Monday, May 25, 2026 | 04:07 PM IST
Business Standard

Anthropic's Mythos finds 10,000+ vulnerabilities, flags security bottleneck

Anthropic's cybersecurity system flags over 10,000 vulnerabilities in weeks, highlighting a growing gap between rapid AI-driven discovery and slower patching and disclosure processes

In a blog, Anthropic said that Mythos Preview had found 'thousands of high-severity vulnerabilities, including some in every major operating system and web browser'

Harsh Shivam New Delhi

Anthropic has said that its AI-driven cybersecurity system, Claude Mythos Preview, has identified more than 10,000 high- and critical-severity vulnerabilities across widely used software systems within weeks. The update, shared as part of the company’s Project Glasswing initiative, suggests that the limiting factor in cybersecurity is no longer the discovery of vulnerabilities, but the ability of the ecosystem to process and fix them.
 
“Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it’s limited by how quickly we can verify, disclose, and patch,” the company said.

What is Anthropic’s Mythos

Anthropic’s Mythos is a frontier AI model that has not yet been released publicly. It is capable of analysing software behaviour, identifying vulnerabilities, and in some cases autonomously discovering exploit paths within complex systems. Anthropic has described Mythos as a tightly restricted and carefully monitored system, given the advanced nature of its capabilities and the potential risks associated with misuse.
 
The company is currently providing limited access to some of these capabilities through Project Glasswing, where select organisations are testing and integrating the system under controlled conditions.

What has Mythos discovered so far

Under Project Glasswing, Anthropic has worked with around 50 partner organisations, including companies maintaining critical infrastructure software. According to the company, most partners have individually identified hundreds of high- or critical-severity vulnerabilities within their own systems.
 
In aggregate, this has crossed 10,000 vulnerabilities, while several partners reported that their bug discovery rates increased by more than 10 times after using the system, according to Anthropic.
 
Cloudflare, for instance, identified around 2,000 bugs across its systems, including 400 classified as high or critical severity.
 
A significant portion of this discovery effort has been focused on open-source software. Anthropic said it has scanned over 1,000 open-source projects and identified more than 23,000 vulnerabilities in total, of which 6,202 were initially classified as high or critical severity.

Some of these vulnerabilities are non-trivial. In one case, the system identified a flaw in a widely used cryptography library that could allow attackers to forge digital certificates and impersonate trusted websites, highlighting the depth of analysis the model is capable of.

The patching pipeline is struggling to keep up

While discovery has accelerated, the remediation pipeline has not. According to Anthropic, the current system requires a multi-step process before a fix is rolled out. This typically includes steps such as:
  • Reproducing and validating the issue
  • Assessing severity
  • Coordinating disclosure with maintainers
  • Designing and testing patches
  • Rolling out fixes
Each of these steps requires human intervention and coordination.
 
Data from Anthropic’s own disclosure pipeline highlights the scale of the gap. Of over 23,000 vulnerabilities identified, only a fraction have been formally reported to maintainers, fewer have been acknowledged, and just 97 vulnerabilities had been patched upstream at the time of reporting.
 
Even when prioritised, fixing high-severity vulnerabilities takes time. The report notes that, on average, such bugs take around two weeks to patch.
 
This creates a structural imbalance: vulnerabilities can now be found in minutes or hours, but fixing them still operates on a multi-day or multi-week timeline.

Faster discovery creates a widening risk window

There is typically a lag between vulnerability discovery and patch deployment, governed in part by coordinated disclosure norms that allow developers time to fix issues before they are made public.
 
However, as discovery accelerates, this lag becomes more significant. Anthropic noted that long delays between discovery, patch creation, and deployment can leave systems exposed for extended periods.
 
This concern is compounded by the fact that similar capabilities may not remain restricted. Anthropic said models with comparable cybersecurity capabilities are likely to become more widely available in the near future, increasing the risk that attackers could use them to identify and exploit vulnerabilities at scale.
 
Earlier this month, Google reported what it described as its first confirmed case of a zero-day exploit being developed with the help of AI tools, indicating that such a shift may already be underway.

Industry response is beginning to adapt

Anthropic said software companies are beginning to increase the volume and frequency of patches. For instance, some vendors have released significantly larger patch updates than usual, while others have accelerated vulnerability response cycles.
 
The company is also pushing tools aimed at reducing the gap between discovery and remediation. These include systems such as Claude Security, which can scan codebases for vulnerabilities and generate suggested fixes, as well as tools for automating parts of the triage and reporting process.

First Published: May 25 2026 | 4:06 PM IST