Anthropic's Mythos AI vulnerability detection model under Project Glasswing

Strategic Overview

1. Anthropic's Claude Mythos Preview model, gated behind Project Glasswing, scanned more than 1,000 open-source projects and surfaced 23,019 vulnerabilities, 6,202 of them rated high or critical severity.
2. Anthropic's Glasswing initial update reports that of a 1,752-finding sample, 90.6% were confirmed valid, with 62.4% rated high or critical severity.
3. Mythos uncovered a certificate-forgery flaw in the wolfSSL cryptography library, CVE-2026-5194 at CVSS 9.1, that could let attackers forge certificates for legitimate services; a patch is rolling out.
4. Anthropic says no company, including itself, has yet built safeguards strong enough to prevent misuse, and will keep Mythos-class models gated until those safeguards mature.

Deep Analysis

The Bottleneck Moved Overnight

For two decades, finding a software vulnerability has been the hard part. Disclosure, triage, and patching all queued behind a small population of skilled researchers turning over rocks. Mythos Preview broke that queue. In one month under Project Glasswing, defensive partners surfaced more than 10,000 high or critical severity vulnerabilities, with Cloudflare alone finding roughly 2,000 bugs across its codebase and 400 of those rated high or critical [1]. Mozilla reported 271 vulnerabilities in Firefox 150, more than ten times what the prior Claude Opus 4.6 found in Firefox 148 [1]. And the headline number is even larger: 23,019 total findings across more than 1,000 open-source projects, with 6,202 rated high or critical [1][2].

The interesting move is what Anthropic itself said in the initial update: "Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it's limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI" [1]. The number that proves the point is downstream of discovery. Of approximately 530 high or critical bugs Anthropic and partners actually reported upstream to maintainers, only 75 have been patched with 65 public advisories [1]. That is roughly a 14% remediation rate against a steadily refilling pipeline. The bottleneck did not disappear; it migrated to a system that was already capacity-constrained — small open-source maintainer teams, regression test suites, coordinated-disclosure email threads, change-management boards. Defenders now have an oracle that returns flaws faster than the rest of their stack can absorb them.

Cloudflare's Heresy: Stop Patching Faster

Cloudflare's CSO Grant Bourzikas spent a month with Mythos and came back arguing the opposite of what the industry expected him to argue. The conventional reaction to AI-accelerated bug discovery is to compress patch SLAs — find faster, ship faster, pray the gap stays small. Bourzikas says that is exactly the wrong response. His piece on the Cloudflare blog records direct evidence: "We learned a version of this when we tried letting the model write its own patches and watched a few go out that fixed the original bug while quietly breaking something else" [3]. AI-generated patches are not always safe to ship blind, and the regression risk grows with SLA pressure because aggressive deadlines force teams to skip the tests that catch silent breakage.

His alternative framing is architectural: "The principle is to make exploitation harder for an attacker even when a bug exists, so that the gap between when a vulnerability is disclosed and when it is patched matters less" [3]. In other words, treat the disclosure-to-patch interval as permanent, then design the system so a known unpatched bug is hard to weaponize anyway — segmented networks, capability-restricted runtime sandboxes, default-deny service meshes, hardware-backed memory tagging, assumed-compromise telemetry. This is heretical because it concedes ground that the security industry has spent years denying: defenders cannot win the discovery race anymore, so they have to win a different race. R&D World captured the strategic horizon by reporting that defenders now have months, not years, to prepare for Mythos-class capabilities to proliferate beyond the Glasswing partner list [4]. If Bourzikas is right, the rest of the industry's patch-velocity dashboards are measuring the wrong thing.

The $1,000 Bug Versus the $10,000 Bug

The most uncomfortable counter-evidence against Glasswing's framing is not coming from skeptics or critics; it is coming from a competing model. On May 12, the startup Depthfirst announced that its task-specialized AI uncovered critical infrastructure flaws Mythos had missed — including an NGINX flaw dating to 2008 — at roughly one-tenth the cost [5]. CEO Qasim Mithani put it bluntly: "by optimizing the model architecture for specific tasks, the company can accomplish work that would cost $10,000 with Mythos using just $1,000" [5]. The same KuCoin report notes Depthfirst is matching its claim with a $5M Open Defense Initiative routing credits to smaller enterprises and open-source projects [5].

