Anthropic's Mythos Preview Detects 10,000 Vulnerabilities: The New Cybersecurity Bottleneck

Anthropic has taken a giant leap in cybersecurity with Project Glasswing, an initiative based on its artificial intelligence model Claude Mythos Preview. Since its launch in April, this tool has analyzed over 1,000 open-source projects that underpin much of the internet, revealing a stark reality: AI has surpassed humans in detecting and exploiting software vulnerabilities. The results, presented late last week, show that Mythos Preview identified 6,202 high or critical severity vulnerabilities, of which 1,752 were evaluated by independent security firms. Of these, 90.6% turned out to be true positives, and 62.4% (1,094) were confirmed as high or critical severity. This suggests that, at the current pace, the system could identify around 3,900 critical vulnerabilities in open-source software, in addition to those detected in Project Glasswing partners.

Impact on Open-Source Maintainers

Open-source project maintainers now face an avalanche of AI-generated bug reports, many of low quality. Anthropic estimates it has reported 530 high or critical severity flaws and expects to communicate another 827. However, only 75 have been fixed, and 65 security advisories have been published. The company attributes this to its 90-day coordinated disclosure policy, possible fixes without public notification, and the overload of the security ecosystem. As the report authors note, "the relative ease of finding vulnerabilities compared to the difficulty of fixing them poses a major challenge for cybersecurity."

Expert Reactions

Mark Tauschek, an analyst at Info-Tech Research Group, believes Anthropic's decision to limit access to Mythos Preview is a clear sign that frontier AI has crossed a relevant threshold. "The update confirms that the cost of discovering vulnerabilities has dropped dramatically. Organizations that manage patches on a quarterly cadence operate with significantly higher risk," he warns. Meanwhile, Kellman Meghu, CTO of DeepCove Cybersecurity, states that "finding flaws is now cheap, but fixing them remains slow and dependent on human intervention." David Shipley, CEO of Beauceron Security, notes that of the 10,000 reported vulnerabilities, only about 1,500 have been verified by humans, and questions the real cost of the operation: "How many tokens are consumed? I've heard figures around $500 per minute."

The New Bottleneck: From Detection to Fixing

The main challenge is no longer finding vulnerabilities, but fixing them. Anthropic acknowledges that "the bottleneck is the human capacity to triage, report, and design patches." Meghu agrees: "What the update really shows is that the bottleneck has shifted from detection to the ability to absorb patches." His company has had to accelerate patching processes and tighten SLAs on critical dependencies. However, he warns that "we do not blindly trust models or agents to operate autonomously."

To address this situation, Anthropic has launched Claude Security in beta for enterprise clients and the Cyber Verification Program, which allows legitimate security professionals to use its models without the usual restrictions. As we noted in our analysis of OpenAI and Anthropic's strategy to dominate enterprise AI, these companies are deploying engineers on the front lines to integrate AI into security workflows.

Is Your Company Ready for the New Pace?

The operational pressure is immediate. Organizations that rely on open-source software must rethink their defense-in-depth strategies. As discussed in our article on the new patching pace, the window between discovery and exploitation is constantly shrinking. Shipley concludes that the only long-term solution is to "hold developers accountable for the software they create."

Conclusion

Project Glasswing has demonstrated that AI can detect vulnerabilities at unprecedented speed and scale, but it has also highlighted the fragility of the open-source ecosystem. The ability to fix flaws has not kept pace, creating a new bottleneck. Companies must adapt by investing in more agile patching processes and AI tools that assist human teams without fully replacing them. As Meghu notes, "it's not a simple process."


Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.