Anthropic's Mythos Preview Reveals 10,000 Vulnerabilities: The New Cybersecurity Bottleneck

The Glasswing Project and Its Impact on Cybersecurity

Last April, Anthropic launched Project Glasswing, a cybersecurity initiative built on its Claude Mythos Preview model. Designed for launch partners to integrate into their defensive operations, the project has revealed an unprecedented capability: the model can find and exploit software vulnerabilities at a level that surpasses almost any human expert. With over $100 million in usage credits and $4 million in donations to open-source projects, Anthropic has marked a turning point in vulnerability detection.

Stunning Results: 6,202 High-Severity Vulnerabilities

According to Anthropic's update, Mythos Preview analyzed over 1,000 open-source projects that underpin much of the Internet. The result: 6,202 findings rated high or critical severity, of which 1,752 were reviewed by six independent security firms. Of those reviewed, 90.6% (1,587) were true positives and 62.4% (1,094) were confirmed as high or critical severity. Applying that 62.4% confirmation rate to all 6,202 findings suggests the system will ultimately yield nearly 3,900 confirmed high or critical flaws in open source, in addition to those detected at Glasswing partners.

This finding aligns with what was discussed in our article AI Discovers Thousands of Critical Flaws: Is Your Company Ready for the New Patching Pace?, where we analyze how AI is transforming enterprise cybersecurity.

The Challenge for Open-Source Maintainers

Maintainers face an avalanche of low-quality AI-generated bug reports, and some have asked Anthropic to slow the pace of disclosure. So far, 530 high or critical severity flaws have been reported to projects, of which 75 have been fixed and 65 security advisories have been published. Anthropic attributes the low fix count to the 90-day window of its coordinated disclosure policy, to fixes shipped without public notification, and to saturation of the security ecosystem.

The report notes that “the relative ease of finding vulnerabilities versus the difficulty of fixing them poses a major challenge for cybersecurity.” This bottleneck has shifted from detection to patch absorption capacity, as explored in Time Tracking and Clocking: Accurate Recording of Work Time per Project, where we highlight the importance of managing time in critical processes.

Launch of Claude Security and Cyber Verification Program

Glasswing's progress has led Anthropic to launch Claude Security in beta for enterprise clients and the Cyber Verification Program, which allows legitimate professionals to use its models without the usual restrictions. Mark Tauschek, analyst at Info-Tech Research Group, believes that limiting access to Mythos Preview is a clear sign that frontier AI has crossed a relevant threshold. However, he warns: “Being transparent about the problem is not the same as solving it.”

Organizations that manage patches on a quarterly cadence “operate with a significantly higher level of risk than very recently,” Tauschek adds. This resonates with what was discussed in Linus Torvalds Blasts the Myth of '99% of Code Written by AI', where automation without human oversight is questioned.

Voices from the Industry: Where Is the Real Bottleneck?

Kellman Meghu, CTO of DeepCove Cybersecurity, says the results do not surprise him: “AI accelerates detection, but fixing flaws remains slow and dependent on human intervention.” His company has had to accelerate patching processes and use language models to identify vulnerabilities. “The bottleneck has shifted from detection to the capacity to absorb patches,” he concludes.

David Shipley, CEO of Beauceron Security, warns that the headline of 10,000 vulnerabilities may be misleading: “Only 1,500 have been verified by humans, and the cost of identification remains opaque.” He asks how many tokens were consumed and how much compute was needed. Shipley advocates holding developers accountable for the software they create, a point also addressed in Vendor Neutrality Is Not Magic: A Real Look at the OpenTelemetry Ecosystem.

Implications for Companies and IT Professionals

The operational pressure is immediate. Companies must rethink their defense-in-depth strategies and tighten patching SLAs. As Meghu notes, “We don't blindly trust models to operate autonomously; we have incorporated AI-assisted audits into our pipeline.” This digital transformation is key, as illustrated in Success Story: Digital Transformation in a Logistics Company.

Furthermore, data sovereignty becomes critical when using AI models in the cloud. In Data Sovereignty in the Cloud: Google Cloud and Telefónica Seal a Strategic Alliance to Protect, we analyze alliances like that of Google Cloud and Telefónica to protect critical information, a relevant aspect given the new patching cadence.


Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.