Anthropic published its first progress update on Project Glasswing on 22 May 2026, approximately 30 days after the initiative launched. The headline result is striking: Claude Mythos Preview and approximately 50 partner organisations identified more than 10,000 high- or critical-severity vulnerabilities in systemically important software during that period. Of those, 6,202 were classified as high or critical severity across more than 1,000 open-source projects.
What Glasswing Is
Project Glasswing is Anthropic’s answer to concerns about the dual-use nature of its most advanced cybersecurity model, Claude Mythos Preview. Rather than making the model broadly available, the company restricted access to a curated group of trusted organisations focused on defensive security work. The 50 partners include software security firms, academic institutions, and critical infrastructure operators.
The Scale of the Finding
Finding more than 10,000 critical vulnerabilities in 30 days across 1,000-plus open-source projects puts the capability of AI-assisted security research in concrete terms. To put it in context: the entire CVE database, accumulated over decades of human security research, contains roughly 250,000 entries. A 30-day effort producing 10,000 high-severity findings represents a step change in the speed at which software vulnerabilities can be discovered and disclosed.
What It Means for UK Organisations
British organisations running open-source infrastructure — from NHS trusts using Linux-based systems to financial services firms relying on open-source database and cryptography libraries — should be watching Glasswing’s disclosure timeline closely. UK CISOs should prioritise reviewing their open-source dependency inventories and ensuring patch management processes are capable of responding quickly when disclosures arrive.
