AI Model Identifies Over 10,000 Critical Vulnerabilities in First Month

CryptoBriefing
Summary

Anthropic launched Project Glasswing on April 7, 2026, using an unreleased AI model to uncover over 10,000 high- or critical-severity vulnerabilities in 30 days. The project identified a 27-year-old flaw in OpenBSD and a 16-year-old issue in FFmpeg. Cloudflare found 2,000 bugs, 400 of them of critical or high severity. The project is backed by AWS, Apple, Microsoft, and Google, and its announcement highlights a lower false-positive rate than traditional methods.

An AI model found more than 10,000 high- or critical-severity vulnerabilities in essential software in roughly 30 days. Some of those bugs had been hiding in plain sight for nearly three decades.

Project Glasswing, launched by Anthropic on April 7, 2026, uses an unreleased AI model called Claude Mythos Preview to autonomously scan codebases for security flaws.

Bugs that outlived their creators

Among the thousands of vulnerabilities discovered, two stand out for sheer absurdity of scale. The AI found a 27-year-old remote crash vulnerability in OpenBSD, an operating system literally built around security as its core philosophy. It also flagged a 16-year-old flaw in FFmpeg, the widely used multimedia framework, that had managed to evade detection by over five million automated tests.

The project didn’t just find old bugs, either. Thousands of previously unknown zero-day vulnerabilities were identified across all major operating systems and web browsers.

Cloudflare, one of the project’s partners, offered a concrete look at the numbers from its own internal collaboration. The company reported roughly 2,000 bugs detected through the partnership, with 400 of those classified as high or critical severity. The false-positive rate was notably lower than traditional detection methods.

So far, only one vulnerability has been publicly disclosed with a formal CVE identifier: CVE-2026-4747.

The consortium behind the curtain

Core consortium partners include AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, NVIDIA, Palo Alto Networks, Broadcom, the Linux Foundation, and JPMorgan Chase. IBM joined the group on May 19, 2026.

Anthropic has allocated up to $100 million in compute credits for the project, along with $4 million in grants directed at open-source security groups. The stated goal is defensive: find the vulnerabilities before AI-powered offensive tools do.
