Mythos mania leads to discovery of thousands of critical bugs: So why are devs unhappy?


Anthropic says researchers and partners have found more than 23,000 vulnerabilities across more than 1,000 open-source projects since Project Glasswing and the Mythos model launched six weeks ago. Many devs aren’t happy, though, as they’re flooded with work now. This might change.

It definitely sounds impressive. Anthropic claims that more than a quarter (6,202) of the discovered bugs (23,019) are suspected of having a high or critical severity rating.

To the fast-growing AI company, this confirms that those flaws are real issues and not just the random leftovers of a typical vulnerability scan.


“An encouraging world available to us”

“To be clear, we intend to continue scanning open-source code for some time, so we expect this number to rise,” Anthropic adds in an extensive blog post.

That’s just what Mythos, marketed by Anthropic as an AI model able to uncover thousands of software bugs across every major operating system and browser, has found in open-source code, by the way.


There’s also the tally from Project Glasswing’s partners, who are using Mythos before the model’s public release. According to Anthropic, they’ve collectively found more than 10,000 critical- or high-severity vulnerabilities.

For instance, Cloudflare has found 2,000 bugs (400 of which are high- or critical-severity) across its critical-path systems, with a false positive rate that Cloudflare’s team considers better than that of human testers.

“There’s an encouraging world available to us: one in which important code is hardened far better than it is today, and in which hacking is far less prevalent,” enthuses Anthropic.


Indeed, Project Glasswing sounds super attractive to many governments, banks, or intelligence agencies that have all been trying to get their hands on Mythos in order to scan their own networks and patch them – before the baddies weaponize AI, find the same bugs, and exploit them.

Defenders swamped with more work

Not everyone is happy, though. Companies like Cloudflare, Amazon, or Nvidia are rich enough to deal with all those bugs by themselves and quickly, but many regular developers and defenders simply can’t sort through all the AI-written bug reports.

Anthropic itself admits in the blog post: “Several maintainers have told us they’re currently severely capacity constrained, and some have even asked us to slow down the rate of our disclosures because they need more time to design patches.”

In other words, people are just swamped, and we’re highly likely to soon see delays in patching the bugs due to long triage times. No patches, no safety, right?


Anthropic says not to worry and explains that the number of patches is relatively low for three reasons.

First, we’re still early in the 90-day window that’s set out in Anthropic’s Coordinated Vulnerability Disclosure policy, a longstanding convention in the industry: the firm expects many more patches to land soon.

“Second, we are likely to be undercounting patches because some vulnerabilities are patched without a public advisory: in those cases, we’re reliant on scanning for the patches ourselves using Claude,” said Anthropic.

“Third, the low volume of patches reflects a genuine problem: even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem.”


That’s to say the least. The relative ease of finding vulnerabilities compared with the difficulty of fixing them indeed amounts to a major challenge for cybersecurity.

So what are the solutions? According to Anthropic, software developers should simply shorten their patch cycles (as if that were so easy). Plus, network defenders should shorten their patch testing and deployment timelines.

Jacob Aron, senior editor at New Scientist, is pretty skeptical, writing on Bluesky: “Anthropic’s solution to the problem it has created is ‘idk guys, work harder I guess.’”

"Anthropic's solution to the problem it has created is 'idk guys, work harder I guess' 🙃"

Jacob Aron (@jjaron.bsky.social), May 23, 2026 at 12:34 AM

Cybersec job postings up 11%

There’s light at the end of this AI-powered tunnel, however. A bit unexpectedly, demand for cybersecurity engineers is surging, according to numbers from LinkedIn and the job search platform Glassdoor.

Despite widespread fears that AI may kill the human cybersecurity industry, cybersecurity job postings in the first quarter were up 11% from a year earlier.

As The New York Times puts it, hiring of security experts has surged as tech workers increasingly use AI to generate code, sometimes introducing bugs and vulnerabilities in the process. The hype around Mythos has also created uncertainty about potential risks.

“We’re going to need people to deal with the bug-pocalypse,” Lea Kissner, the chief information security officer at LinkedIn, told The New York Times.

“I don’t think we’re really going to understand how to do AI security in a sustainable, long-term way for at least several years.”

It is a little ironic for the cybersecurity industry to become an early example that AI can also help create jobs, not just automate everything, even though the current trend may be temporary, since AI is improving all the time.

Josephine Wolff, professor of cybersecurity policy at The Fletcher School at Tufts University, wrote recently in The San Francisco Standard that Mythos might be “the most powerful tool for cyber defense that we’ve perhaps ever possessed.”

In her piece, Wolff dismisses fears that humans might simply not keep up and suggests there could be an alternative to the cycle of releasing software, finding flaws that can be exploited by adversaries, and patching them.

“AI tools like Mythos suggest a possible alternative: What if finding every vulnerability in a piece of software were just as fast and easy as finding a few of them, thanks to automation?” writes Wolff.
