Anthropic's Project Glasswing and Claude Security Push
Anthropic's Claude Mythos Preview found 10,000+ critical vulnerabilities via Project Glasswing - but fewer than 100 are patched. Here is what that gap actually means for AI-assisted vuln triage.
Anthropic quietly launched two security-focused initiatives within the span of a month, and taken together, they represent something more systematic than a product announcement. The first β Project Glasswing, launched April 7, 2026 β hands a pre-release frontier model to a curated set of enterprise partners and asks it to find vulnerabilities before attackers do. The second β Claude Security, which entered public beta on April 30, 2026 β puts a generally available AI security assistant into the hands of Claude Enterprise customers. The questions worth asking: what has this actually found, how fast are those findings getting fixed, and what does a parallel Japan rollout involving sovereign finance institutions tell us about the geopolitical dimension of frontier AI access?
These are not rhetorical questions. Anthropic's Claude Mythos Preview has already surfaced over 10,000 high- and critical-severity vulnerabilities β including a 27-year-old flaw in OpenBSD and a 16-year-old bug in FFmpeg. Fewer than 100 of those findings have been patched as of reporting. That gap is where the real story lives.
Project Glasswing: Controlled Access, Frontier Model
Project Glasswing is a controlled early-access program. Anthropic selects partners, gives them access to Claude Mythos Preview β a frontier model not yet publicly released β and the stated goal is to identify and remediate critical vulnerabilities before they can be exploited in the wild. The partner list reads like a Who's Who of infrastructure and security incumbents: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.
The model running all of this is Claude Mythos Preview. It is distinct from Claude Opus 4.7, which powers the separate Claude Security product. Mythos is unreleased to the general public and is being deployed here specifically for offensive security research β meaning it is being asked to think like an attacker, enumerate attack surfaces, and surface vulnerabilities that production teams may have missed for years.
What Mythos Has Actually Found
The numbers are striking. More than 10,000 high- and critical-severity vulnerabilities identified. Among them: a 27-year-old vulnerability in OpenBSD and a 16-year-old bug in FFmpeg, both of which had sat undetected (or at least unreported) through decades of security audits, CVE submissions, and professional penetration testing.
The patch count is sobering by comparison. Fewer than 100 of the 10,000+ findings have been remediated as of current reporting. That is not necessarily a failure of the model β it may reflect the ordinary friction of enterprise patch cycles, coordination between upstream maintainers and downstream consumers, and the sheer volume of findings landing simultaneously on engineering teams. But it does mean the immediate practical impact of Glasswing is still largely unrealized. If a model can find vulnerabilities faster than organizations can fix them, the bottleneck has shifted from detection to remediation β and that is a harder problem that software cannot solve on its own.
Why the Partner Composition Matters
The mix of Glasswing partners is deliberate. Broadcom, Cisco, and Palo Alto Networks sit at the network and endpoint layer. CrowdStrike and SentinelOne handle endpoint detection. AWS, Google, and Microsoft control the cloud platforms where most enterprise software runs. Apple covers consumer OS and hardware. NVIDIA supplies the GPU infrastructure underlying a large fraction of AI workloads. Linux Foundation stewards critical open-source software.
In other words, Glasswing is structured to cover the stack: from silicon to OS to cloud to application to security tooling. A vulnerability found in a dependency used across all these environments β like the FFmpeg bug Mythos surfaced β is a vulnerability that could affect every partner simultaneously. The program's value, if it works as described, compounds precisely because of that breadth.
Claude Security: The GA Product for Enterprise Teams
Where Glasswing is a controlled research program, Claude Security is a product. It entered public beta on April 30, 2026, and is available to Claude Enterprise customers today. It runs on Claude Opus 4.7 β a publicly released model β rather than Mythos Preview.
What It Does
Claude Security is positioned as an AI-assisted vulnerability management tool integrated into existing security workflows. Its advertised capabilities include:
- Static and dynamic codebase scanning for vulnerabilities
- Analysis of module interactions and dependency chains β not just line-by-line code review
- Automated generation of targeted patches with a confidence score attached
- Export to CSV and Markdown for audit trails and reporting
- Webhook integrations with Jira and Slack for existing ticketing and alerting pipelines
The confidence scoring deserves attention. Patch recommendations from a language model without a quality signal attached are hard to act on β a confident wrong patch can introduce new vulnerabilities while appearing to fix an old one. Confidence scores, if calibrated well, give security engineers a triage layer: high-confidence suggestions go directly to review; low-confidence suggestions flag for manual investigation.
Partner Integrations
Claude Security launches with integrations across several major security platforms:
| Platform | Integration |
|---|---|
| CrowdStrike | Falcon platform + Project QuiltWorks |
| TrendAI | Threat intelligence feed integration |
| Microsoft Security | Microsoft Defender and Sentinel ecosystem |
| Palo Alto Networks | Cortex XSOAR and XSIAM workflow automation |
| SentinelOne | Endpoint detection and response |
| Wiz | Cloud security posture and workload scanning |
The CrowdStrike integration is notable for including Project QuiltWorks, CrowdStrike's own AI-augmented security research initiative. That two AI-driven security programs are now formally interoperating suggests the industry is starting to build connective tissue between AI security products β whether those integrations deliver on their promise at scale remains to be seen.
