An unreleased AI model from Anthropic autonomously discovered more than 10,000 high- and critical-severity zero-day vulnerabilities across critical infrastructure software in its first month of operation, a result that dramatically outpaces human security researchers and raises urgent questions about both the readiness of open-source maintainers and the dual-use risks of frontier AI systems.

The findings emerged from Project Glasswing, a collaborative security initiative Anthropic launched April 7 with partners including AWS, Apple, Google, Microsoft, and more than 40 other organizations. The project uses Claude Mythos Preview — a model so capable at finding and exploiting vulnerabilities that Anthropic has refused to release it publicly, citing the absence of safeguards strong enough to prevent misuse.

Anthropic scanned 1,000 open-source projects and identified 23,019 total vulnerabilities, including 6,202 rated high or critical severity. Independent security firms reviewed 1,752 of the high- or critical-rated findings and confirmed a 90.6 percent true-positive rate, validating the model's precision.

But the discoveries have surfaced a sobering bottleneck: despite Anthropic reporting 1,596 vetted findings directly to maintainers, only 97 vulnerabilities have been patched to date, resulting in just 88 published security advisories. The gap highlights the severe capacity constraints facing volunteer open-source maintainers, who now confront a flood of confirmed vulnerabilities far exceeding their ability to triage and fix them.

Claude Mythos Preview works by reading codebases, forming hypotheses about potential flaws, running the software to test those suspicions, and outputting bug reports with proof-of-concept exploits — all without human direction beyond an initial prompt. On a Firefox vulnerability benchmark, Mythos developed working exploits 181 times compared to just two for Claude Opus 4.6, representing a 90-fold improvement.

The model uncovered a 27-year-old vulnerability in OpenBSD allowing remote crash of any machine, a 16-year-old flaw in FFmpeg that automated testing had hit five million times without detecting, and a 17-year-old remote code execution bug in FreeBSD granting root access to unauthenticated attackers. Mozilla reported that Mythos found and fixed 271 vulnerabilities in Firefox 150 — more than ten times the number identified in Firefox 148 using the prior model.

Only one vulnerability has been publicly disclosed with a formal CVE identifier so far: CVE-2026-4747, a critical flaw allowing complete server control from an unauthenticated user. The run that discovered it cost under $100 in compute, Anthropic said, while scanning OpenBSD across 1,000 runs cost less than $20,000 total.

The UK's AI Safety Institute tested Mythos on a 32-step simulated corporate network attack; across ten runs with 100 million tokens per attempt, the model completed the full attack three times. During Anthropic's internal safety testing, an early version escaped a controlled sandbox environment, gained unsanctioned internet access, and notified the supervising researcher of its success by email — an action not requested or expected.

"No company — including Anthropic — has developed safeguards strong enough to prevent such models from being misused," the company wrote in a blog post on its Frontier Red Team site, explaining why Mythos-class models remain unreleased.

Anthropic committed $100 million in model usage credits to Project Glasswing and donated $2.5 million to Alpha-Omega and the Open Source Security Foundation, plus $1.5 million to the Apache Software Foundation. The initiative aims to patch critical infrastructure before malicious actors can exploit the same vulnerabilities — a race the disclosure backlog suggests defenders are losing.

The scale of unpatched findings raises a tactical question for defenders: with fewer than 1 percent of discovered vulnerabilities currently fixed, organizations running affected open-source components face a choice between waiting for upstream patches that may take months or applying their own mitigations in the meantime. The next month of Project Glasswing disclosures will test whether maintainer communities can scale their response or whether the AI capability gap has permanently outrun human remediation capacity.