Project Glasswing: AI Finds 23k Bugs, But Who Patches Them?

July 19, 2026 · 7 min read

Project Glasswing: AI Finds 23k Bugs, But Who Patches Them?

It starts with a headline that sounds reassuring: "AI finds 23,000 security flaws." The less reassuring part is that 99% of them are still sitting there, unpatched.

When Anthropic launched Project Glasswing in April, the coverage focused on what the model could do. Claude Mythos, a restricted tier of Anthropic's model line, had been let loose on partner codebases and found thousands of real vulnerabilities. It was fast, it was accurate, and it was being framed as a turning point for AI in cybersecurity.

The number that matters more is 75.

In short: Project Glasswing is Anthropic's controlled-access cybersecurity programme. Claude Mythos found 23,019 vulnerabilities across partner codebases. Fewer than 1% have been patched. The bottleneck is not finding bugs - it is fixing them. What you need to do:

What Is Project Glasswing?

Project Glasswing is Anthropic's controlled-access cybersecurity programme. It gives approved organisations access to Claude Mythos, a model tier above Opus designed to find and, in some cases, chain zero-day exploits in third-party code.

Launched April 7, 2026, it started with 12 founding partners: AWS, Apple, Google, Microsoft, NVIDIA, Broadcom, Cisco, Palo Alto Networks, CrowdStrike, JPMorganChase, the Linux Foundation, and Anthropic itself. Today it has over 200 approved organisations spanning NATO member states, ENISA, financial institutions, and enterprise technology vendors. It is not a public product. Access is controlled, participants are vetted, and the model operates under restrictions that include an export ban the U.S. Commerce Department imposed on June 12, lifted 19 days later on June 30, after authorities classified its capability as a dual-use concern.

The programme produces a steady stream of vulnerability disclosures fed back to affected vendors. On paper, it is a scaled-up bug bounty with an AI doing the hunting. In reality, it is a test of whether the industry can patch as fast as a model can find.

Access is structured in tiers. Founding partners get deeper integration with Mythos, including the ability to submit proprietary codebases for scanning under controlled conditions. The broader 200-plus approved organisations receive vulnerability disclosures scoped to open-source dependencies and shared infrastructure. The tiering reflects a deliberate strategy: Anthropic is learning how to scale AI-driven security without disrupting the normal vendor patch process, but that same tiering also means the most impactful findings land in the hands of organisations that already have mature security teams - which is not every organisation affected by the bugs discovered.

23,019 Findings, 75 Patches: The Numbers That Matter

MetricNumberSource
Total vulnerabilities discovered23,019Anthropic (per Memeburn)
High/critical findings6,202Anthropic (per Memeburn)
True-positive rate90.6%Independent assessment (per Memeburn)
Vulnerabilities patched75Anthropic (per Memeburn)
Percentage patched<1%Anthropic (per Memeburn)
Founding partners12Anthropic (per Memeburn)
Claude Mythos benchmark (Firefox JS shell)72.4%Anthropic (per Memeburn)
Days export ban lasted19 (June 12-30)Commerce Dept (per Memeburn)

The numbers are striking, but context matters.

A 90.6% true-positive rate means the model is genuinely good at finding real vulnerabilities. False positives are low enough that the programme can trust its outputs. The 72.4% benchmark on the Firefox JavaScript shell test for vulnerability discovery puts Mythos ahead of any publicly known AI model for this specific task.

But the number that stands out is the last one. Fewer than 1% of the discovered vulnerabilities have been patched, per Anthropic's own figures as reported by technology news outlet Memeburn. That is 75 fixes out of over 23,000 findings.

This is not unusual for vulnerability discovery at this scale. AI can scan thousands of codebases in the time it takes a human team to triage a single finding. The discovery pipeline accelerates, but the remediation pipeline moves at human speed: a vendor needs to reproduce the bug, engineer a fix, test it, and ship it through whatever patch cycle they operate. That process has not gotten faster just because the finder is now a model instead of a researcher.

The 75 patches that have been issued cover the most critical findings, but the backlog of 22,944 unpatched vulnerabilities is growing faster than any single vendor's patch cycle can absorb. This is not a criticism of the vendors involved. It is a mathematical reality of asymmetric speeds: one AI model can generate more validated findings in a week than a team of ten engineers can patch in a quarter.