That reframes the whole story. Anthropic priced Mythos Preview at roughly $25 per million input tokens and $125 per million output tokens during the research preview, frontier-tier pricing well above current Claude rates [6]. The Glasswing report acknowledges that finding a 27-year-old OpenBSD vulnerability cost under $20,000 in autonomous runs [7]. Those are reachable numbers for a Fortune 500 security team and out of reach for the maintainers of widely used libraries that ship with consumer devices at scale. If Depthfirst's economics generalize, the comparative-advantage story flips: the moat is not frontier capability, it is task-specialized cost structure, and the small projects that most need scanning are the ones most likely to be reachable by the cheaper option. Cybernews and others picked up the implicit critique that Anthropic's "too powerful to release" framing is partly a moat-building narrative [8]; the Depthfirst result puts a price tag on that suspicion. The same suspicion is the dominant frame on developer YouTube — the most-engaged critical review of the launch argues that the real moat is money rather than model capability and that Mythos's per-bug economics are uneconomical compared with bug-bounty programs. The institutional read on X has been less skeptical and more financial, treating Glasswing as a corporate-consortium story alongside named partners; that gap between developer skepticism and institutional acceptance is itself worth watching.

The Three-Month Headstart That Could Backfire

Beneath the headlines about new bugs is a structural problem that defenders are only starting to talk about. The Glasswing partners — twelve founding organizations including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus other defensive partners such as Cloudflare and Mozilla — are using Mythos right now to patch vulnerabilities that survived decades of human review (including the 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw that lived through millions of automated test runs) [7]. They will harden their stacks before Mythos-class capabilities go broad. Everyone else starts the race only when the model — or an equivalently capable open-weight successor — becomes generally available, and at that point attackers gain access at exactly the same moment defenders do.

This asymmetry is the loudest concern coming back from the developer community, and it is concrete. Anthropic has committed to eventually releasing Mythos-class models publicly once safeguards mature [9]. The Register report notes that, in the meantime, some open-source maintainers have asked Anthropic to slow disclosure pace, and that maintainers are also fielding low-quality AI-generated bug reports alongside legitimate Mythos findings, complicating triage [9]. The downstream effect is a long-tail patching problem: industrial controllers, smart-home hubs, and the wide install base of consumer devices that ship affected wolfSSL versions [2][10] rarely receive coordinated security updates, so upstream fixes do not translate into deployed protection. The cybersecurity subreddit captured the structural worry exactly: contributors there framed Glasswing as a 90-day head start for a few dozen organizations against a clock that starts the same day for attackers, with little capacity in the rest of the ecosystem to absorb the disclosure wave. OWASP founder Jeff Williams summarized the upstream doubt: "It's highly questionable that Anthropic will be able to limit the malicious uses of this model" [11]. Glasswing buys a head start for a few dozen organizations and hands the rest of the ecosystem a clock that is already counting down.

Historical Context

2026-02: Anthropic began running an early snapshot of Claude Mythos Preview against open-source projects, partnering with external security firms for triage and coordinated disclosure.
2026-04-07: Anthropic publicly launched Project Glasswing with twelve founding partners, $100M in Mythos usage credits, and $4M in open-source security donations.
2026-05-12: Depthfirst announced that its task-specialized AI had found critical infrastructure bugs Mythos missed at roughly one-tenth the cost, and launched a $5M Open Defense Initiative.
2026-05: Cloudflare's Grant Bourzikas published a detailed post on testing Mythos against more than 50 internal repositories and the limits of AI-written patches.
2026-05-25: Anthropic published the Glasswing initial update reporting 23,019 vulnerabilities across 1,000+ open-source projects, a 90.6% true-positive rate, and a planned eventual public release.

