Anthropic published the first Project Glasswing update on May 22, 2026, reporting that an unreleased model called Claude Mythos Preview found more than 10,000 high- or critical-severity vulnerabilities across systemically important software in its first month, working with about 50 partners including Cloudflare, Mozilla, Microsoft, Oracle, Palo Alto Networks, and the UK AI Security Institute.
What you can use today, what's still gated
Mythos itself is preview-only. Anthropic says it has "yet to release Mythos-class models to the public" and will gate them until stronger safeguards are in place. What is shipping right now is Claude Security, in public beta for Enterprise customers on Opus 4.7, with Team and Max plans coming "soon." If you run on Enterprise, you can already point Claude Security at your repos, schedule recurring scans, and get patch suggestions back without writing any custom agent code. If you don't, the practical move is to track when Team and Max access opens, because that's the same scanning surface that produced the Glasswing numbers, just on a smaller model than Mythos.
Why it matters
The headline number is loud, but the per-partner data is louder. Cloudflare ran Mythos against critical-path systems and surfaced 2,000 bugs, 400 of them high or critical, with a false-positive rate better than human pentesters. Mozilla shipped fixes for 271 Mythos-found vulnerabilities in Firefox 150 alone, and noted the model substantially outperformed prior testing with Opus 4.6. For the open-source slice, Anthropic scanned more than 1,000 projects, flagged 6,202 estimated high- or critical-severity issues, and saw 90.6% of independently-assessed flags confirmed valid. One of them was a forge-any-certificate bug in wolfSSL, which ships in billions of devices.
Key details
Glasswing is the program; Mythos Preview is the model class running underneath. Partners report bug-finding throughput that is "more than 10x" higher than their previous tooling. The disclosed scope spans Linux distros, browsers, cryptography libraries, and cloud infrastructure. Anthropic is also working with the U.S. and allied governments on the expansion, per Benzinga's coverage, and frames public Mythos release as a "near future" milestone gated on safeguards. The April 30 Claude Security public-beta launch is the consumer-tier preview of where this is heading.
What to do next
If you ship code with the help of Claude Code, treat Mythos as a roadmap signal: the same lab whose model is finding 10,000 critical bugs a month is the one writing your reviews. Audit your dependency tree for anything that looks like wolfSSL or Firefox 150 (long-lived C/C++, exposed cryptography, browser-resident parsers) before Mythos lands in production tooling and the public CVE feed catches up. Enterprise customers should enable Claude Security beta this week and pipe its findings into an existing triage queue rather than a separate inbox; the value compounds when patches and reviews stay in one place.
