TL;DR: Frontier AI models can now find thousands of vulnerabilities in weeks, but China is distilling those same capabilities through industrial-scale campaigns. The US response is a voluntary 30-day review that was weakened before it was signed.
In May, Google’s Threat Intelligence Group confirmed the first known case of an AI system discovering and weaponising a zero-day exploit that was then deployed in the wild. A criminal actor used a frontier model to find a two-factor authentication bypass, build a working exploit, and use it before any defender knew the vulnerability existed.
That single incident compressed what used to take skilled hackers weeks into a process measured in hours. It is the clearest illustration yet of the dual-use problem at the heart of frontier AI: the same capabilities that let Anthropic’s Mythos find more than 10,000 high-severity vulnerabilities through Project Glasswing can, in the wrong hands, generate an equivalent number of exploits.
The defensive side
Project Glasswing is Anthropic’s showcase for what frontier models can do for cybersecurity defence. Since launch, Claude Mythos Preview has surfaced thousands of zero-day vulnerabilities across every major operating system and web browser, some of which had survived decades of human review. Anthropic has expanded the programme to approximately 150 organisations in more than 15 countries, including Samsung, SK Hynix, NATO, and the EU’s cybersecurity agency ENISA.












