A's Project Glasswing Achieves Initial Success: Mythos Uncovers 10,000 Critical Vulnerabilities in 30 Days, Even Intercepts $1.5M in Wire Fraud! Facing a Blizzard of Reports, Human Programmers Plead for Mercy: "Stop Finding Them! We Can't Possibly Fix Them All!"
Just now, Anthropic released another piece of news that has shocked the global tech and security circles.
The first-month battle report for "Project Glasswing" has been officially announced!
In this secret operation, Anthropic deployed its next-generation top-tier large language model—Claude Mythos Preview—for the first time.
In just 30 days, partnering with about 50 global internet giants and critical infrastructure software developers, it unearthed over 10,000 high-risk or critical-level software vulnerabilities in one go!
Even more terrifying, it can not only find vulnerabilities but also automatically construct "end-to-end" attack chains.
In a real business scenario at a partner bank, it even successfully intercepted a $1.5 million wire fraud attempt!
Instantly, the entire security community was thoroughly shaken.
Some security experts even exclaimed in despair on X: "The foundation of the internet has been turned upside down by AI... We might really be done for!"
The Crazy 30 Days
Global Tech Giants Experience Firsthand: How Terrifying is Mythos?
In April 2026, Anthropic secretly launched Project Glasswing. The name symbolizes the hope of making the world's most important closed-source and open-source software transparent and secure.
The first batch to join the plan comprised about 50 critical infrastructure software developers.
After they gained testing access to Claude Mythos Preview, within just one month, the entire industry's worldview was shattered.
Let's look at this dazzling battle report—
Cloudflare reported that in their extremely critical core-path systems, Mythos dug up 2000 vulnerabilities in one go! Among them, 400 were high-risk or critical-level.
Even more outrageous, Cloudflare's security team exclaimed: This AI's false-positive rate is even lower than that of top-tier human security testers.
In the testing of Mozilla's latest Firefox 150 browser, Mythos fixed 271 high-risk vulnerabilities in one go.
This number is over 10 times the vulnerabilities previously found using Opus 4.6 in Firefox version 148!
OpenBSD's reported results are downright spine-chilling: Mythos unearthed a bug hidden in the OpenBSD codebase for a full 27 years!
Moreover, the model didn't even need human intervention; it constructed a complete vulnerability exploitation chain itself.
The UK AI Safety Institute offered official endorsement. They confirmed that Mythos Preview is the world's first AI model capable of end-to-end, fully compromising the double-network test environment they set up.
In practical defense, Mythos also demonstrated its prowess.
At a partner bank, a hacker group had successfully infiltrated a client's email and used AI voice-cloning technology to make a fraudulent call.
At the critical moment when the $1.5 million wire transfer was about to be sent, the Mythos model, through real-time analysis of the abnormal behavior chain, instantly saw through the scam and forcibly blocked the transaction!
"We human security experts look like primitives holding spears, watching an F-22 fighter jet fly overhead," a security researcher participating in the internal testing lamented on X.
Billions of Exposed Devices Worldwide Saved by Mythos!
However, Mythos also triggered a productivity crisis.
In the past, the core bottleneck in cybersecurity was discovering vulnerabilities. Finding a high-risk zero-day vulnerability could take top white-hat hackers weeks or even months.
Now, Claude Mythos has driven the cost and time of finding vulnerabilities to "infinitely close to zero."
Anthropic used it to scan over 1,000 core open-source projects underpinning the global internet. The results are hair-raising—
A total of 23,019 vulnerabilities were discovered, including 6,202 high-risk or critical vulnerabilities assessed by Mythos!
To ensure it wasn't the AI "rambling," Anthropic collaborated with six globally renowned independent security research firms for manual cross-verification.
The result proved: The AI's true positive rate (i.e., the vulnerability actually exists) was as high as 90.6%! Ultimately, 1,094 were confirmed as undeniable high-risk or critical vulnerabilities.
Open-source vulnerability dashboard, showing vulnerabilities of all severity levels
Here, an extremely typical case must be mentioned—wolfSSL.
wolfSSL is a famously prominent open-source cryptography library, used by billions of devices worldwide (including IoT devices, routers, smart cars, etc.).
However, before Mythos, wolfSSL's defenses were like paper. Mythos not only discovered an extremely hidden logic vulnerability but even wrote a set of attack code itself!
Using this code, hackers could arbitrarily forge digital certificates, creating incredibly realistic bank websites or email login pages with no flaws.
If this vulnerability hadn't been discovered and reported for repair by Mythos in advance, once exploited by the black market, the consequences would be unimaginable.
Billions of devices worldwide were actually running exposed on the edge of danger. This time, Mythos pulled them back.
Epic Reversal: Finding Bugs is No Longer the Bottleneck, Fixing Them Is!
