VM Tech Solutions

Anthropic’s Project Glasswing shows AI vulnerability discovery outpacing human patch capacity

Anthropic's May 22, 2026 Project Glasswing update says Claude Mythos Preview helped about 50 partners find more than 10,000 high- or critical-severity vulnerabilities.

Anthropic published an initial Project Glasswing update on May 22, 2026 with a direct message: AI is shifting cybersecurity's bottleneck from finding vulnerabilities to verifying, disclosing, and patching them fast enough. That is a more important change than a single model benchmark.

Project Glasswing is Anthropic's collaborative effort to secure critical software before more capable AI models can be misused by attackers. Anthropic says roughly 50 partners have used Claude Mythos Preview in recent weeks to find more than 10,000 high- or critical-severity vulnerabilities.

The partner evidence is striking. Anthropic says most partners found hundreds of high- or critical-severity issues after one month, and several reported more than a 10x increase in bug-finding rate. Cloudflare found 2,000 bugs across critical-path systems, including 400 high- or critical-severity issues, with a false positive rate its team considered better than human testers.

The open-source scan is just as important. Anthropic says Mythos Preview scanned more than 1,000 open-source projects and estimated 6,202 high- or critical-severity vulnerabilities. After assessment by six independent security research firms and some Anthropic review, 90.6% of a triaged subset were valid true positives, while 62.4% were confirmed high or critical.

Those numbers should not be reduced to "AI replaces security teams." Anthropic's real point is almost the opposite: the new constraint is human capacity. Triage, reporting, patch design, deployment, and coordinated disclosure still require maintainers, vendors, and security researchers. Some maintainers have even asked Anthropic to slow disclosure because they need more time to design patches.

For companies, the lesson is that security workflows need redesign. AI can accelerate discovery, but without vulnerability classification, ownership, disclosure strategy, patch scheduling, and validation, more findings simply create a larger backlog. AI security capability is not the same as security outcome. Throughput across the whole process is what matters.

Project Glasswing is also a warning for every team deploying AI agents. The more agents can reach tools, codebases, and systems, the more mature permissions, auditability, and remediation need to become. Glasswing is not just a tool story. It is a stress test between AI discovery capacity and human governance capacity.

MODULE.002 //

More insights

Ideas on websites, AI automation, digital marketing, AI news, and VMTS updates.

AI News

Google uses Gemini to turn Search ads into product guidance in AI Mode

Google's May 20, 2026 ads update tests new Gemini-powered Search formats that make ads more conversational and more decision-oriented.

May 30, 2026
AI News

Microsoft Copilot Studio shifts enterprise agents toward governance, cost, and workflow control

Microsoft's May 11, 2026 Copilot Studio update focuses on agent governance, Agent 365, usage estimation, workflow agents, MCP tools, app actions, and evaluations.

May 19, 2026
AI News

OpenAI says Codex is moving from coding into broader knowledge work

OpenAI's June 2, 2026 report positions Codex as a productivity agent for reports, spreadsheets, presentations, research, analysis, workflow automation, and lightweight tools.

Jun 02, 2026