A 27-Year-Old Bug, Found in Hours: Project Glasswing Reveals the Vulnerability Tsunami the World Cannot Patch

2026.04.25

Anthropic's Claude Mythos has surfaced thousands of critical flaws — and less than 1% have been fixed

On April 24, Anthropic gave the world a preview of a number that should keep every CISO awake at night. Fewer than 1% of the vulnerabilities discovered by its new Claude Mythos model under Project Glasswing have been patched. Meanwhile, the list of discoveries keeps growing.


What Mythos actually found


Mythos is a frontier model purpose-built for security research. Under the Project Glasswing umbrella, Anthropic has given early access to AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, Nvidia, and roughly 40 other critical-infrastructure operators. The findings so far include a 27-year-old bug in OpenBSD, an operating system widely considered the most rigorously audited in existence; a 16-year-old vulnerability in FFmpeg whose affected line automated fuzzers had executed five million times without ever detecting it; and a 17-year-old remote code execution bug in FreeBSD, assigned CVE-2026-4747, that allows any attacker on the network to gain root on a machine running NFS. Read that again. Twenty-seven years. Sixteen years. Seventeen years. These are not niche edge cases. They sit inside the foundational software that every cloud provider, every mobile OS, and every enterprise server pipeline depends on. They stayed invisible to the best human eyes and the best static-analysis tools in the industry until a language model started reading the code.


Why the patching gap matters more than the discovery


The number that made the headlines, "thousands of vulnerabilities found," is impressive. The number that should terrify everyone is the follow-up: less than 1% patched. The gap exists because patching requires human engineers to reproduce the bug, understand the fix, test for regressions, coordinate disclosure, and deploy through fragmented supply chains. Discovery is now AI-speed. Remediation is still human-speed. This asymmetry is already being exploited. Days before the Glasswing announcement, CVE-2026-33626, a server-side request forgery flaw in LMDeploy, a widely used LLM-serving toolkit, was exploited in the wild less than 13 hours after public disclosure. Attackers do not wait for a paper or a tweet. They pipe the CVE feed into their own automated exploit generators.


The state-surveillance question


The obvious uncomfortable question: if Anthropic's model is this good at finding zero-days, what about the ones built by government agencies with no disclosure obligations? Anthropic has been explicit that Mythos will not be generally available. But foundation models are now cheap enough to train that any capable nation-state can build a Mythos-class system privately. Every public discussion of Glasswing's capabilities is also an instruction manual for adversary labs. This is the part of the AI-safety conversation that gets insufficient airtime. The model-provider community has tools and norms around content policy. It has almost nothing around offensive-security capability arms races. Project Glasswing, to Anthropic's credit, is an attempt to get defenders ahead. But the same capability in a different lab, released without a vetted partner program of some sixty organizations, would be catastrophic.


What this means for working developers and security teams


If you ship code, any code, at any company, your threat model just changed. Three concrete implications.

First, code age is no longer a proxy for security. "We have been running this library since 2008" used to mean "battle-tested." Now it means "it has had 18 years to accumulate bugs nobody could find, until last month." Age is exposure.

Second, patching velocity is now a board-level metric. If your mean time to patch is measured in months, you are effectively running an open house. Asset inventory, SBOM coverage, and automated patch pipelines are not cybersecurity hygiene anymore; they are business continuity.

Third, developers must start running the same AI tooling on their own code before anyone else does. Projects like Anthropic's Claude Code and similar offensive-aware coding tools can run internal Glasswing-style sweeps. If you ship PHP, Python, Go, or Rust at scale, running AI-powered vulnerability scans on your own repos this quarter is no longer optional.
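As an added example, not code from the article or from Anthropic or Project Glasswing, the following Python script turns the first two implications into numbers a team can track. It joins a constructed CycloneDX-style component inventory against a constructed advisory feed (the advisory ids are placeholders, not real CVEs), reports how long each affected component has been deployed ("age is exposure"), how long each open advisory has been public, flags anything past a patch SLA, and computes mean time to patch across closed advisories. The component names, versions, dates, and the 14-day SLA are all assumptions.

```python
"""Exposure-window and mean-time-to-patch report.

Added example (not from the article). All SBOM entries, advisories, and dates
below are constructed for illustration; advisory ids are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed patch SLA in days; pick whatever your board has signed off on.
PATCH_SLA_DAYS = 14
TODAY = date(2026, 4, 25)  # constructed "report date"


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    deployed_since: date  # first date this component shipped in production


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder, not a real CVE number
    component: str
    fixed_in: str             # versions strictly below this are affected
    disclosed: date
    patched_on: Optional[date]  # None means still open in our estate


# Constructed SBOM: one old library, one mid-age service, one recent library.
SBOM = [
    Component("libfoo", "1.2.3", date(2008, 6, 1)),
    Component("barserver", "4.0.1", date(2019, 3, 10)),
    Component("bazlib", "2.5.0", date(2022, 1, 15)),
]

# Constructed advisory feed (ids are placeholders).
ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "1.2.4", date(2026, 4, 20), None),
    Advisory("ADV-0002", "barserver", "4.0.2", date(2026, 3, 1), date(2026, 3, 15)),
    Advisory("ADV-0003", "bazlib", "2.4.0", date(2026, 4, 1), date(2026, 4, 29)),
    Advisory("ADV-0004", "barserver", "4.1.0", date(2026, 4, 10), None),
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. '1.2.3' -> (1, 2, 3)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """A component is affected when it matches by name and is older than fixed_in."""
    return comp.name == adv.component and parse_version(comp.version) < parse_version(adv.fixed_in)


def open_exposure(sbom, advisories, today=TODAY):
    """Rows for every open advisory that hits a deployed component.

    exposure_days is how long the vulnerable component has been in production,
    regardless of when the bug was disclosed: that is the 'age is exposure' view.
    """
    rows = []
    for adv in advisories:
        if adv.patched_on is not None:
            continue
        for comp in sbom:
            if is_affected(comp, adv):
                rows.append({
                    "advisory": adv.advisory_id,
                    "component": f"{comp.name} {comp.version}",
                    "exposure_days": (today - comp.deployed_since).days,
                    "days_public": (today - adv.disclosed).days,
                    "sla_breached": (today - adv.disclosed).days > PATCH_SLA_DAYS,
                })
    # Longest-deployed vulnerable components first.
    return sorted(rows, key=lambda r: r["exposure_days"], reverse=True)


def mean_time_to_patch_days(advisories) -> Optional[float]:
    """Mean days from disclosure to patch over closed advisories; None if none closed."""
    durations = [(a.patched_on - a.disclosed).days for a in advisories if a.patched_on]
    return sum(durations) / len(durations) if durations else None


if __name__ == "__main__":
    for row in open_exposure(SBOM, ADVISORIES):
        print(row)
    print("mean time to patch (days):", mean_time_to_patch_days(ADVISORIES))
```

The version comparison is deliberately naive (purely numeric dotted versions) so the logic stays visible; a real pipeline would use the ecosystem's own version semantics and a proper affected-range format such as VEX or the advisory's CPE data. The interesting output is the ordering: the oldest deployed component sits at the top even though its advisory is the newest, which is exactly the inversion the article is describing.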


My take


We have entered a period where AI can find vulnerabilities faster than humans can fix them, and faster than organizations can prioritize them. The window between "AI-powered discovery is real" and "AI-powered patching is real" is the most dangerous interval we will see this decade. Project Glasswing demonstrates that the first half of that equation is already here. The security industry spent twenty years optimizing for human-speed discovery. That problem is now mostly solved. Patching is suddenly the limiting factor, and patching is not a model problem. It is an organizational, legal, and supply-chain problem. Models do not patch code. People do. And there are not enough of them. If you are not already running fire drills for "we just learned the protocol we built on has been broken for twenty years," you are running the wrong drills.