As Project Glasswing progressed, a bizarre phenomenon never before seen in cybersecurity history was born.
"The bottleneck of cybersecurity is no longer finding vulnerabilities. The current bottleneck is: the speed at which humans can fix vulnerabilities is far outpaced by the speed at which AI discovers them."
For open-source community maintainers, this is simply a nightmare.
Anthropic's vulnerability reports flew like snowflakes to major open-source communities. The authors are already overwhelmed.
"Stop digging! Please, slow down! We really can't fix them fast enough!"
According to Anthropic, several open-source maintainers recently sent "pleading" emails asking them to slow down the pace of vulnerability disclosure due to severe manpower shortages.
Even with detailed reports, human programmers still need an average of two full weeks to fix a single high-risk vulnerability.
Currently, out of the 1,129 vulnerabilities Anthropic submitted to open-source authors, only 75 high-risk ones have been successfully patched. The current security ecosystem is severely overloaded!
Fight Fire with Fire: Anthropic's Defense
Since humans can't keep up with fixing them, fight fire with fire.
Anthropic decisively unveiled its "Defender Toolkit" plan.
First is the heavy-weight launch of Claude Security.
This is an automation marvel built specifically for Claude Enterprise customers. Its logic is: I not only help you find vulnerabilities in your codebase, but I also directly write the fix patches for you.
Within just three weeks of launch, enterprise customers have already used Opus 4.7 to fix over 2100 vulnerabilities at lightning speed!
Next is the "Network Verification Program."
Anthropic now allows professional white-hats, penetration testers, and red/blue teams to legally and compliantly lift certain "security restraints" on the Claude model for legitimate vulnerability research and test range activities.
More interestingly, Anthropic directly open-sourced a "BUG-finding pipeline."
1 Customized Instructions (Skills): Teach you how to keep the AI focused for deep code review.
2 Automation Framework (Harness): A command system enabling Claude to automatically traverse massive codebases, clone sub-agents for parallel scanning, automatically triage vulnerabilities, and generate reports.
3 Threat Model Builder: Simply throw your code in, and the AI automatically identifies the system's most vulnerable "soft spots," prioritizing them for defense.
Internet giant Cisco also stepped forward, announcing the open-sourcing of the "Foundry Security Spec" system to build security assessment defenses similar to Mythos.
From now on, it will be: AI finds vulnerabilities, then AI generates patches, with humans only responsible for final review.
This is the ultimate future form of cybersecurity.
The Sword of Damocles: When Will Mythos Be Publicly Released?
So, when exactly will Claude Mythos be officially released to the public?
Anthropic's current stance remains very cautious.
They state that once "more powerful, higher-level safety guardrails" are built, Mythos-level models will inevitably be pushed for full public release!
It cannot be released now because it is simply too dangerous.
As the XBOW test report states: Mythos Preview achieves "generational leaps ahead of all existing models" in web vulnerability exploitation benchmarks, even demonstrating "absolutely unprecedented precision" in every single token generation.
Anthropic is very clear that currently, no company in the world possesses security mechanisms strong enough to 100% ensure this model won't be abused.
If Mythos's API were made public today, tomorrow global hacker groups, and even some extremist organizations, could mass-produce thousands of zero-day exploitation tools at extremely low cost.
Ordinary people's computers, hospital systems, power grid control centers would face a catastrophe!
Anthropic's recommendations are:
1 Shorten the patch cycle! Shorten the patch cycle! Shorten the patch cycle! Don't hoard updates for a month; use existing AI tools (like Opus 4.7) to push security fixes to users as soon as possible.
2 Enforce upgrade policies. Developers must make updates as effortless as possible for users to install; for those who stubbornly refuse to upgrade, enforce network disconnection. Return to security fundamentals.
3 Strengthen multi-factor authentication (MFA), harden default configurations, maintain detailed logs.
The Calm Before the Storm
One month, collaboration with over 50 giants, 10,000+ critical vulnerabilities, intercepting $1.5M in wire fraud... These are just the initial results of Claude Mythos Preview flexing its muscles.
Right now, human programmers are experiencing the birth pangs—being inundated by AI reports, patching bugs that have lurked for 20-30 years.
But as Anthropic envisions—
"After navigating these risks, an exhilarating world beckons: one where humanity's important code will be forged to be a hundred times more robust than today's, and hacker attacks will become an exceedingly rare historical footnote."
Let us silently thank those AIs tirelessly reviewing hundreds of millions of lines of code.
It's quite possible that it just blocked a potentially fatal nuclear blast for you.
References:
https://x.com/AnthropicAI/status/20579091025425495
This article is from the WeChat public account "AI New Wisdom," author: ASI Revelation, editor: Aeneas Moses
