Anthropic Project Glasswing: AI Finds 10,000+ Zero-Days

May 23 · Source: HotHardware

Summary

Anthropic's Project Glasswing aims to make AI agents safer by proactively finding vulnerabilities. In its first month, the project surfaced over 10,000 high- and critical-severity zero-day vulnerabilities, a number that would typically take traditional security teams years to uncover. The initiative involves around 50 major tech industry partners, including Microsoft, Google, and Cloudflare. AI coding capabilities can now match or outperform human penetration testers in finding software flaws, and Project Glasswing ensures these capabilities benefit defenders first.

Cloudflare used the AI model, called Mythos Preview, on its critical systems and found about 2,000 bugs, 400 of them high or critical severity. Mozilla used it to audit Firefox 150 and patched 271 vulnerabilities. In the open-source arena, Mythos Preview flagged over 6,000 high- or critical-severity vulnerabilities in widely used projects. Within a large subset of these, a 90.6% true-positive rate was confirmed. The findings included a critical flaw in the wolfSSL cryptography library, used by billions of devices, which has since been patched.

Anthropic is currently keeping Mythos Preview from public release because its powerful defensive capabilities could also make it a dangerous offensive tool if misused. The project highlights the critical need to secure AI agents as their capabilities rapidly advance.

Read the full article on HotHardware

This is an AI-generated audio summary. Always check the original source for complete reporting.
