Claude Mythos Preview has discovered 6,202 potential vulnerabilities estimated to be of 'high' severity or higher; an initial report on the high-performance AI, which is seeing moves toward use by Japanese banks, has been released.
Searching for software vulnerabilities has traditionally been a time-consuming process, requiring expert security researchers to read code and verify whether an issue is truly exploitable. However, Anthropic's high-performance AI, 'Claude Mythos Preview,' is said to be able to not only discover vulnerabilities but also verify their exploitability with high accuracy. Anthropic has published a report on the achievements of Claude Mythos Preview to date.
Project Glasswing: An initial update \ Anthropic
Claude Mythos Preview is an AI model that is not publicly available. Anthropic describes Claude Mythos Preview as having the potential to discover and exploit vulnerabilities at a level that surpasses most humans, except for the most skilled. In other words, while it is an extremely powerful reconnaissance tool for defenders, it is also a dangerous technology that could significantly lower the barrier to cyberattacks if used by malicious attackers.
In April 2026, Anthropic launched 'Project Glasswing,' an initiative to use Claude Mythos Preview for defensive purposes. Project Glasswing includes participation from Amazon Web Services, Apple, Cisco, Google, Microsoft, NVIDIA, Palo Alto Networks, and others, who are using Claude Mythos Preview to protect their critical software.
According to the Project Glasswing report recently released by Anthropic, Anthropic and approximately 50 partners used Claude Mythos Preview to discover more than 10,000 vulnerabilities rated as 'high' or 'critical' in globally important software.
One particularly significant achievement is their research into open-source software. Open-source software is software whose source code is publicly available and can be used and modified by anyone. Because it is widely used in foundational technologies such as Linux and cryptographic libraries, a single vulnerability can affect numerous companies and services.
Anthropic investigated over 1,000 open-source projects using Claude Mythos Preview and discovered 23,019 potential vulnerabilities. Of these, 6,202 were estimated to be of 'high' or 'critical' severity by Claude Mythos Preview.
However, not all of the candidates found by the AI are genuine vulnerabilities. Therefore, Anthropic had 1,752 of the candidates deemed high-severity verified by independent security research companies and others. As a result, 1,587 (90.6%) were genuine vulnerabilities, and 1,094 (62.4%) were actually rated as 'high' or 'critical.' Anthropic also publishes the progress of verification, reporting, and remediation for all vulnerability candidates of all severity levels after discovery.
The image below illustrates the process from discovery to reporting, remediation, and publication of security advisories for potential vulnerabilities found by Claude Mythos Preview in open-source software. Of the 23,019 potential vulnerabilities, 1,596 had been reported to maintenance personnel, 1,451 had been acknowledged by maintenance personnel, 97 had been remediated in upstream projects, and 88 security advisories had been published as of the time of writing. Note that the numbers in the image include all vulnerability candidates of all severity levels, including not only 'high' and 'critical' but also medium and low severity levels.
The impact of Claude Mythos Preview extends beyond software development to the financial sector, and Japanese financial authorities are also wary of its effects. According to Reuters, on May 12, 2026, Finance Minister and Minister of State for Financial Services Satsuki Katayama announced the establishment of a public-private working group to examine the cyber risks that Claude Mythos Preview poses to the financial system . In an era where AI can quickly detect vulnerabilities, how quickly banks can fix them will also become crucial.
Furthermore, Reuters reported on May 13, 2026, that Japan's three largest banks—Mitsubishi UFJ Financial Group, Mizuho Financial Group, and Sumitomo Mitsui Financial Group—are expected to have access to Claude Mythos Preview within approximately two weeks . However, each bank and Anthropic have declined to comment, and at the time of writing, this is not an official adoption announcement, but rather a report of efforts toward obtaining access.
Anthropic states that as AI has accelerated the speed at which vulnerabilities are found, the challenge has shifted from 'discovery' to 'verification, fixation, and release.' Even if a large number of vulnerabilities are found, security will not improve unless human developers and maintenance personnel review them, create fixes, and deliver updates to users.
If an AI with capabilities equivalent to Claude Mythos Preview were to become widely available without security measures, the cost for attackers to find and exploit vulnerabilities would decrease significantly. Therefore, Anthropic has not publicly released Claude Mythos Preview at the time of writing. Anthropic states that while powerful AI-driven vulnerability detection capabilities can be leveraged by defenses, mechanisms must also be put in place to prevent exploitation.
Related Posts:
