5 takeaways from Anthropic’s Mythos update

Anthropic says its Mythos model helped partners find more than 10,000 vulnerabilities in one month.

Anthropic’s latest Project Glasswing update gives a rare look at how an unreleased AI model is being used for security work, with partners reporting faster bug-finding and bigger patch lists.

Item	Vulnerabilities found	Severity notes
Project Glasswing partners overall	10,000+	Mixed severity
Cloudflare	2,000	400 high or critical
Firefox via Mozilla	271	10x older Claude model result
Open-source scans by Anthropic	6,202	High or critical out of 23,019

1. Mythos is already finding bugs at scale

Anthropic says Claude Mythos Preview has helped Project Glasswing partners find more than 10,000 vulnerabilities in about a month. That is the headline number, and it is the clearest sign that the model is being used as a serious security tool rather than a demo.

The company says the bug-finding rate has increased by more than 10 times for many partners. That matters because security teams usually want two things at once: more findings and faster triage. Mythos appears to be pushing both.

• More than 10,000 vulnerabilities found overall
• Most partners found hundreds of critical- or high-severity issues
• Anthropic says the rate improved by over 10x

2. The biggest gains are in high-severity issues

This is not just about padding a bug count. Anthropic says many partners found hundreds of critical- or high-severity vulnerabilities, which are the kinds of flaws that can lead to real damage if they are left open.

Cloudflare’s results show why that matters. The company found 2,000 bugs with Mythos, including 400 that were high or critical. In other words, the model is not only surfacing edge cases; it is helping uncover issues security teams would care about first.

• Cloudflare: 2,000 bugs total
• Cloudflare: 400 high or critical
• Anthropic says partner results include hundreds of serious issues

3. Mozilla’s Firefox results suggest a big jump over older models

Mozilla reported that it found and fixed 271 vulnerabilities in Firefox using Mythos, which Anthropic says is 10 times more than what it found with an older Claude model. That comparison is useful because it gives a sense of how much the newer model may improve security workflows.

For browser security, where bugs can affect millions of users, that kind of jump is more than a nice stat. It suggests AI-assisted review may be moving from helper status to a core part of the process.

Firefox with Mythos: 271 vulnerabilities fixed Older Claude model: about 1/10 of that result

4. Anthropic is using Mythos on open-source code too

Anthropic says it scanned 1,000 open-source projects over the past few months and found 6,202 high- and critical-severity vulnerabilities out of 23,019 total issues. That gives the company a broader test bed than partner reports alone and shows the model can work across a wide set of codebases.

Open-source scanning is useful for two reasons: it helps expose common patterns across projects, and it gives researchers a way to measure whether the model is finding real problems instead of just noisy results. The severity split suggests the output is worth paying attention to.

• 1,000 open-source projects scanned
• 23,019 total vulnerabilities found
• 6,202 high- or critical-severity issues

5. Public release is still on hold

Anthropic says Mythos Preview is not available to the public yet because it does not believe current safeguards are strong enough to prevent misuse. That is the main limit on the story: the model appears powerful, but the company is treating that power as something to control carefully.

For now, Anthropic plans to expand Project Glasswing with partners, including governments, and says “Mythos-class models” may come later once better protections exist. The company is also working with Amazon Web Services, Apple, CrowdStrike, Google, JPMorganChase, NVIDIA, and Palo Alto Networks.

• Not public yet
• Release depends on stronger safeguards
• Future rollout may include governments and other partners

How to decide

If you care about security research, the most important takeaway is that Mythos looks strongest where scale and severity matter most. Teams hunting for high-impact bugs, especially in browsers, cloud services, or large codebases, are the ones most likely to benefit first.

If you are watching Anthropic as a business story, the security update also fits a bigger pattern: the company is showing commercial traction while keeping its most powerful model under wraps. That makes Mythos both a product signal and a policy signal at the same time.