Glasswing vs. Claude Security: A Direct Comparison
| Dimension | Project Glasswing | Claude Security |
|---|---|---|
| Audience | Vetted enterprise partners only (11 named orgs) | Claude Enterprise customers broadly |
| Model | Claude Mythos Preview (unreleased frontier) | Claude Opus 4.7 (publicly released) |
| Primary function | Pre-exploit vulnerability discovery at infrastructure scale | Codebase scanning, patch generation, workflow integration |
| Status | Active controlled program (launched April 7, 2026) | Public beta (launched April 30, 2026) |
| Remediation output | Findings handed back to partners for patching | Confidence-scored patches + ITSM/SIEM integration |
The distinction matters. Glasswing is research infrastructure; Claude Security is an operations tool. Glasswing finds the 27-year-old OpenBSD flaw; Claude Security is built to help a three-person security team triage the hundred tickets in their Jira backlog. Both are necessary. Neither is a substitute for the other.
Japan, MUFG, and the Geopolitics of Frontier AI Access
The Japan announcement on May 13, 2026 adds a dimension that is easy to dismiss as a diplomatic sideshow and probably should not be. US Treasury Secretary Bessent announced during his Tokyo visit that Japanese government institutions and the three megabanks β MUFG, SMBC, and Mizuho β would gain access to Claude Mythos. Japan Finance Minister Satsuki Katayama confirmed the arrangement publicly. A 36-entity public-private working group was announced alongside it.
This is frontier AI access as a foreign policy instrument. Mythos is not yet generally available. The decision to extend it to Japanese sovereign financial institutions β through a Treasury-level announcement, with a finance minister's public endorsement, and a formal working group structure β is a deliberate signal about where the US and Japan want to align on AI capabilities and standards. The Next Web noted the unusual nature of a model access program being announced at a diplomatic level.
For Indian engineers and security teams reading this: the 36-entity working group is worth monitoring. Japan's financial infrastructure parallels India's in certain ways β large public-sector bank exposure, regulatory complexity, and significant digital payments infrastructure. If the Glasswing/Mythos framework produces meaningful results in Japanese financial institutions, it will likely become a template for analogous arrangements elsewhere in Asia.
What the Finance Sector Deployment Implies
Banks are a different attack surface than cloud infrastructure or consumer OS. The vulnerabilities that matter in financial systems tend to be in transaction processing code, settlement logic, authentication flows, and API surfaces exposed to correspondent banks and payment networks β not in kernel drivers. Whether Mythos was trained or fine-tuned on financial software artifacts, or whether its general code understanding extends cleanly to COBOL and legacy transaction systems, has not been detailed in any public announcement. That gap in the public record is worth noting honestly: "access confirmed" and "effective at financial-sector vulnerability discovery" are different claims, and only the first has been verified.
The Patch-Velocity Problem
The most underreported number in this story is the fewer-than-100 patched out of 10,000+ found. The implication: Glasswing has created a large, apparently growing database of known critical vulnerabilities across major infrastructure components β vulnerabilities that were previously unknown, now known to Anthropic and its partners, but not yet fixed.
This is not unique to Glasswing. The security industry has long lived with disclosure timelines measured in months. But AI-assisted discovery can outpace AI-assisted remediation if organizations are not staffed and structured to act on findings quickly. A single human engineer reviewing model-generated patch suggestions, triaging confidence scores, testing in staging, and coordinating with upstream maintainers is not going to close 10,000 tickets. The organizational infrastructure for acting on AI-generated findings at this volume does not yet exist at most companies β including, one suspects, some of the Glasswing partners themselves.
What to Watch
- Patch velocity over the next two quarters. The 10,000 finding / sub-100 patched ratio is the metric that determines whether Glasswing produces durable security improvements or a large unresolved backlog. Watch for Anthropic publishing aggregate remediation rates.
- Claude Security confidence score calibration. If the confidence scores on patch suggestions are well-calibrated, it will become one of the more practically useful features in enterprise security tooling. If they are not, they create false assurance. Independent assessments will tell the story better than vendor benchmarks.
- Japan working group outputs. A 36-entity public-private working group is large enough to produce real policy and technical outputs, or to produce nothing. The structure and any published findings over the next 6 months will signal which it is.
- Mythos public availability. Glasswing is by definition limited to partners Anthropic selects. If Mythos becomes generally available β or if a downstream version does β the competitive and safety dynamics change substantially.
- India / Southeast Asia parallel arrangements. If the Japan model (Treasury-level access, finance minister endorsement, working group) proves useful, similar arrangements with other allied economies are probable. India's financial regulators and IT ministry are the obvious next conversation.
- Patch tooling ecosystem. The real unlock for Glasswing's findings is not more AI discovery β it is faster, automated remediation tooling that can act on model-generated patches with appropriate guardrails. Watch which of the Glasswing partners ships something in this category first.
