Ten thousand critical bugs in thirty days. That’s the number Anthropic reportedly produced through Claude Mythos Preview’s first full deployment cycle inside Project Glasswing, and if the primary source were accessible for independent verification, it would be the most significant single data point in AI-assisted cybersecurity to date. Even with the qualification that Anthropic’s progress report couldn’t be confirmed at the source URL, the capability claim is corroborated. Anthropic’s security research division documents Mythos Preview running “a thousand runs through our scaffold” on a single critical OpenBSD vulnerability before surfacing it. That’s not a press release number. That’s a methodology description.
The question isn’t whether the capability is real. It’s who controls what happens next.
The Capability Layer: What Mythos Preview Actually Demonstrated
Autonomous vulnerability discovery isn’t new. What’s new is scale. According to Anthropic’s progress report, Claude Mythos Preview scanned more than 1,000 open-source projects, reportedly identifying approximately 6,202 high- or critical-severity vulnerabilities within that subset alone. The total figure across all project categories reportedly exceeds 10,000.
All of these figures carry a significant qualification: Anthropic’s primary announcement URL was unavailable for direct verification at publication time. Every metric here is attributed to Anthropic’s own reporting. That caveat matters for the specific numbers. It doesn’t change the structural claim, which is corroborated independently.
What Mythos Preview demonstrated, per the red.anthropic.com methodology documentation and the UK AISI’s prior “Cooling Tower” benchmark evaluation, is an agentic system capable of sustained, high-volume code auditing at a depth that requires thousands of iterative runs per target. The part nobody mentions in the coverage of the vulnerability count: the human security researcher doing this work manually would need weeks per project. Mythos did 1,000+ projects in a month.
Cost and resource requirements for Mythos Preview aren’t disclosed. Access is restricted to the Glasswing partner coalition. There’s no API, no inference pricing, no public benchmark leaderboard entry.
The Coordination Problem: Why the Bottleneck Has Moved
Scale breaks disclosure. This is the structural claim the progress report supports, and it’s more important than any specific vulnerability count.
Standard responsible disclosure works at human research pace. A security researcher finds a critical vulnerability, contacts the vendor, waits 90 days, and publishes if it remains unpatched. The entire ecosystem is built around that cadence: one finding, one researcher, one vendor, one negotiation. Glasswing’s model produces findings faster than any prior disclosure framework was designed to handle.
Anthropic has reportedly committed to a phased expansion: vetted partner coalition first, then U.S. and allied governments, then broader availability. That sequencing is a direct response to the coordination problem. You don’t release a system that finds 10,000 critical bugs per month until you have a coordination infrastructure that can absorb the disclosure volume.
The part that’s unresolved: that infrastructure doesn’t yet exist at the required scale. Cloudflare reportedly found 2,000 bugs across its critical-path systems, 400 classified as high or critical, per figures included in Anthropic’s progress report. No independent Cloudflare confirmation of these figures was available at publication time. If accurate, that’s one partner’s triage queue. Multiply across 50 organizations.
Even a single coalition partner’s intake is a significant operational challenge. The disclosure burden doesn’t fall on Anthropic. It falls on the receiving organization’s security team – coordinating CVE filings, prioritizing patches, notifying downstream users, managing embargo timelines. Patch velocity in production infrastructure hasn’t increased proportionally to Mythos’s discovery velocity. That gap is where vulnerabilities live.
Disputed Claim
A minor CVE attribution discrepancy between Anthropic's progress report and Palo Alto Networks' PSIRT portal is unresolved. At 10,000+ reported vulnerabilities, even small attribution errors compound into material triage failures: a CVE attributed to the wrong component gets patched in the wrong place. Neither organization has publicly addressed the discrepancy.
The Stakeholder Map: Who Controls What
The Glasswing access architecture has four tiers, and security teams’ position within it determines what they can and can’t see.
Tier 1: Anthropic. Controls Mythos Preview, the scanning infrastructure, and the decision of what gets scanned. Sets the terms of coalition membership. Owns the disclosure timeline architecture. Has reportedly committed to expanding access to governments before general release.
Tier 2: Coalition Partners (approximately 50 organizations, per Anthropic). Named partners reportedly include Microsoft, Amazon, CrowdStrike, Palo Alto Networks, and JPMorgan Chase. These organizations receive Mythos-generated findings on their own infrastructure and participate in the coordinated disclosure process for open-source vulnerabilities their products depend on. The governance structure behind this coalition was mapped when Glasswing launched in May 2026; the progress report is the first data on what that governance produced operationally.
Tier 3: Government Recipients (forthcoming, per Anthropic). U.S. and allied governments are reportedly the next expansion target before any general release. This tier doesn’t exist in the current architecture; it’s a stated commitment, not a deployed system. What it signals is that Anthropic views government-level vetting as a prerequisite for the next phase of Mythos deployment. The architecture of restricted AI access Anthropic has built treats governments as a trust tier above commercial partners but below Anthropic itself.
Tier 4: Everyone Else. Security teams not inside the coalition have no path to Glasswing findings, no visibility into what Mythos has scanned, and no coordination channel for vulnerabilities in their infrastructure that Mythos may have already found. This is the tier that matters most for practical planning, because it’s the largest and the most exposed.
The Contested Question: Restricted Access or Two-Tier Ecosystem?
Not everyone accepts the premise that restricted access is the right architecture.
Independent security researchers at Vidoc Security Lab reproduced findings consistent with Anthropic’s Mythos capability claims using publicly available models. Their position, reported in coverage of Project Glasswing, frames the restricted-access model as a policy choice rather than a technical necessity, suggesting the capability for AI-driven vulnerability discovery doesn’t require gated access to exist in the wild.
This is a legitimate counterpoint with real consequences. If public models can approximate Glasswing’s discovery capability, the closed coalition model doesn’t prevent AI-powered offensive vulnerability research. It just prevents coordinated disclosure. Threat actors operating outside any ethical disclosure framework don’t need a Glasswing invitation to run automated vulnerability scanning at scale.
There’s also an unresolved data quality issue. A minor discrepancy in CVE attribution between Anthropic’s progress report and Palo Alto Networks’ PSIRT portal hasn’t been publicly addressed. At the volume Glasswing operates, even minor attribution inconsistencies create material triage problems: a CVE attributed to the wrong component gets patched in the wrong place. Both organizations should issue clarification before the figures are treated as definitive.
What Security Teams Outside the Coalition Should Do
Three things, in priority order.
First: build the intake process now. AI-generated CVE disclosures are coming from inside and outside any vetted partnership. Security teams that wait until they receive one to build a triage workflow will be behind on day one. The relevant operational question isn’t “are we in the Glasswing coalition?” but “do we have a process for handling a bulk AI-generated vulnerability disclosure if one arrives?”
Second: inventory your open-source dependencies. The 6,202 figure reportedly covers open-source projects, not proprietary codebases. If your infrastructure depends on open-source components, Glasswing may have already surfaced findings that will eventually reach you through CVE databases, even if you’re not a coalition partner. Check your software bill of materials against any CVEs that emerge from Glasswing’s findings as they’re published.
Third: watch the government expansion announcement. When Anthropic moves to Tier 3 (U.S. and allied government access), the coalition’s coordinated disclosure scope will expand significantly. That expansion will likely come with formal disclosure timelines and notification protocols. Understanding those protocols in advance is better than learning them under a 90-day embargo clock.
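A minimal sketch of the intake step described in the first two items, as an added example that is not code from Anthropic, Glasswing, or any coalition partner: it deduplicates a bulk disclosure, matches each finding against an SBOM inventory, and sets aside findings whose attributed component is not deployed so they get manual review instead of a patch in the wrong place. The finding record layout, the package names, and the `FINDING-` identifiers are constructed assumptions; the page does not describe the format in which Glasswing findings are delivered.

```python
import json

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed SBOM fragment (CycloneDX-style "components" list with purls).
SBOM = json.loads("""
{"components": [
  {"purl": "pkg:pypi/examplelib@2.4.1"},
  {"purl": "pkg:npm/sample-parser@1.0.3"},
  {"purl": "pkg:generic/demo-tls@3.2.0"}
]}
""")

# Constructed bulk disclosure. IDs are placeholders, not real CVEs, and the
# record layout (package purl + explicit affected versions) is an assumption.
FINDINGS = [
    {"id": "FINDING-0001", "package": "pkg:pypi/examplelib", "affected": ["2.4.0", "2.4.1"], "severity": "high"},
    {"id": "FINDING-0002", "package": "pkg:generic/demo-tls", "affected": ["3.2.0"], "severity": "critical"},
    {"id": "FINDING-0002", "package": "pkg:generic/demo-tls", "affected": ["3.2.0"], "severity": "critical"},
    {"id": "FINDING-0003", "package": "pkg:npm/sample-parser", "affected": ["0.9.0"], "severity": "critical"},
    {"id": "FINDING-0004", "package": "pkg:npm/not-in-inventory", "affected": ["1.0.0"], "severity": "high"},
]

def inventory(sbom):
    """Map each package purl (version stripped) to the set of deployed versions."""
    inv = {}
    for comp in sbom["components"]:
        package, _, version = comp["purl"].rpartition("@")
        inv.setdefault(package, set()).add(version)
    return inv

def triage(sbom, findings):
    """Split a bulk disclosure into a patch queue and the buckets that need no patch."""
    inv = inventory(sbom)
    seen, result = set(), {"queue": [], "not_affected": [], "unmatched": [], "duplicates": 0}
    for f in findings:
        if f["id"] in seen:                      # same finding delivered twice
            result["duplicates"] += 1
            continue
        seen.add(f["id"])
        deployed = inv.get(f["package"])
        if deployed is None:                     # component not in the SBOM: review attribution
            result["unmatched"].append(f["id"])
        elif deployed & set(f["affected"]):      # a deployed version is affected
            result["queue"].append(f)
        else:                                    # component present, version not affected
            result["not_affected"].append(f["id"])
    result["queue"].sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 99), f["id"]))
    return result
```

Real advisories usually express affected versions as ranges rather than explicit lists, so a production intake would replace the set intersection with a range comparison for the relevant package ecosystem.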
TJS Synthesis
Project Glasswing’s first progress report confirms what the access architecture always implied: AI-powered vulnerability discovery at scale is not a research demo. It’s a production system operating inside critical infrastructure right now, with a coordination overhead that the security industry’s existing disclosure frameworks weren’t designed to absorb.
The restricted-access model is Anthropic’s answer to a real problem. It’s also creating a secondary problem: a two-tier vulnerability ecosystem where coalition members get coordinated remediation timelines and everyone else gets CVE database entries after the fact.
Security teams outside the coalition have one actionable move before the government expansion announcement: treat the next phase as a planning horizon, not a wait-and-see event. The operational infrastructure for AI-generated vulnerability intake needs to exist before the volume justifies building it. At Glasswing’s reported pace, the volume is already there.