Anthropic’s Project Glasswing uncovers 10,000 critical software flaws in one month
The collaborative initiative involving Microsoft, Oracle, and Cloudflare has revealed that while artificial intelligence can rapidly identify high-severity bugs, the industry lacks the human resources to verify and fix them at a comparable speed.
Anthropic has released an initial update on Project Glasswing, a collaborative initiative launched last month to secure critical software using its Claude Mythos Preview model. Within the first month, approximately 50 partners, including Cloudflare, Palo Alto Networks, Microsoft, and Oracle, have identified over 10,000 high- or critical-severity vulnerabilities in their software. The project highlights a significant cybersecurity bottleneck: while AI can detect flaws rapidly, human capacity to verify, disclose, and patch these issues remains the limiting factor.
The initiative underscores a shift in the software security landscape. Progress on software security used to be limited by how quickly new vulnerabilities could be found, but Anthropic notes that this is no longer the case. The company states that the current constraint is the speed at which human teams can verify, disclose, and patch the large numbers of vulnerabilities identified by AI. This acceleration in discovery is outpacing the traditional 90-day coordinated vulnerability disclosure policy, leaving a window of risk for end users.
Early results from the participating partners indicate a substantial increase in bug detection rates. Cloudflare reported finding 2,000 bugs across its critical-path systems, with 400 rated as high- or critical-severity, and noted that the model's false positive rate compared favourably with that of human testers. Similarly, Palo Alto Networks included over five times the usual number of patches in its latest release, while Oracle reported finding and fixing vulnerabilities multiple times faster than before. Microsoft indicated that the number of new patches would continue to trend larger for some time.
Beyond commercial software, Anthropic has used the model to scan more than 1,000 open-source projects that underpin much of the internet. The model has identified an estimated 6,202 high- or critical-severity vulnerabilities in these projects. Of the 1,752 vulnerabilities assessed by independent security research firms, 90.6 per cent were confirmed as valid true positives, with 62.4 per cent confirmed as high- or critical-severity. This suggests the model is on track to surface nearly 3,900 high- or critical-severity vulnerabilities in open-source code alone, in addition to findings from its commercial partners.
To address the influx of reports, Anthropic has released Claude Security in public beta for Enterprise customers and partnered with the Open Source Security Foundation’s Alpha-Omega project to assist maintainers in triaging bug reports. The company continues to withhold the general release of Mythos-class models due to current safeguard limitations, aiming instead to provide asymmetric security advantages to critical infrastructure defenders. Anthropic plans to expand the project with US and allied governments in the near future.