The Find-vs-Fix Gap Is Not Anthropic's Problem

The gap between what AI can discover and what humans can fix is the real story of Project Glasswing. And it is not unique to Anthropic.

Security researcher Bruce Schneier called Glasswing a "fantastic PR move" in a blog post cited by Memeburn. His point was not that the programme lacks substance. It was that the narrative around AI-driven vulnerability discovery tends to skip past the hard part: someone still has to write the patch. Finding bugs and fixing them are different speeds entirely.

Finding bugs and fixing them are different speeds entirely.

The timing adds context. Anthropic filed confidential IPO paperwork on June 1 with a reported $965 billion valuation and an October Nasdaq target, per the Financial Times as reported by Memeburn. The 90-day Glasswing public summary report is due in July 2026. Memeburn's reporting draws a connection between the report timing and Anthropic's IPO roadshow period. That is the journalist's own analysis, not an established fact, but the programme's most detailed public reckoning arrives during a pivotal commercial moment for the company.

Meanwhile, competition is emerging. OpenAI released GPT-5.5-Cyber, aimed at similar vulnerability discovery tasks. Zhipu AI's GLM-5.2 is approaching Mythos-level detection at lower cost. Anthropic has acknowledged that Mythos-class models will likely exist from multiple vendors within 6 to 12 months. The moat is not the model. It is the trust infrastructure around access and disclosure.

On governance, Anthropic currently leads Glasswing directly but has stated an intention to transition to an independent third-party body. No timeline has been set. For an IT-pro evaluating the programme, this matters: as long as Anthropic controls both the finding model and the disclosure pipeline, the programme operates under a single vendor's priorities. An independent body would, in theory, set disclosure timelines, prioritisation criteria, and patch coordination standards that serve the industry rather than a single company's IPO timeline.

What This Means for Your Security Team

If you have ever looked at a vulnerability scan with 200-plus findings and known only a fraction will get patched this sprint, you already understand Glasswing's central problem. The bottleneck is not finding bugs. It is fixing them.

Here is what you can do this week, in roughly the order that makes a difference:

  1. Check the age distribution in your vulnerability backlog. Pull the full list and bucket findings by age: under 30 days, 30 to 90 days, 90 days to a year, over a year. The shape of that distribution tells you whether your remediation pipeline is keeping pace with discovery or quietly accumulating debt.

  2. Compare your find-to-fix time against industry benchmarks. If your mean time to remediate (MTTR) is longer than your scan cadence, you are adding findings faster than you close them. The total number of open items may look stable, but the trend is not.

  3. Review whether your team has dedicated remediation capacity. The most common pattern is patching as a side task squeezed between feature work. Glasswing-style accelerated discovery will only widen the gap. The fix is structural, not technical: schedule patching time, track it, protect it.

  4. If you use or evaluate AI-assisted vulnerability discovery, build the remediation pipeline before you enable additional scanning. Another scanner means more findings. More findings without more patching capacity creates larger backlogs, not better security. The order matters: pipeline first, scanning second.

  5. For small teams: prioritise known-exploited vulnerabilities first. Not all findings carry the same weight. A CVE with active exploitation in the wild matters more than a theoretical finding in a low-impact library. AI-driven discovery tools do not prioritise for you yet - that decision still belongs to your team.

Project Glasswing is a meaningful step for AI in cybersecurity. The model finds real bugs at impressive scale. But the number that matters most for your team is not 23,019. It is the number sitting in your own backlog, waiting for a fix that has not been scheduled yet.

Project Glasswing does not replace your patch management process. AI finds bugs faster than humans can fix them, and that gap is not getting smaller. The question to ask your team is not whether your AI can find more vulnerabilities. It is whether you have the capacity to fix the ones you already know about.

This article is based on pre-report data from Anthropic's May 22 update as reported by Memeburn. A 90-day public summary from Anthropic is expected in July 2026.


Further reading

Mathew Clark / Founder, SecureInSeconds / Currently: staring at my own vulnerability backlog and wondering if AI would make it better or worse

Share:

You might also like