Claude Mythos Preview Finds 10,000+ Zero-Days in Project Glasswing

Anthropic's Claude Mythos, currently in preview, has uncovered more than 10,000 zero-day vulnerabilities as part of a coordinated security research effort known as Project Glasswing, according to a report from CyberSecurityNews. The scale of the discovery has drawn attention across the security community, raising questions about what AI-assisted vulnerability research could mean for both defenders and attackers going forward.

What Happened With Project Glasswing

Project Glasswing appears to be a structured red-team and code-analysis initiative designed to stress-test Claude Mythos's capabilities in a security context. The model was tasked with analyzing large codebases and identifying exploitable weaknesses. The result, over 10,000 confirmed zero-days, is a figure that would take human security researchers years to produce at comparable scale.

Zero-day vulnerabilities are flaws unknown to the software vendor, meaning no patch exists at the time of discovery. Finding even a handful in a single audit is considered a strong outcome. Finding thousands points to a qualitative shift in what automated analysis can achieve when paired with a capable language model.

The implications cut in two directions. Security teams that can access a model with these capabilities could dramatically accelerate the process of hardening their own systems before adversaries find the same flaws. At the same time, the existence of such a tool raises the question of access controls and how Anthropic plans to manage deployment in sensitive contexts. The company has previously emphasized safety-focused release practices, including staged rollouts and usage policies tied to its Constitutional AI framework.

The volume of findings here is not something you see from traditional static analysis tools. This changes the baseline expectation for what an AI model can contribute to a security audit.CyberSecurityNews analysis of the Glasswing results

Where Claude Mythos Fits in the Broader Picture

Mythos is distinct from the models currently available through Anthropic's commercial products. It sits alongside ongoing development work that includes Claude 4 Opus and the wider Claude model family. Preview evaluations like the Glasswing project are typically used to probe the edges of a model's capabilities before a wider release, gathering data on both performance and potential misuse vectors.

Cybersecurity has emerged as one of the most consequential application areas for large language models. Models that can read and reason about code at scale are naturally suited to finding logic errors, memory safety issues, and authentication flaws. Earlier efforts in this space, including work from academic groups and other AI labs, showed promise but rarely at the throughput suggested by the Glasswing numbers.

It is worth noting that the full methodology behind Project Glasswing has not been made public. The nature of the codebases analyzed, the criteria used to confirm a finding as a genuine zero-day, and the rate of false positives all matter when interpreting the headline figure. Independent verification would add confidence to the claims. That said, even a substantially lower confirmed count would still represent a significant data point about the model's practical utility in security research.

For now, the security community is watching closely. How Anthropic chooses to make these capabilities available, and under what conditions, will shape how the findings are ultimately put to use. The company has not yet issued a formal statement on Project Glasswing or a timeline for Mythos's broader availability.