Organizations using Claude Mythos have discovered thousands of vulnerabilities in the first month of security testing under Project Glasswing, per an announcement from Anthropic last week.
The project, initially announced on April 7, granted preview access of Mythos to about 50 organizations, including Apple, Google, JPMorgan Chase, the Linux Foundation and Microsoft. Anthropic said it felt compelled to limit the release after seeing the model’s ability to find previously undetected security weaknesses in some of the most widely used technologies.
“Ultimately, Mythos-class models will enable developers to build far more secure software by catching bugs before they are deployed,” Anthropic wrote in its May 22 update. “But this interim period — while vulnerabilities are being rapidly discovered and slowly patched — presents new risks.”
Most of the participants in Project Glasswing each found hundreds of critical- or high-severity vulnerabilities in their software, Anthropic said. In all, the companies invited to use Mythos Preview have so far flagged more than 10,000 significant security flaws.
One example offered in the announcement was Cloudflare. The provider of content delivery networks and other internet services uncovered approximately 2,000 vulnerabilities in its products; of those, 400 were treated as high- or critical-severity.
Anthropic said yesterday that it intends to release Mythos “in the coming weeks.”
“This is definitely something that we all need to prepare for,” said Jim Reavis, CEO of the Cloud Security Alliance (CSA), which published a strategy paper in April about the Mythos risk. The CSA is also conducting a series of forums for CISOs to share ideas and observations about how Mythos and other frontier LLMs will change cybersecurity. Those changes will be significant, Reavis said, because they have to be.
“We’ll see a lot more vulnerabilities,” Reavis said. “And as soon as you see a vulnerability or you see a vendor release a patch, an attacker will have a complete blueprint to immediately create an exploit out of that.”
To counter the AI threat, organizations need to take aggressive steps to automate security in the SOC, use agentic tools during incident response activities and place even more focus on least-privilege practices, Reavis said. “We’re all going to be working pretty hard for the next year or two.”
“It’s interesting how fast it’s moving,” said Barry Mainz, CEO of Forescout, a cybersecurity vendor. “It’s a shock to the industry, but a good shock.”
Security teams now better understand that defensive tactics such as threat containment and zero-trust security are crucial, Mainz said. Patch management will still matter, he added, but patching won’t be enough to defend against AI-driven attacks.
While teams should expect a difficult period of adjustment and experimentation in the near-term, Mainz said cybersecurity will take a big leap forward as a result of the vulnerabilities being exposed by AI.
“There’s some definite opportunities [for improved practices],” Mainz said. “It’s definitely shaking up the industry.”
Phil Sweeney is an industry editor and writer focused on cybersecurity topics.
Claude Mythos Preview and the new rules of cybersecurity
Agentic AI’s role in amplifying and creating insider risks
How AI threat detection is transforming enterprise cybersecurity
Health-ISAC: How Claude Mythos could impact healthcare cybersecurity
Stay up to date with the latest U.S. tech news, IPOs and executive moves shaping the industry each week.
Cloudflare cuts 1,100 jobs despite strong revenue growth, betting big on AI agents to reshape cybersecurity — but experts warn …
Anthropic’s Claude Mythos has generated buzz and alarm among CIOs and CISOs, who fear the model could expose vulnerabilities and …
FinOps gives businesses the operating model for visibility, accountability and value management. But traditional FinOps models …
Tightly coupled AI systems create control gaps. A reasoning-execution boundary enables policy-bound, traceable and auditable …
While AI’s utility will continue to generate revenue for businesses, its cost grows with it. FinOps is a key strategy and …
In this extract from his book, ‘The digital leader’s playbook’, CIO Paul Coby offers expert advice for established IT leaders and…
Microsoft goes on the offensive after a disgruntled security researcher unleashed a series of zero-days without checking in first.
Virgin Atlantic’s adoption of AI for customer service might indicate the fruits of a safety-first approach
©2026 TechTarget, Inc. d/b/a Informa TechTarget. All Rights Reserved.
Privacy Policy
Cookie Preferences
Do Not Sell or Share My Personal Information
Leave a Reply