What Mythos AI Is and Why Its Bug Count Matters
Mythos is Anthropic’s security-focused large language model. In Project Glasswing it performs AI security scanning across live, production-grade software and infrastructure, identifying code vulnerabilities and multi-step exploit paths at a scale that traditional tools and human reviewers struggle to match. In preliminary testing, Mythos surfaced more than 10,000 high-risk or critical issues in under a month across core software applications, indicating a major shift in how defenders can approach code vulnerability detection. Cloudflare alone reported over 2,000 bugs in its own infrastructure, 400 of them classified as critical or high risk, while Mozilla found 271 security bugs in a new Firefox build, about ten times more than with earlier AI tools. These findings suggest frontier LLMs are now acting less like static scanners and more like fast, semi-autonomous security analysts embedded in development pipelines.
From Volume to Verification: The False Positive Problem
The early story of Mythos’s vulnerability findings is not only about volume but also about accuracy and trust. In Project Glasswing, Mythos scanned more than 1,000 open source projects and reported 6,202 high or critical severity bugs. Anthropic sent 28% of these, or 1,752 findings, to six independent security firms. Those reviewers reported a 9.4% false positive rate and confirmed 62.4% as genuinely high or critical severity, leaving roughly 28% that were neither outright false positives nor confirmed at the reported severity. While a sub-10% false positive rate is in line with many commercial scanners, the absolute number of incorrect or low-value alerts becomes large when an AI model scales to thousands of findings. As Cloudflare CSO Grant Bourzikas noted, “Ask a model to find bugs, and it will find them, whether the code has any or not,” warning that hedged, probabilistic results can overwhelm triage queues even when the overall accuracy looks acceptable on paper.
How AI Security Scanning Changes the Defensive Bottleneck
Project Glasswing highlights a structural shift: AI security scanning is no longer the slowest part of software defense. Mythos can detect some classes of vulnerability in seconds, including the complex multi-stage attack chains tested by the UK AI Safety Institute and in XBOW’s web vulnerability evaluations. Anthropic reports that partners are seeing around a tenfold increase in bug-finding speed, which shifts attention to what happens after a vulnerability is flagged. The new bottleneck is human: validating reports, writing fixes, testing them, and deploying patches safely. Anthropic says it has disclosed 530 bugs so far, with only 75 patched and 65 receiving public advisories, underscoring how far remediation lags behind discovery. In this environment, an AI that multiplies findings without equally improving triage and patch workflows risks widening the gap between known weaknesses and those that are actually fixed.
Strengths and Limits of Security-Focused LLMs in Production
Mythos shows both the promise and constraints of security-focused LLMs in real environments. On the strength side, the model has exposed severe issues, including a critical WolfSSL vulnerability, CVE-2026-5194, rated CVSS 9.1 and capable of enabling certificate forgery. It can also chain weaknesses into proof-of-concept exploits, moving beyond simple pattern matching. Yet this power increases operational risk: each complex finding demands deeper review, and Mythos’ probabilistic nature means results can vary with each run. Bourzikas warns that “hedged findings vastly outnumber the solid ones,” which is acceptable for exploration but “ruinous” for a production triage queue. Anthropic’s controlled-access Project Glasswing, plus partnerships with efforts like the Open Source Security Foundation’s Alpha-Omega project, show a cautious path forward. Mythos demonstrates that frontier LLMs can materially improve AI security scanning, but success now depends on reducing false positive rates and scaling human-guided remediation.
