By name: glasswing-vulnerability-discovery description: AI-powered vulnerability discovery methodology from Anthropic's Project Glasswing - using frontier models (Mythos Preview) to find critical security vulnerabilities in open-source and enterprise software. version: 1.0.0 author: Anthropic Research date: 2026-05-22 source: https://www.anthropic.com/research/glasswing-initial-update category: cybersecurity tags: [cybersecurity, vulnerability-discovery, ai-security, frontier-models, mythos] activation_keywords: [glasswing, vulnerability discovery, mythos preview, AI security testing, frontier red team]
Project Glasswing: AI Vulnerability Discovery
Methodology from Anthropic's Project Glasswing (May 2026) using Mythos Preview AI model to discover critical security vulnerabilities at unprecedented scale.
Core Concept
Project Glasswing uses frontier AI models (Mythos Preview) to scan software for vulnerabilities. Within one month, partners found 10,000+ high/critical vulnerabilities - a 10× increase in bug-finding rate.
Results Summary
| Metric | Value |
|---|---|
| Total vulnerabilities found | 10,000+ |
| Partner bug-finding rate increase | 10× |
| Open-source vulnerabilities scanned | 6,202 high/critical (estimated) |
| True positive rate (triaged) | 90.6% |
| High/critical confirmed | 62.4% |
Partner Examples
- Cloudflare: 2,000 bugs (400 high/critical), false positive rate better than human testers
- Palo Alto Networks: 5× increase in patches
- Microsoft: Continued trending larger patches
- Oracle: Multiple times faster vulnerability fixing
Vulnerability Disclosure Process
Follows industry convention:
- 90 days after discovery
- 45 days after patch becomes available
- Allows end users to update before exploitation risk
Key Vulnerability Types Found
- Critical Infrastructure: Internet infrastructure software
- Cryptographic Libraries: wolfSSL exploit construction
- Enterprise Systems: Cloud service vulnerabilities
- Open-Source Projects: 1,000+ projects scanned
Implementation Pattern
AI Vulnerability Scanning Workflow
1. Identify critical software targets
2. Run Mythos Preview scan
3. AI estimates severity (low/medium/high/critical)
4. Triage by independent security researchers
5. Validate true positives (90.6% rate achieved)
6. Confirm severity classification
7. Follow 90-day disclosure timeline
8. Patch deployment tracking
Exploit Construction Example
For wolfSSL vulnerability:
- Mythos Preview constructed working exploit
- Demonstrated actual exploitability
- Confirmed severity rating
Security Research Integration
- Six independent security research firms for triage
- Human validation required before disclosure
- Collaborative approach with software maintainers
Limitations and Considerations
- Disclosure Lag: Cannot detail findings until patches deployed
- False Positives: 9.4% false positive rate requires human triage
- Scale Challenge: Limit now is verification/disclosure speed, not discovery
- Responsible Disclosure: Must balance security vs. end-user protection
Non-Security Applications
Mythos Preview also useful for:
- Fraud detection (prevented $1.5M wire transfer fraud)
- Real-time security monitoring
- Attack pattern recognition
Deployment Considerations
- Patch deployment speed now matters more than discovery speed
- Coordination with security teams essential
- Standard disclosure timelines apply
External Evidence
- External testers report Mythos Preview effectiveness
- ExploitBench and ExploitGym evaluations confirm performance
- Frontier Red Team blog validation
Recommendations
- For critical infrastructure: Use AI scanning for proactive security
- For open-source maintainers: Expect increased vulnerability reports
- For enterprises: Plan for accelerated patch cycles
See Also
adversarial-testing-framework- AI adversarial testingagentic-coding-security- Security for agentic AIred-teaming- Red team methodology
Extracted from Anthropic Research: Project Glasswing (May 2026)