Anthropic — Project Glasswing Expands Mythos Preview to 200 Organizations, 10,000+ Vulnerabilities Found

AI relevance: Claude Mythos Preview is a purpose-built vulnerability-discovery model whose autonomous code analysis is being deployed across critical-infrastructure operators — the first large-scale example of frontier AI operating as a cyber-defense tool in production.

Key details

  • Scale of expansion. Anthropic announced on June 2 that ~150 new organizations across 15+ countries joined Project Glasswing, bringing total participation to roughly 200 partners. Sectors include banking, healthcare, telecommunications, and energy.
  • 10,000+ vulnerabilities found. The initial 50 partners — including Microsoft, Google, AWS, Apple, NVIDIA, Cisco, CrowdStrike, Palo Alto Networks, JPMorgan Chase, and the Linux Foundation — collectively identified more than 10,000 high- or critical-severity security flaws in widely used operating systems, browsers, and enterprise software.
  • Controlled access, not public release. Anthropic deliberately withheld Mythos from public distribution because of dual-use concerns: the same capability that finds flaws for defenders to patch could also accelerate offensive exploitation. Access is limited to pre-screened organizations working on critical infrastructure.
  • First CVE wave expected July 2026. The Project Glasswing coalition plans to publish a summary report and release corresponding CVE entries alongside patches in July, after months of coordinated vulnerability disclosure.
  • India joins the cohort. A single-digit number of Indian government and private-sector organizations received access, including critical-infrastructure operators serving potentially 100+ million users.
  • Anthropic's pause call. Alongside the expansion, Anthropic published "When AI builds itself," urging leading AI labs to consider slowing frontier development so societal structures and alignment research can keep pace.

Why it matters

Project Glasswing demonstrates that frontier AI models can now autonomously discover vulnerabilities at a scale that exceeds traditional human-led security audits. For AI security practitioners, this raises two urgent questions: how do we prepare for a wave of AI-discovered CVEs in our own dependency chains, and what guardrails are needed when AI systems capable of finding zero-days are deployed at scale?

What to do

  • Monitor the July CVE wave from Project Glasswing partners — any widely used library or framework may receive new critical advisories.
  • Review your own dependency scan pipelines; tools like OWASP's CVE Lite CLI can surface vulnerabilities before they become publicly disclosed exploits.
  • If you operate critical infrastructure, consider whether controlled-access AI vulnerability scanning fits your security posture.

Sources