Category: Cyber Security | Published: 2026-06-09
For years, the biggest challenge in cyber security was finding vulnerabilities quickly enough. Security teams knew flaws existed across their software and infrastructure, but the work of discovering them was slow, expensive, and reliant on a limited pool of skilled researchers.
AI cybersecurity tools are changing that equation dramatically. And the result is not entirely reassuring.
Anthropic's Project Glasswing: A Glimpse of What Is Coming
Earlier this year, Anthropic launched a restricted initiative called Project Glasswing, a programme designed to test the defensive potential of advanced AI in cybersecurity before the same capabilities reach attackers. At its core is Claude Mythos Preview, a specialised version of Anthropic's AI built specifically for vulnerability discovery, software analysis and cyber defence.
Mythos Preview has not been made publicly available. Instead, it was provided to approximately 50 carefully selected partners, including organisations responsible for protecting some of the world's most critical digital infrastructure.
In just one month, those partners collectively identified more than 10,000 high- or critical-severity vulnerability candidates. Over 1,700 of those have been verified as genuine security flaws. More than 1,000 have been confirmed as high- or critical-severity vulnerabilities requiring urgent attention.
To understand the scale of what that means: these are not minor software bugs. High- and critical-severity vulnerabilities are the kind that attackers actively hunt for because they can enable full system compromise, data theft, or service disruption.
A Real Example: The wolfSSL Flaw
One of the more striking discoveries from Project Glasswing involved wolfSSL, a cryptographic library deployed across billions of devices worldwide. Mythos Preview identified a vulnerability that could have allowed attackers to forge digital certificates, effectively enabling them to impersonate legitimate websites and services. The flaw has since been patched, but it is the sort of vulnerability that would traditionally take months of manual review to surface.
Anthropic also scanned more than 1,000 open-source software projects that form the backbone of large parts of the internet. That exercise alone produced 6,202 potential high- or critical-severity vulnerability candidates, of which 1,094 have already been confirmed as genuine.
The Bottleneck Has Moved
The most significant claim in Anthropic's announcement is not about the number of vulnerabilities found. It is about what happens next.
For most of the history of software security, the constraint was discovery. Researchers and automated tools simply could not find flaws fast enough. AI cybersecurity tools have now shifted that constraint. As Anthropic put it: progress on software security used to be limited by how quickly vulnerabilities could be found. Now it is limited by how quickly teams can verify, disclose and patch the large numbers of vulnerabilities that AI is discovering.
In other words, the finding is no longer the bottleneck. The fixing is.
That observation is backed up by independent research. According to Google's Mandiant M-Trends 2026 report, the mean time to exploit a newly disclosed vulnerability has reached negative seven days. Exploitation is now routinely occurring before a patch even exists. Of all vulnerabilities disclosed last year, 28.3 per cent were being actively exploited within 24 hours of public disclosure.
The Industry Is Seeing the Same Pattern
Project Glasswing is not an isolated experiment. The same pattern is appearing across the industry.
Cloudflare used Mythos Preview and found 2,000 bugs across critical systems, of which 400 were classified as high- or critical-severity. Mozilla ran the system against Firefox and found more than ten times as many vulnerabilities in a single testing cycle compared with conventional methods. Microsoft has acknowledged that patch volumes are expected to keep rising. Oracle has already accelerated its patching schedules in response.
Anthropic also points to research showing that AI cybersecurity tools are being adopted at scale: CVE submissions to the National Vulnerability Database have risen by 263 per cent since 2020, and the acceleration is continuing.
The Patching Gap Is Already Alarming
Even before AI-powered discovery is factored in, the gap between vulnerability disclosure and remediation is wide. Edgescan's 2025 Vulnerability Statistics Report found that the average time to remediate a known high- or critical-severity vulnerability is 74 days. More troublingly, 45 per cent of vulnerabilities identified in systems maintained by large organisations are never remediated at all.
When AI cybersecurity tools can surface thousands of verified critical flaws in a single month, that 74-day average and that 45 per cent figure become considerably more alarming.
The Same Capability Works for Attackers Too
AI-powered vulnerability discovery is not exclusive to defenders. The same techniques that allow Mythos Preview to find flaws in software are available, in various forms, to threat actors. CrowdStrike's 2026 Global Threat Report found that the average time for an attacker to move from initial access to lateral movement across a network has dropped to 29 minutes. The fastest observed case was 27 seconds.
IBM's X-Force Threat Intelligence Index for 2026 adds further context: 56 per cent of publicly known vulnerabilities can be exploited without any authentication, meaning an attacker does not need to have any existing foothold in a system to take advantage of them. The World Economic Forum's Global Cybersecurity Outlook 2026 reported that 87 per cent of security professionals now consider AI-related vulnerabilities the fastest-growing category of cyber risk.
AI cybersecurity cuts both ways. The defenders who adopt it gain a significant advantage. The defenders who do not are leaving a widening gap.
AI as a Defensive Force Multiplier
The potential goes beyond finding bugs. One banking partner in Project Glasswing used Mythos Preview to identify and prevent a fraudulent wire transfer worth $1.5 million. Attackers had compromised a customer email account and used spoofed phone calls to support the fraud attempt. The AI flagged the pattern before the transfer went through.
This is the broader promise of AI cybersecurity: the ability to analyse large volumes of signals, correlate unusual patterns and surface threats faster than human analysts working alone can. For organisations that cannot afford a large in-house security team, AI-powered tools offer a way to extend their defensive capability significantly.
Why Anthropic Is Not Releasing This Publicly Yet
It is worth noting that Anthropic has not made Mythos Preview available to the public. The reason is explicit: the company says that no organisation, including Anthropic itself, has yet developed safeguards sufficient to prevent a model this capable from being misused in ways that could cause serious harm.
That is a candid acknowledgement of the double-edged nature of what has been built. The same capability that found 10,000 vulnerabilities in a month for defenders could theoretically be pointed in the other direction.
What This Means for Your Business
For most small and mid-sized businesses, building and running AI-powered security tooling in-house is not realistic. But the underlying shift matters regardless of company size. The window between a vulnerability being discovered and an attacker exploiting it has collapsed. Patching quickly, maintaining strong endpoint detection, and having visibility across your systems are no longer optional disciplines.
Our Managed EDR service is designed specifically for businesses that need robust, continuously monitored endpoint protection without the overhead of managing it internally. In an environment where AI cybersecurity threats move at machine speed, response time matters.
The Takeaway
AI cybersecurity represents both the most powerful defensive tool the industry has seen and a meaningful escalation of the threat landscape. The organisations that will fare best are those that treat it as both at once: investing in AI-assisted defences while recognising that attackers have access to the same playbook.
The bugs are being found faster than ever. The question is who finds them first.