Anthropic's AI Found 10,000 Security Holes — Now It's Scanning Critical Infrastructure

by Geth Author

Anthropic announced on June 3, 2026 that Project Glasswing — its AI-powered vulnerability-hunting initiative — is expanding to 150 organizations in more than 15 countries. The program uses Claude Mythos Preview, an unreleased frontier model that Anthropic describes as capable of surpassing all but the most skilled human security researchers at finding and exploiting software vulnerabilities.

What Glasswing Has Found So Far

The initial cohort of roughly 50 partner organizations began working with Mythos Preview earlier this year. The results were stark: the model identified more than 10,000 high- or critical-severity vulnerabilities across the partners' codebases, including multiple zero-days in widely deployed software. These are the class of bugs — buffer overflows, logic errors in authentication flows, memory corruption issues — that historically take human security teams weeks or months to find.

The model doesn't just find bugs; it generates working patches. Partners reported that in most cases they received a vulnerability report and a proposed fix in the same Mythos session.

Who the Expansion Covers

The new 150-organization cohort includes sectors Anthropic describes as critical infrastructure: healthcare, energy, communications, and technology. The addition of healthcare and energy operators is a meaningful escalation — these are environments where an unpatched vulnerability can have consequences well beyond data exposure. A vulnerability in a hospital's clinical systems or an energy grid's control software has physical-world consequences.

Participation in Project Glasswing is gated. Organizations apply, agree to safety protocols and disclosure requirements, and receive access to Mythos Preview through a controlled API. They cannot export the model or run it independently.

The Uncomfortable Part

Anthropic is unusually transparent about the risk it's describing. The same capabilities that make Mythos Preview useful for defense make it dangerous for offense. A model that can find and explain 10,000 critical vulnerabilities can, in theory, help an attacker exploit them as well.

Anthropic's framing is that this capability already exists — or soon will — across the AI industry, and that the right response is to get it into defenders' hands first, under controlled conditions, rather than pretend the capability doesn't exist. The company estimates that within six to twelve months, many other AI labs will have Mythos-class models. Whether those models are released with equivalent safeguards is an open question.

Project Glasswing is, in effect, a bet that proactive defense has a window of advantage. The expansion to 150 critical infrastructure operators suggests Anthropic is trying to use that window before it closes.