Power Map

Key Players

Anthropic

Builds and operates Mythos Preview, runs Project Glasswing, controls who gets access, and decides when Mythos-class models become public. Backed the launch with $100M in usage credits and $4M in open-source security donations.

Cloudflare

A Glasswing partner that tested Mythos against more than 50 internal repositories and publicly argued the right defensive response is architectural hardening, not faster patch SLAs. Its skepticism is the most influential counter-narrative inside the program.

Depthfirst

An AI-security startup challenging Mythos's economics, claiming its task-specialized model finds critical infrastructure bugs Mythos missed at roughly one-tenth the cost. It launched a $5M Open Defense Initiative to put credits in the hands of smaller defenders.

Launch partners (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks)

Twelve founding organizations granted Mythos Preview access for defensive use. They are patching vulnerabilities right now that the rest of the internet does not know exist, which is the structural advantage Glasswing creates.

Open-source maintainers

On the receiving end of Mythos disclosures with average two-week patch cycles and limited capacity. Several have asked Anthropic to slow disclosure pace; only 75 of roughly 530 high or critical bugs reported upstream have been patched so far.

Fact Check

[1] Project Glasswing: Initial update
[2] Anthropic Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects
[3] Project Glasswing: what Mythos showed us
[4] Post-Mythos, defenders have months, not years, to prepare for AI-powered hacking
[5] AI Security Firm Depthfirst Discovers Critical Internet Vulnerabilities at 10x Lower Cost Than Anthropic
[6] Anthropic's Project Glasswing Exposes the Next Challenge for Vulnerability Management
[7] Project Glasswing
[8] Cloudflare warns Mythos AI is too powerful for public release
[9] Anthropic to release Mythos-class models to the public
[10] Anthropic's Glasswing-Mythos uncovers 10,000 critical vulnerabilities
[11] Anthropic launches Project Glasswing to secure critical software

Source Articles

Analysts

"Argues defenders should architect for assumed-compromise rather than racing patches: 'The principle is to make exploitation harder for an attacker even when a bug exists, so that the gap between when a vulnerability is disclosed and when it is patched matters less.'"

Grant Bourzikas
Chief Security Officer, Cloudflare

"Reports direct evidence that AI-written patches are not safe to ship blind: 'We learned a version of this when we tried letting the model write its own patches and watched a few go out that fixed the original bug while quietly breaking something else.'"

Grant Bourzikas
Chief Security Officer, Cloudflare

"Claims task-specialized model architectures can match or exceed Mythos at a fraction of the price, undermining a 'bigger frontier model always wins' framing for security scanning."

Qasim Mithani
CEO, Depthfirst

"Skeptical that Anthropic can credibly contain misuse of a model this capable: 'It's highly questionable that Anthropic will be able to limit the malicious uses of this model.'"

Jeff Williams
Founder of OWASP; CTO, Contrast Security

"Frames the new bottleneck explicitly: 'Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it's limited by how quickly we can verify, disclose, and patch the large numbers of vulnerabilities found by AI.'"

Anthropic
Project Glasswing operator

The Crowd

"Introducing Project Glasswing: an urgent initiative to help secure the world's most critical software. It's powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans."

@AnthropicAI44093

"Anthropic just dropped the first Project Glasswing update Claude Mythos found 10,000+ critical vulnerabilities in ONE month: > Cloudflare: 2,000 bugs, 400 high/critical severity > Mozilla: 271 vulnerabilities in Firefox 150 — 10x more vulnerabilities found in Firefox 148"

@ns123abc2300

"Anthropic is launching Claude Mythos Preview for defensive security partners under Project Glasswing with $NVDA, $GOOGL, AWS, Apple, and Microsoft. Anthropic says the model has flagged thousands of high-severity vulnerabilities and won't be released publicly - The Verge"

@wallstengine90

"Project Glasswing: Anthropic says Claude found 10,000 critical software flaws in a month"

@u/sksarkpoes3521

Broadcast
Claude Mythos Preview in 6 Minutes

Project Glasswing/Claude Mythos: Anthropic's $x00 Million Marketing Stunt

What Mythos & Glasswing by Anthropic mean for devs
