What Mythos Revealed About Open-Source Security
AI-powered code auditing refers to the use of advanced machine learning models to automatically scan software codebases at scale, identify likely security vulnerabilities, and prioritize the most severe findings for human review and remediation in a continuous, repeatable way. Anthropic’s Mythos, used in Project Glasswing, has pushed this idea from theory into practice. Partners using the Claude Mythos Preview model have uncovered more than 10,000 high- or critical-severity vulnerabilities across software that underpins internet, cloud and enterprise systems. In Anthropic’s own open-source scan, Mythos examined over 1,000 projects and surfaced 23,019 potential issues, including 6,202 estimated as high or critical severity. This scale of AI vulnerability detection shows that the bottleneck is shifting. Finding bugs is no longer rare; deciding which issues to fix first, and how fast, is now the harder security problem.
Inside Project Glasswing: 6,202 Serious Flaws in 1,000 Projects
Project Glasswing turns Mythos into an automated, large-scale software vulnerability discovery engine aimed at critical open-source dependencies. Anthropic reports that Mythos identified 23,019 vulnerability candidates across more than 1,000 open-source projects, with 6,202 rated as high or critical severity. Of the high- and critical-rated findings reviewed by independent firms or Anthropic, 90.6% proved to be real issues, and 1,094 have been confirmed as high or critical. According to Anthropic’s May update, “Anthropic has disclosed 1,596 vulnerabilities across 281 open-source projects as of May 22, while 97 have been patched and 88 have received a CVE record or GitHub Security Advisory.” These numbers reveal wide security gaps in widely used dependencies that power modern applications, but they also show the new backlog: maintainers, many working in their spare time, are suddenly facing volumes of credible reports that once would have taken years of manual auditing to find.
From Discovery to Exploit: The wolfSSL Case Study
The most striking evidence of Mythos’s impact is not the volume of findings but the depth of some individual flaws. In wolfSSL, a widely used SSL/TLS library common in IoT and smart home devices, Mythos uncovered a critical vulnerability assigned CVE-2026-5194. Anthropic says the model could construct an exploit that allows attackers to forge certificates, letting malicious sites convincingly impersonate banks or email providers. This turns a quiet bug in a cryptography library into a broad risk for any application that trusts those certificates. Similar results have appeared in major products: Mozilla reports Mythos helped it find and fix 271 vulnerabilities in Firefox 150, more than ten times what it found in Firefox 148 with a previous Claude model. The wolfSSL case shows that AI vulnerability detection is already capable of surfacing bugs with real-world, high-impact exploitation paths.
How Organizations Are Using AI Code Auditing at Scale
For large organizations, Mythos reframes code auditing tools from occasional tests into permanent infrastructure. Cloudflare reports that Mythos found 2,000 bugs across its critical-path systems, including 400 high- or critical-severity issues, with a false-positive rate lower than that of human testers. Most Project Glasswing partners have found hundreds of serious vulnerabilities within a month, and several say their bug-finding rate increased more than tenfold. This forces new workflows: continuous triage, coordinated disclosure to open-source maintainers, and faster patch pipelines. Anthropic is responding with complementary offerings such as Claude Security for enterprise customers and a Cyber Verification Program for vetted professionals, while some Glasswing tools are available to qualifying security teams. As AI-driven software vulnerability discovery gets cheaper and faster, organizations that keep manual, infrequent testing will fall behind attackers and peers who treat continuous AI code auditing as a baseline security requirement.
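The workflow described above and in the opening definition (scan, deduplicate, prioritize for human review, track disclosure deadlines) is what a triage queue on top of an AI auditor has to do. The following is an added example, not code from Anthropic, Project Glasswing or any partner. It assumes a hypothetical findings feed in which each candidate carries a severity label, a model confidence score and a reachability flag; the severity weights, the fix-window days, the review threshold and the sample findings are all constructed for illustration, and a real program would set its own policy values.

```python
"""Triage queue for AI-generated vulnerability findings (added example, not Project Glasswing code)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values; constructed for this example.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # days from report to expected fix
REVIEW_THRESHOLD = 0.6   # below this confidence a human reviews before any maintainer contact
TODAY = date(2026, 5, 22)  # constructed reference date for the backlog report


@dataclass(frozen=True)
class Finding:
    project: str
    location: str      # file:line or function the model pointed at
    weakness: str      # e.g. "out-of-bounds read"
    severity: str      # "critical" | "high" | "medium" | "low"
    confidence: float  # model's self-reported confidence in (0, 1]
    reachable: bool    # whether the path is reachable from untrusted input
    reported: date


@dataclass
class Triaged:
    finding: Finding
    score: float
    needs_review: bool
    due: date


def dedupe(findings):
    """Collapse repeated reports of one weakness at one location, keeping the most confident."""
    best = {}
    for f in findings:
        key = (f.project, f.location, f.weakness)
        if key not in best or f.confidence > best[key].confidence:
            best[key] = f
    return list(best.values())


def score(f):
    """Severity scaled by confidence; unreachable paths are discounted, not dropped."""
    s = SEVERITY_WEIGHT[f.severity] * f.confidence
    return s if f.reachable else s * 0.5


def triage(findings):
    """Return the fix queue, highest priority first, with review flags and due dates."""
    queue = [
        Triaged(
            finding=f,
            score=round(score(f), 2),
            needs_review=f.confidence < REVIEW_THRESHOLD,
            due=f.reported + timedelta(days=SLA_DAYS[f.severity]),
        )
        for f in dedupe(findings)
    ]
    queue.sort(key=lambda t: (-t.score, t.due))
    return queue


def backlog(queue, today):
    """Per-project counts: serious (high/critical) findings, overdue fixes, items awaiting review."""
    summary = {}
    for t in queue:
        p = summary.setdefault(t.finding.project, {"serious": 0, "overdue": 0, "review": 0})
        if t.finding.severity in ("critical", "high"):
            p["serious"] += 1
        if t.due < today:
            p["overdue"] += 1
        if t.needs_review:
            p["review"] += 1
    return summary


# Constructed sample findings; the projects and locations are invented, not real reports.
SAMPLE = [
    Finding("libfoo", "parse.c:120", "out-of-bounds read", "critical", 0.92, True, date(2026, 5, 1)),
    Finding("libfoo", "parse.c:120", "out-of-bounds read", "critical", 0.75, True, date(2026, 5, 2)),  # duplicate
    Finding("libfoo", "util.c:40", "integer overflow", "high", 0.5, False, date(2026, 5, 3)),
    Finding("barproxy", "auth.go:88", "missing signature check", "high", 0.88, True, date(2026, 4, 1)),
    Finding("barproxy", "log.go:12", "format string", "low", 0.95, True, date(2026, 5, 10)),
]

if __name__ == "__main__":
    q = triage(SAMPLE)
    for t in q:
        f = t.finding
        print(f"{t.score:5.2f} {f.project:9} {f.location:12} {f.severity:8} due {t.due} review={t.needs_review}")
    print(backlog(q, TODAY))
```

The queue puts the confirmed-reachable critical finding first and the duplicate report disappears, while the low-confidence integer overflow is kept but flagged for a reviewer instead of being sent straight to the maintainer; the backlog report is what a team would watch to see disclosure windows slipping.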
What AI-Driven Vulnerability Discovery Means for Open-Source
The open-source ecosystem now faces a structural shift. Mythos has shown that widely used projects harbor thousands of high- or critical-severity open-source security flaws that traditional processes did not catch quickly. At the same time, Anthropic is keeping Mythos-class models behind controlled programs like Project Glasswing because it says no one has safeguards strong enough to prevent misuse at scale. That tension defines the next phase. Security teams and maintainers gain powerful AI vulnerability detection, but they also face relentless disclosure pressure and limited human time to patch, test and ship fixes. The market is already adjusting: security vendors report larger patch volumes as AI code auditors run continuously against their products. In this environment, the winners will be the teams that shorten patch cycles, streamline updates and treat AI-driven code auditing tools as ongoing infrastructure rather than one-off compliance checks.
