities in one Firefox testing cycle as in earlier testing using conventional methods.
More Than Just Vulnerability Hunting
Anthropic says Mythos Preview has also shown value beyond traditional vulnerability discovery.
For example, one banking partner reportedly used the system to identify and prevent a fraudulent $1.5 million wire transfer after attackers compromised a customer email account and used spoofed phone calls to support the fraud attempt.
The company argues this demonstrates how advanced AI could increasingly act as a defensive force multiplier, helping cyber defenders analyse vast quantities of information far more quickly than human analysts alone.
However, Anthropic is also being careful about how widely it releases these capabilities.
The company has not made Mythos Preview publicly available because it believes safeguards remain insufficient to prevent misuse.
As Anthropic notes: “At present, no company, including Anthropic, has developed safeguards strong enough to prevent such models from being misused and potentially causing severe harm.”
Why This Matters
The announcement seems to highlight a broader change taking place across cybersecurity.
For years, security professionals worried about attackers using AI to create phishing campaigns, malware, and social engineering attacks. Increasingly, attention is turning towards AI-assisted vulnerability discovery, where software flaws can be found at unprecedented speed and scale.
Anthropic itself acknowledges the challenge directly, saying: “The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.”
That challenge becomes even more significant if similar capabilities become widely available across the industry.
Although Anthropic has restricted access to Mythos Preview, the company openly states that models with comparable capabilities are likely to emerge elsewhere and eventually become more broadly accessible.
What Does This Mean For Your Business?
For businesses, the most important takeaway here is that vulnerability discovery is accelerating rapidly, which means slow patching cycles are becoming harder to justify just as quickly.
Many organisations still spend weeks or months testing and deploying updates, particularly in operational technology, manufacturing, healthcare, and other environments where change control is complex. As AI systems become better at uncovering vulnerabilities, those delays could create increasingly attractive opportunities for attackers.
Anthropic is urging organisations to focus on fundamentals such as faster patch deployment, stronger network configurations, multi-factor authentication, and comprehensive security logging. Those recommendations are not new, but the urgency behind them is growing because AI is dramatically reducing the effort required to find weaknesses in software.
The wider message is that AI is changing the balance between attackers and defenders. For now, tools such as Mythos Preview may provide what Anthropic describes as an “asymmetric advantage” for defenders. The question facing the cybersecurity industry is how long that advantage will last once similar capabilities become widely available.