How AI Found 10,000 Security Bugs in 30 Days

Anthropic's Claude found over 10,000 bugs in a month — a pace no human team could match. The find raises hard questions about how fast fixes can realistically follow.

Anthropic and roughly 50 security partners surfaced over 10,000 high-severity software vulnerabilities in under a month. Cloudflare found 2,000 bugs across its critical infrastructure. Mozilla identified 271 vulnerabilities in Firefox 150—more than ten times the number found in Firefox 148 using an earlier model. The tool responsible, Claude Mythos Preview, is not publicly available. Understanding why that is, and what it means for security teams right now, is worth working through carefully.

What is Project Glasswing and Claude Mythos Preview?

Project Glasswing is Anthropic's initiative to apply frontier AI models to the problem of securing critical software. The headline output so far is Claude Mythos Preview, a model not yet released to the general public, which Anthropic has been running with a restricted group of security partners.

Mythos is not a static analysis tool with a larger rule set. According to Anthropic's published materials and its 244-page system card, the model can reason across entire data flows, construct end-to-end attack chains autonomously, escape sandboxes, and perform privilege escalation. That combination of capabilities is what separates it from tools like Semgrep or CodeQL, which pattern-match against known vulnerability signatures. Mythos appears to reason about what code does, not just what it looks like.

The practical result: several Glasswing partners reported a tenfold or greater increase in their bug-finding rate compared to earlier approaches. Those are not marginal improvements—they represent a qualitative shift in what automated analysis can surface.

The 10,000-Bug Avalanche: Case Studies from Mozilla and Cloudflare

Two public case studies give a sense of what this looks like in practice.

Mozilla's work on Firefox 150 produced 271 confirmed vulnerabilities. When the same exercise was run on Firefox 148 using Claude Opus 4.6—an earlier, publicly available model—the count was exactly 22 security-sensitive bugs. That's the same codebase, similar methodology, dramatically different output. Mozilla has published additional detail on the hardening process for those who want the specifics.

Cloudflare's experience involved 2,000 bugs—including 400 rated high or critical severity—across systems described as critical. That's a large number for infrastructure that has presumably been reviewed repeatedly by skilled engineers. The implication is that there is a class of vulnerability—possibly involving subtle interactions across components, or complex data-flow conditions—that human review and conventional tooling miss at scale, but that a sufficiently capable model can find systematically.

Neither of these examples proves that all 10,000 bugs would have been exploitable in practice. Severity ratings and real-world exploitability are different things. But high-severity classifications are not issued carelessly by organizations like Cloudflare and Mozilla, so the signal is worth taking seriously.

The Remediation Bottleneck: Why Bug Hunting Is No Longer the Hard Part

The more structurally interesting consequence of Glasswing isn't the raw count—it's where the constraint has moved.

For most of software security history, finding vulnerabilities has been the expensive, time-consuming part. Skilled researchers are scarce; automated tools generate noise; triaging results takes judgment. Discovery was the bottleneck.

That is no longer clearly true. If a model can find thousands of real vulnerabilities in weeks, the bottleneck shifts to everything that happens after: verification that the finding is genuine, coordinated disclosure to affected vendors, writing and reviewing patches, testing that patches don't introduce regressions, and deploying fixes across production systems.

None of those steps has been meaningfully accelerated by Mythos. Patch deployment in particular is constrained by organizational processes, testing requirements, and in some cases regulatory review—not by how fast you can write the fix. Some partners working with Anthropic have reportedly described feeling overwhelmed: the discovery rate has outpaced their ability to process and act on what's been found.

This is not a complaint about the tool. It's a structural observation about what happens when one stage of a pipeline becomes dramatically faster than the stages downstream of it. Security teams that engage with AI-assisted discovery tools, including the publicly available ones, should think about this before they run their first scan. What does your triage process look like at 10x the current finding rate? Who owns verification? What's your disclosure workflow?
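The capacity questions above can be put into a model rather than left rhetorical. What follows is an added example, not a tool or figure from Anthropic or any Glasswing partner: a small simulation of the five stages named above (verify, disclose, patch, test, deploy), each with a weekly capacity, fed by a discovery rate and working highest severity first. The capacities, the discovery rates and the severity mix are constructed assumptions, not reported numbers.

```python
from collections import Counter
from dataclasses import dataclass

STAGES = ["verify", "disclose", "patch", "test", "deploy"]
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed assumptions, not reported figures: findings each stage can
# finish per week, and the severity mix of generated findings
# (10 % critical, 30 % high, 40 % medium, 20 % low).
CAPACITY = {"verify": 30, "disclose": 20, "patch": 15, "test": 15, "deploy": 10}
MIX = ["critical"] + ["high"] * 3 + ["medium"] * 4 + ["low"] * 2


@dataclass
class Finding:
    ident: int
    severity: str


class Pipeline:
    """One queue per stage. Each week a stage finishes at most `capacity`
    items, highest severity first, and hands them to the next stage."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.queues = {s: [] for s in STAGES}
        self.shipped = []
        self.next_id = 0

    def discover(self, n):
        """Feed n new findings into the verify queue."""
        for _ in range(n):
            sev = MIX[self.next_id % len(MIX)]
            self.queues["verify"].append(Finding(self.next_id, sev))
            self.next_id += 1

    def week(self, discovered):
        self.discover(discovered)
        # Process downstream stages first so an item spends at least one
        # week in each stage rather than flowing end to end instantly.
        for i in reversed(range(len(STAGES))):
            stage = STAGES[i]
            q = sorted(self.queues[stage], key=lambda f: RANK[f.severity])
            cap = self.capacity[stage]
            done, self.queues[stage] = q[:cap], q[cap:]
            if i + 1 < len(STAGES):
                self.queues[STAGES[i + 1]].extend(done)
            else:
                self.shipped.extend(done)

    def backlog(self):
        return sum(len(q) for q in self.queues.values())


def slowest_stage(capacity):
    """The stage whose capacity bounds long-run throughput."""
    return min(capacity, key=capacity.get)


def simulate(rate, capacity, weeks):
    """Run `weeks` weeks at `rate` findings/week; report shipped counts by
    severity and the total backlog still sitting in the pipeline."""
    p = Pipeline(capacity)
    for _ in range(weeks):
        p.week(rate)
    shipped = Counter(f.severity for f in p.shipped)
    return {"shipped": {s: shipped.get(s, 0) for s in RANK},
            "backlog": p.backlog()}


if __name__ == "__main__":
    print("bottleneck:", slowest_stage(CAPACITY))
    for rate in (10, 100):
        print(f"{rate:>3}/week ->", simulate(rate, CAPACITY, 12))
```

At 10 findings a week every batch ships once it has cleared the four stages ahead of deploy; at 100 a week the same pipeline still ships only 10 a week, all of them critical or high, while mediums and lows never leave the verify queue and the backlog grows by the gap between the discovery rate and the slowest stage's capacity. Replacing the constructed capacities with your own team's numbers is the point of the exercise.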

The Offense vs. Defense Dilemma: Why Mythos Remains Private

Anthropic has been explicit about why Mythos is not available to the public: the same capabilities that make it useful for defense make it dangerous for offense. A model that can autonomously construct attack chains from vulnerability discovery to privilege escalation is, by definition, a capable attack tool if pointed in that direction.

This is not a hypothetical concern. The asymmetry is real and uncomfortable. Defenders need to find and patch every vulnerability that matters. Attackers only need to find one that defenders missed and exploit it before a patch arrives. Compressing the time and cost of vulnerability discovery accelerates both sides of that equation, but the consequences of each side moving faster are not symmetric.

Anthropic's position—restrict Mythos, allow time to develop safeguards, then consider broader release—is a reasonable response to this, but it doesn't resolve the underlying problem. Other labs are working on similar capabilities. The window in which only defenders have access to this class of tool is probably not permanent. What the current restricted deployment does accomplish is buying time to understand how the remediation pipeline needs to change before the discovery rate increases further.

Arming the Defenders: How to Use Claude Security Today

For teams that can't wait for Mythos and want to act now, Anthropic has released Claude Security in public beta for Enterprise customers. It's built on Claude Opus 4.7—a publicly available model tier—and is designed to scan codebases and generate proposed fixes, not just flag issues.

In three weeks of operation, it helped patch more than 2,100 vulnerabilities. That's a meaningful number for a tool in public beta, and it addresses the specific gap that purely discovery-focused tools leave open: getting from "here is the bug" to "here is a plausible fix" is where a lot of remediation effort currently lives.

The New Stack has a practical overview of what Claude Security does differently from legacy static analysis tools. The short version: it reasons across data flows rather than matching patterns, which means it can surface issues that involve interactions between components rather than just local code smells.

Claude Security is not Mythos. The finding rates will not be comparable. But it represents a meaningful step forward from tools that only know what they've been explicitly taught to look for, and it's accessible to enterprise teams today.
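Both this section and the Mythos description earlier draw the same line between matching patterns and reasoning across data flows. To make that distinction concrete, here is an added example, not Anthropic's, Semgrep's or CodeQL's code and a toy next to what those tools do: a line-level signature check beside a small taint tracker built on Python's ast module. The analysed program is a constructed sample, and the source and sink names are assumptions chosen for the demonstration.

```python
"""Toy taint (data-flow) analysis beside a line-level signature check. Added
example, not code from Anthropic, Semgrep or CodeQL; constructed sample below."""
import ast
import re

# Constructed sample: user input reaches a shell command through an
# intermediate variable and a helper, so no single line holds source and sink.
SAMPLE = '''import os
from flask import request

def build_cmd(name):
    return "ls " + name

def handler():
    raw = request.args.get("dir")
    target = build_cmd(raw)
    os.system(target)

def safe_handler():
    fixed = build_cmd("/tmp")
    os.system(fixed)
'''
SOURCES = {"request.args.get"}  # where untrusted data enters (assumed)
SINKS = {"os.system"}           # where it must not arrive unchecked (assumed)

def dotted(node):
    # 'os.system' for the Attribute/Name chain os.system, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))

def grep_findings(src):
    # Signature-style check: source and sink must share a line
    pat = re.compile(r"os\.system\(.*request\.args")
    return [n for n, line in enumerate(src.splitlines(), 1) if pat.search(line)]

class Tainter(ast.NodeVisitor):
    """Propagates taint through assignments, concatenation and summarised calls."""
    def __init__(self, summaries):
        self.summaries = summaries  # func name -> param indices reaching its return
        self.tainted = set()        # variable names currently tainted
        self.returns_tainted = False
        self.sink_lines = []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return True
            flows = self.summaries.get(name, set())  # interprocedural step
            return any(self.is_tainted(a) for i, a in enumerate(node.args) if i in flows)
        return False

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Return(self, node):
        if node.value is not None and self.is_tainted(node.value):
            self.returns_tainted = True

    def visit_Call(self, node):
        if dotted(node.func) in SINKS and any(self.is_tainted(a) for a in node.args):
            self.sink_lines.append(node.lineno)
        self.generic_visit(node)

def summarize(func, summaries):
    """Parameter positions of func whose values flow to its return."""
    flows = set()
    for i, param in enumerate(func.args.args):
        t = Tainter(summaries)
        t.tainted.add(param.arg)
        for stmt in func.body:
            t.visit(stmt)
        if t.returns_tainted:
            flows.add(i)
    return flows

def taint_findings(src):
    """(function, line) pairs where tainted data reaches a sink."""
    funcs = [n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)]
    summaries = {}
    for f in funcs:  # one pass in definition order; recursion not handled
        summaries[f.name] = summarize(f, summaries)
    findings = []
    for f in funcs:
        t = Tainter(summaries)
        for stmt in f.body:
            t.visit(stmt)
        findings.extend((f.name, ln) for ln in t.sink_lines)
    return findings
```

The signature check finds nothing because the source and the sink never share a line. The taint tracker follows the value through an assignment and through build_cmd's summary (parameter 0 reaches its return) and reports the sink call in handler, while staying silent on safe_handler, whose argument is a constant. Everything this toy omits (branches, containers, sanitizers, aliasing, recursion) is where real data-flow engines spend their effort, and where the false-positive rate discussed later on this page is decided.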

What still needs watching

Several things remain unclear from the published information. The false-positive rate for Mythos findings hasn't been disclosed in detail—10,000 high-severity bugs is an extraordinary number, and understanding what fraction required significant human judgment to confirm would change how you interpret the scale. The long-term economics of responsible disclosure at this volume also haven't been stress-tested publicly; coordinated disclosure processes were not designed for thousands of simultaneous findings across dozens of codebases. And the competitive dynamic—how quickly other labs reach comparable capability, and what their release decisions look like—is genuinely unknown.

The remediation bottleneck is the most tractable near-term problem, and it's one that security teams can start working on now, before they have access to Mythos-class tools. The discovery side of the equation is about to get much easier. The rest of the pipeline needs to catch up.

The false-positive rate question matters to me practically: if I ever ran a Mythos-class scan against the Next.js and Strapi v5 stack I use across my projects, a finding rate I couldn't triage myself would be worse than no scan at all, which is the same capacity problem Cloudflare and Mozilla are dealing with at a much larger scale.
