An AI just conducted the largest-ever coordinated vulnerability hunt in cybersecurity history. Anthropic's Project Glasswing, deploying the Claude Mythos Preview model, discovered more than 10,000 high-severity or critical security flaws across critical infrastructure systems. Partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, NVIDIA, and Palo Alto Networks. Here's what was found and what every organization must do now.
What Is Project Glasswing and How Did It Find 10,000 Flaws?
Project Glasswing is Anthropic's initiative to deploy Claude Mythos Preview — a frontier AI tuned for cybersecurity — to autonomously discover vulnerabilities in critical software and infrastructure. As of June 2, 2026 (per CNBC), the project has expanded to 150 organizations across 15+ countries. The model analyzes codebases, API surfaces, and system configurations at a scale no human security team can match. Traditional penetration testing might audit one system over weeks; Glasswing analyzes thousands of code paths simultaneously.
"We're enabling AI to be the first line of defense at a scale that's never been possible before," Anthropic stated in the Glasswing partner announcement. The 10,000+ flaws are all high or critical severity — vulnerabilities enabling potential data theft, system compromise, or service disruption.
The Scale of the Problem — Why This Changes Cybersecurity
For context: the US National Vulnerability Database typically processes 25,000–30,000 CVEs per year across all reported software globally. Project Glasswing found 10,000+ flaws within its partner organizations alone, in a fraction of the time. Cisco's response is telling: starting July 2026, the company is moving to a twice-monthly vulnerability disclosure schedule — a direct response to "AI tools accelerating the discovery of software flaws." Before this: monthly disclosure cycle designed for human-speed research. After this: a faster cadence that reflects AI-speed discovery.
According to CrowdStrike's 2025 Global Threat Report, the average attacker breakout time has shrunk to just 62 seconds. AI-accelerated vulnerability discovery on both offense and defense makes defensive AI tools like Glasswing not a luxury but a necessity.
Which Organizations Are at Risk — What the Findings Reveal
AWS, Apple, Google, Microsoft, JPMorgan Chase — these are among the most security-sophisticated organizations on earth. If Glasswing found 10,000+ high-severity flaws across their combined infrastructure, the implication for mid-market enterprises (with a fraction of the security headcount) is stark. As we covered in our analysis of the Charter/Spectrum breach exposing 42 million records, even organizations with mature IT infrastructure can be compromised through a single employee account.
President Trump's June 2026 executive order on AI and cybersecurity — asking leading AI companies to give the federal government early access to advanced models for 30-day security review — underscores how seriously government is taking this risk.
What Your Organization Must Do Right Now
The 10,000+ discovered vulnerabilities were shared with the affected organizations — Glasswing partners are already patching. The risk falls most heavily on organizations outside the Glasswing network relying solely on traditional practices. Immediate actions: audit third-party dependencies and open-source components (supply chain vulnerabilities represented a significant share of Glasswing discoveries); review authentication and access control configurations; evaluate whether your security tooling includes AI-accelerated vulnerability scanning capability.
What This Means for You
Project Glasswing's findings are a direct call to action. The gap between offensive AI-assisted hacking and defensive AI-assisted security tools is narrowing — but only for organizations actively adopting the latter. Evaluate AI-assisted scanning tools from CrowdStrike, Palo Alto, or Tenable. Ask your security vendor whether their tools have been updated for AI-speed discovery rates. Ensure your patch management cadence can respond to Cisco's new twice-monthly disclosure schedule.
Frequently Asked Questions (FAQs)
Q: What is Anthropic Project Glasswing and who is involved?
A: Project Glasswing is Anthropic's AI-powered cybersecurity vulnerability discovery initiative using Claude Mythos Preview. Partners include AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, NVIDIA, Palo Alto Networks, and 40+ others across 150 organizations in 15+ countries.
Q: How many vulnerabilities did Project Glasswing find?
A: As of June 2026, Project Glasswing has discovered more than 10,000 high-severity or critical security vulnerabilities across critical infrastructure belonging to its partner organizations.
Q: How is AI changing cybersecurity in 2026?
A: AI accelerates both attack and defense. On defense, projects like Glasswing audit codebases at scale. On offense, AI tools can discover vulnerabilities faster than human researchers. Cisco's shift to twice-monthly vulnerability disclosures is a direct response to this acceleration.
Q: Can small businesses use AI-powered cybersecurity tools like Glasswing?
A: Project Glasswing is a large-organization partner program. However, AI-powered vulnerability scanning is available commercially through Tenable, Qualys, CrowdStrike, and Palo Alto Networks — many with small business tiers.
The cybersecurity landscape of 2026 is being rewritten by AI. Project Glasswing's 10,000+ vulnerability count is just the opening chapter. Is your organization's security stack ready for AI-speed threats? Share your thoughts below.
