Anthropic’s latest cybersecurity experiment has exposed a widening gap between how quickly AI can uncover software flaws and how slowly humans can fix them.

March–April 2026: Project Glasswing quietly launches

Last month, Anthropic launched Project Glasswing as a “collaborative effort to secure the world’s most critical software before increasingly capable AI models can be turned against it.” The initiative centers on a specialized model, Claude Mythos, designed to hunt for vulnerabilities in source code.

April–May 2026: AI finds thousands of flaws in weeks

Within its first month, Glasswing uncovered “more than 10,000 high- or critical-severity vulnerability candidates across some of the most systemically important software in the world.” Of those, 1,726 have been validated as true positives and 1,094 confirmed as high- or critical-severity flaws.

A key discovery was a critical bug in the wolfSSL library (CVE-2026-5194, CVSS 9.1) that could allow forged certificates and service impersonation across IoT, automotive, and industrial systems.

Defenders struggle to keep pace

Despite the surge in detection, “only 97 have been patched,” highlighting that “the rate of discovery is orders of magnitude faster than the rate of remediation.” As one analysis put it, “the gap between those numbers is the story.”

Anthropic itself warned that “the relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity,” urging developers to shorten patch cycles. Some major vendors are already adapting: Oracle has moved from quarterly to monthly patch releases, and Microsoft expects its monthly patch counts to “continue trending larger for some time.”

AI’s evolving role: from finding to fixing

To reduce the backlog, Anthropic is promoting tools like Claude Security, which “reasons about your code like a security researcher… validating findings, and proposing targeted patches” so vulnerabilities “get resolved instead of sitting in a queue.” The system performs multi-stage verification, ranks severity, and generates patches for human review, keeping “humans in the decision loop” so changes “aren’t shipped on their own.”

Anthropic frames this as giving defenders new leverage at a moment when “the pace of AI-enabled threats is accelerating,” even as the Glasswing results underline how far remediation practices must evolve to match AI’s speed.