Anthropic's Project Glasswing Found Thousands of Zero-Day Bugs

Anthropic’s Project Glasswing Found Thousands of Zero-Day Bugs. Only 1% Were Fixed.


Claude Mythos Preview just scanned the world’s most critical software and found thousands of zero-day vulnerabilities — bugs hidden in every major operating system, every major web browser, and critical infrastructure software. Some of these bugs had been sitting undetected for 20 or 27 years. The alarming part is not that AI found them. The alarming part is that fewer than 1% of them were patched.

This is Anthropic’s Project Glasswing, announced on April 27, 2026. And it is one of the most significant AI security events in history.


What Is Project Glasswing?

Project Glasswing is Anthropic’s initiative to use Claude Mythos Preview — the unreleased frontier model Anthropic has kept locked away — to secure the world’s most critical software infrastructure. Over the past several weeks, Mythos Preview was deployed to scan operating systems, web browsers, and major software platforms for security vulnerabilities.

The initiative involves more than 40 technology companies including AWS, Apple, Google, Microsoft, NVIDIA, and CrowdStrike. These organizations are now using Mythos Preview to identify and eliminate vulnerabilities in the critical digital infrastructure the modern world depends on.


What Mythos Found

The findings are alarming in both scale and age:

  • Thousands of zero-day vulnerabilities discovered across every major operating system
  • Bugs found in every major web browser currently in use
  • Vulnerabilities in a range of critical software platforms
  • Many of the bugs are 10 to 20 years old — present since the software was originally built
  • The oldest bug found so far is a 27-year-old vulnerability in OpenBSD — now patched

A zero-day vulnerability is a security flaw that is unknown to the software vendor and therefore has no patch. These are the most dangerous type of bugs because attackers can exploit them before any defence exists. Mythos Preview found thousands of them.


The 1% Problem

Here is the most alarming statistic from Project Glasswing: fewer than 1% of the vulnerabilities discovered by Mythos have been patched.

This is not because the vulnerabilities are disputed or low priority. It is because the software industry simply does not have the capacity to fix bugs at the rate AI can now find them. The discovery-to-remediation pipeline — which involves vendor notification, patch development, testing, and deployment — was designed for a world where finding a critical bug required weeks of expert human analysis.

AI has compressed that discovery timeline to near-zero. The patching pipeline has not kept up.

Anthropic’s framing is blunt: the industry needs to prepare for a world where AI can find bugs faster than humans can fix them. Project Glasswing is partly a demonstration of this reality, and partly an attempt to build the coordination infrastructure needed to address it.


Why This Matters Beyond Security

The Dual-Use Reality of Frontier AI

Claude Mythos Preview has already demonstrated it can find zero-days that human researchers missed for decades. The same capability that makes it invaluable for defence makes it potentially devastating in the wrong hands. This is precisely why Anthropic has refused to release Mythos publicly.

The Project Glasswing announcement effectively confirms what many security researchers suspected: frontier AI models have crossed a threshold where they can perform offensive security research at a level surpassing all but the most elite human experts.

The Patch Gap Is a National Security Issue

The fact that fewer than 1% of AI-discovered vulnerabilities have been patched means there are thousands of known, critical bugs in software running on government networks, banking infrastructure, hospital systems, and power grids, and the vendors know about them but have not fixed them yet.

This is not a theoretical future risk. It is a present reality.

What Happens When Attackers Get This Technology

Nation-state threat actors (China, Russia, North Korea, and Iran) are all investing heavily in frontier AI. The question Project Glasswing is implicitly answering is: what happens when a hostile actor has the same vulnerability-finding capability as Mythos Preview? The answer is that the existing patch infrastructure is completely inadequate for that threat model.


What This Means for Indian IT and Cybersecurity Professionals

India is a major provider of IT services to global enterprises, including organisations running the exact software that Project Glasswing is scanning. Indian security professionals have direct exposure to this issue through several angles:

  • Security operations centre (SOC) teams at Indian IT companies need to understand that the vulnerability landscape has permanently changed. AI-assisted vulnerability discovery is now a reality on both sides.
  • Patch management teams are going to face an unprecedented backlog. AI-accelerated vulnerability disclosure means the queue of known, unpatched bugs is growing faster than it can be cleared.
  • Cybersecurity career opportunities are expanding. The gap between vulnerability discovery and remediation creates demand for AI-augmented security engineers who can triage, prioritise, and remediate at speed.
  • Companies like CrowdStrike, which are Project Glasswing partners, are expected to benefit significantly. Indian IT professionals servicing CrowdStrike deployments should expect increased demand for their skills.

Anthropic’s Position

Anthropic has been explicit about why they are doing this publicly. Their stated goal with Project Glasswing is twofold: demonstrate that frontier AI can dramatically improve the world’s security posture, and force the industry to build the coordination and remediation infrastructure needed before hostile actors close the same gap.

The 27-year-old OpenBSD bug that Mythos found and that has now been patched is the clearest proof point. A vulnerability that survived three decades of human security research was found and fixed in weeks once AI was deployed.

The 99% that have not been fixed yet is the open problem.


Final Thought

Project Glasswing is the clearest signal yet that frontier AI has moved from being a tool that assists security professionals to one that fundamentally changes the threat landscape. The model that found thousands of zero-days in every major OS and browser is the same model that Anthropic will not release publicly because it is too capable.

The question every organisation running critical software should be asking right now is not “will AI find vulnerabilities in our systems?” It already has. The question is whether you are patching fast enough to stay ahead of the people who will use the same capability offensively.

Is your organisation prepared for AI-accelerated vulnerability disclosure? Share your thoughts in the comments.
