Anthropic's Claude Mythos security tool has now flagged approximately 23,000 potential vulnerabilities across open-source software, according to a report from eWeek. The figure represents a steady climb in the system's output since it first began attracting attention for AI-assisted code scanning, and it places Mythos among the more productive automated security tools operating in the open-source ecosystem today.
What Mythos Is Doing
Mythos is an AI-driven security scanning system built by Anthropic that analyzes open-source codebases for potential security weaknesses. Unlike traditional static analysis tools that rely on predefined rule sets, Mythos leans on Claude's language understanding to reason about code behavior and flag issues that pattern-matching tools might miss. The system has been running across a broad selection of open-source repositories, and its tally has now reached 23,000 flagged flaws across more than 1,000 projects.
Key Facts
- Mythos has flagged roughly 23,000 potential vulnerabilities in open-source software
- The tool covers more than 1,000 distinct open-source projects
- The system uses Claude's reasoning capabilities rather than static rule-based analysis
- Findings are being shared with project maintainers through coordinated disclosure processes
- The effort is part of Anthropic's broader Project Glasswing initiative
The scale of the effort reflects a deliberate push by Anthropic to apply its models to practical security work. The company has been expanding Mythos steadily, and earlier this year the tool crossed the 10,000 vulnerability threshold, a milestone that drew considerable attention in security circles. Reaching 23,000 flags in a relatively short window suggests the system is processing codebases at pace, though the quality and severity distribution of those findings matters as much as the raw count.
AI-assisted vulnerability detection is moving from proof-of-concept to production-scale tooling, with Mythos serving as one of the clearer examples of that shift in practice.eWeek analysis of Anthropic's Mythos program
Context and Coordination
The Mythos effort sits inside Project Glasswing, Anthropic's initiative for responsible vulnerability sharing. Project Glasswing was opened to partners earlier this year, allowing outside organizations to receive Mythos findings and coordinate disclosures with affected maintainers. That structure is important: dumping tens of thousands of potential flaws into public view without coordination would be harmful, so Anthropic has been working through established channels to notify project owners before details become public.
Anthropic has also been refining Mythos's focus. The Mythos 1 system was designed with Claude Code and security workflows specifically in mind, giving it sharper context when analyzing codebases that developers interact with directly through coding tools. That focus matters because vulnerabilities in widely used development dependencies can have outsized downstream impact compared with flaws in niche projects with limited adoption.
The 23,000 figure will likely keep rising. Anthropic has not indicated any ceiling on the number of repositories Mythos will scan, and the open-source software landscape is vast. The more pressing question for security researchers and maintainers is how many of those flagged issues represent genuine, exploitable vulnerabilities versus low-confidence alerts that require significant human triage. Automated tools at scale tend to generate noise alongside signal, and the value of a system like Mythos ultimately depends on the precision of its findings and the speed with which maintainers can act on them.
For the broader AI industry, Mythos represents a data point in the argument that large language models can contribute meaningfully to defensive security work, not just generate code. Whether that contribution proves durable as codebases grow more complex remains an open question, but the numbers coming out of Anthropic's program are hard to dismiss.
