Anthropic’s Claude Mythos Preview Uncovers 10,000+ 0-Days in

Anthropic recently disclosed the staggering initial results of Project Glasswing, a collaborative cybersecurity initiative. This project leverages advanced AI to secure critical infrastructure, preventing exploitation by malicious actors.

In its first month, the project leveraged the unreleased Claude Mythos Preview model to autonomously discover over 10,000 high- and critical-severity zero-day vulnerabilities across the world’s most critical software systems.

Anthropic partnered with over 50 major technology organizations, including Microsoft, Apple, Google, and Cloudflare, to deploy Claude Mythos Preview against highly targeted codebases. The model has demonstrated an unprecedented ability to not only identify flaws but also construct functional exploits autonomously.

Cloudflare reported finding 2,000 bugs, including 400 of high or critical severity, noting that the model’s false-positive rate outperforms human security testers.

Claude Mythos Preview Uncovers 10,000+ 0-Days

Independent evaluations confirm these capabilities across multiple environments. The UK’s AI Security Institute observed that Mythos Preview is the first model to fully solve its multistep cyberattack simulations, while Mozilla utilized the model to uncover and patch 271 vulnerabilities in Firefox 150, yielding ten times more findings than previous testing with Claude Opus 4.6.

Due to the severe dual-use risks associated with these autonomous exploit capabilities, Anthropic has withheld Mythos from public release, restricting its use to defensive consortium members.

Beyond proprietary enterprise systems, Anthropic directed Claude Mythos Preview to scan over 1,000 widely used open-source projects. A notable discovery was CVE-2026-5194, a critical flaw in the wolfSSL cryptography library.

Mythos Preview successfully engineered an exploit for this vulnerability that allowed for the forgery of security certificates, a vector that could enable attackers to spoof banking or email domains invisibly.

The sheer volume of discoveries has exposed a critical structural weakness in the software industry: the human capacity to triage, report, and patch vulnerabilities cannot keep pace with AI-driven discovery.

The initial scanning phase yielded 23,019 candidate findings. When 1,900 of these findings were reviewed by external security firms, 1,726 (90.8%) were confirmed as valid true positives.

Despite Anthropic reporting a total of 1,596 vetted findings directly to maintainers, only 97 vulnerabilities have been patched upstream to date, resulting in just 88 published security advisories. This massive drop-off highlights the severe capacity constraints faced by volunteer open-source maintainers who are now overwhelmed by high-quality AI vulnerability disclosures.

The industry is entering a transitional phase where the traditional 90-day coordinated vulnerability disclosure window poses new risks. Because Mythos-class models reduce the cost and time of zero-day discovery to nearly zero, the lag between discovery and widespread patch deployment offers a highly dangerous exploit window for threat actors.

Organizations are urged to move beyond relying solely on patching, adapting their network defenses by enforcing strict default configurations, mandating multi-factor authentication, and utilizing advanced behavioral analytics to reduce the mean time to detect (MTTD) post-breach activity.

To support the wider ecosystem while Mythos remains restricted, Anthropic launched Claude Security in public beta for enterprise clients. Utilizing the Opus 4.7 model, this tool has already assisted in patching over 2,100 corporate vulnerabilities.

Additionally, Anthropic is supplying its Cyber Verification Program partners with specialized skills, codebase-mapping harnesses, and automated threat model builders to streamline the triage process.

According to the initial results report, Anthropic is thinking about releasing Mythos-class models in the future.

Furthermore, coalition partners like Cisco have open-sourced resources such as the Foundry Security Spec to help global defenders build robust AI-assisted evaluation systems to manage the coming wave of vulnerability data.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.