Anthropic's Cyber AI Has Found 23,000 Software Flaws, the Same Power That Got Mythos Restricted

While Washington and Anthropic fight over whether Mythos is too dangerous, the model has quietly been doing the thing that makes it dangerous. Through Project Glasswing, Anthropic's cyber AI has now scanned more than 1,000 open-source projects and flagged 23,019 issues, including 6,202 high or critical vulnerabilities. It is a remarkable defensive result. It is also exactly the capability that just got the model pulled offline.

Glasswing launched in April. The idea is straightforward: give trusted security teams early access to Claude Mythos, a model built to hunt software flaws, and point it at the critical open-source code the whole internet runs on before attackers find the holes. Mythos is not public; it is gated to defenders with guardrails, precisely because a tool this good at finding bugs is also good at exploiting them. That dual nature is the whole story.

The results are hard to argue with. Beyond the raw count, Mythos surfaced a 27-year-old bug in OpenBSD and a 16-year-old flaw in FFmpeg, the video software embedded in countless apps, both of which standard automated tools had missed for years. Cloudflare alone found around 2,000 bugs through the program, 400 of them high or critical. Mozilla and others added hundreds more. Anthropic has been disclosing the worst ones to maintainers and committed up to 100 million dollars in usage credits to keep it running.

Here is where it gets uncomfortable. The same model finding and fixing thousands of flaws can, in the wrong hands, find them to attack. That is why the government's cyber concern over Mythos was not crazy, even if Anthropic disputes how it was handled. A model that autonomously discovers zero-days is a defensive superpower and an offensive one at the same time, depending entirely on who holds it. Glasswing is the optimistic version. The export fight is the worried one.

Both can be true at once, and that is the hard part of this whole episode. Anthropic is now scaling Glasswing to around 150 organizations across more than 15 countries, aiming at power, water, healthcare, and communications. That is real security upside for critical infrastructure. It is also a lot of very powerful cyber capability spreading across borders, which is the exact thing export controls exist to slow. The June order and Project Glasswing are two reactions to the same fact: Mythos is unusually good at cyber.

So the model at the center of a national security fight has, in parallel, been one of the more effective security tools the open-source world has seen. Powerful cyber AI cuts both ways, and everyone from Anthropic to the White House is now arguing over which way it cuts. Glasswing shows the upside in hard numbers. The export order shows the fear. The vulnerabilities were real, and so is the worry.