← BACK TO HOME — Anthropic News — 进阶
行业观点 · ANALYSIS · IMPACT 8/10

May 22, 2026AnnouncementsProject Glasswing: An initial update

Anthropic's Project Glasswing, using Claude Mythos Preview, discovered over ten thousand high-severity vulnerabilities in critical global software within a month, shifting the core cybersecurity bottleneck from finding flaws to fixing them.

KEY POINTS
  • AI models (Mythos Preview) can now systematically discover high-severity software vulnerabilities at scale, far exceeding human teams.
  • The primary constraint in software security has shifted from the speed of finding vulnerabilities to the speed of verifying, disclosing, and patching them.
  • This capability has been validated in critical infrastructure (e.g., Cloudflare, Firefox) and financial fraud prevention scenarios.
  • This marks AI's transition from being 'the subject of defense' to becoming 'the most powerful defensive tool,' fundamentally altering the asymmetry of cyber warfare.
ANALYSIS

The Cause: When the AI 'Spear' Becomes Too Sharp, We Urgently Need a Stronger 'Shield'

For a long time, cybersecurity has been plagued by a disturbing 'asymmetry': attackers (hackers) only need to find one vulnerability to breach a system, while defenders (security teams) must guard against thousands of potential weaknesses. As AI models grow more powerful, a looming fear has been that malicious actors could use them to automate the discovery and exploitation of vulnerabilities, posing an unprecedented threat to global digital infrastructure. Anthropic's Project Glasswing was launched precisely against this backdrop. Instead of passive fear, the initiative proactively harnesses the power of cutting-edge AI to get ahead of attackers and cleanse the world's most critical software.

Deconstruction: From 'Humans Hunting Bugs' to 'AI Sweeping for Bugs,' with a Tenfold Efficiency Leap

The core of Project Glasswing is deploying Anthropic's most powerful confidential model, Claude Mythos Preview, to scan systemically important software globally (e.g., internet infrastructure, financial systems). Within one month, it discovered over ten thousand high or critical-severity vulnerabilities in partners' systems like Cloudflare and Mozilla. This number is staggering. More crucially, the efficiency gain: Cloudflare reported that the AI's vulnerability discovery rate was over ten times higher than their human testing team, with a lower false positive rate. In Mozilla's tests, the new model found ten times more vulnerabilities than the previous generation. This reveals a fundamental shift: the bottleneck in vulnerability discovery has moved from human cognitive and physical limits to AI's computational power and model capabilities.

Trend Insight: A 'Paradigm Shift' in the Security Industry and AI's New Role

The initial results from Glasswing reveal several deeper trends:

  1. The Core Conflict in Security Work Has Shifted: Historically, security teams spent most of their effort 'finding vulnerabilities.' Now, with AI capable of discovering vulnerabilities in bulk at high speed, the new bottleneck is 'how quickly we can verify, coordinate disclosure, and deploy patches.' As Microsoft and Palo Alto Networks noted, the number of patches they need to handle is surging. This demands a revolutionary acceleration in the vulnerability response processes across the entire software industry.

  • AI Transitions from 'Object of Protection' to 'Premier Defensive Weapon': In the past, discussions about AI safety focused more on concerns about AI models being attacked or misused. Now, models like Mythos Preview are becoming the most powerful tools for protecting the digital world. They don't just find code vulnerabilities; they can also identify and block fraudulent wire transfers (like a $1.5 million case) in real-time in banking scenarios. AI is acting as a 'super security analyst,' auditing code and transactions 24/7.

  • The 'Public Good' Nature of Open-Source Software Security is Reinforced: Anthropic proactively used the model to scan over a thousand open-source projects underpinning the internet, finding over six thousand high-severity vulnerabilities. This is akin to a large-scale 'security check-up' for the entire digital society. In the future, leading AI companies outputting their security capabilities as a 'public good' may become a new industry norm and responsibility.

  • Practical Value: Implications for Developers and Businesses

    For IT practitioners, this is not distant research news but a reality about to change how we work:

    • Security Response Processes Must Be Reimagined: If your enterprise relies heavily on open-source components or has a large codebase, automated, continuous vulnerability scanning using AI will become standard, not optional. You need to be prepared for the potential 'vulnerability information tsunami' AI might bring by establishing more efficient patch management and deployment workflows.
    • Re-evaluate Security Team Functions: The role of security experts may shift from 'manual digging' more towards 'vulnerability validation, risk assessment, and remediation strategy design.' Understanding the principles behind AI-discovered vulnerabilities, assessing their actual risk, and designing fixes—these higher-order judgments will become even more critical.
    • Update Your Perception of AI Capabilities: AI is not just an assistant for writing code or chatting; it has reached a level surpassing human experts in the highly specialized, logic-intensive field of security offense and defense. When evaluating the security of any software or system, considering whether it has been audited by advanced AI models will become a new, important metric.

    Counter-intuitive/Unexpected

    One point that might be overlooked is: Project Glasswing exposes a major shortcoming in current software engineering practices—our code production and maintenance processes cannot keep pace with AI's review speed. It's like having a super质检仪 that can inspect ten thousand products per second, while our assembly line and rework车间 still operate at a handicraft pace. This isn't just a security issue; it foreshadows that in all domains where AI capabilities surpass humans, society's 'response bandwidth' will become the new bottleneck. Another surprise is Anthropic's choice to first apply such powerful capability for 'defense' rather than commercialization, and to share some results with the community. This, to some extent, sets an ethical tone for the AI safety race.

    Analysis by BitByAI · Read original

    Originally from Anthropic News · Analyzed by BitByAI