Project Glasswing identifies over 10,000 critical vulnerabilities in first month using AI

An AI model found more than 10,000 high- or critical-severity vulnerabilities in essential software in roughly 30 days. Some of those bugs had been hiding in plain sight for nearly three decades.

Project Glasswing, launched by Anthropic on April 7, 2026, uses an unreleased AI model called Claude Mythos Preview to autonomously scan codebases for security flaws.

Bugs that outlived their creators

Among the thousands of vulnerabilities discovered, two stand out for sheer absurdity of scale. The AI found a 27-year-old remote crash vulnerability in OpenBSD, an operating system literally built around security as its core philosophy. It also flagged a 16-year-old flaw in FFmpeg, the widely used multimedia framework, that had managed to evade detection by over five million automated tests.

The project didn’t just find old bugs, either. Thousands of previously unknown zero-day vulnerabilities were identified across all major operating systems and web browsers.