The Vulnerability Bottleneck Has Moved

Security teams have spent years treating vulnerability discovery as the hard part. The latest numbers from Project Glasswing suggest the harder problem may now be everything that comes after.

In its first month, Anthropic’s Mythos Preview model reportedly surfaced more than 10,000 high- or critical-severity vulnerabilities across software used throughout the internet ecosystem. The partner list alone hints at the scale: Cloudflare, Mozilla, Apple, Google, Microsoft, the Linux Foundation, and AWS were all involved in the early rollout.

The most striking comparison came from Firefox. Mythos Preview identified 271 vulnerabilities, compared to just 148 findings from an earlier Claude Opus 4.6 run. The codebase did not suddenly become dramatically less secure. The scanning capability improved.

That shift matters because automated vulnerability discovery has historically suffered from a high false-positive rate. Security teams are used to scanners producing oceans of noise. Glasswing’s reported numbers are different enough to force attention. Across more than a thousand scanned open-source repositories, 1,587 findings were triaged as true positives out of 1,752 assessed cases — roughly 90.6% precision.

At that level, maintainers cannot simply ignore the queue.

The uncomfortable detail is what happened next.

Out of 530 high- or critical-severity vulnerabilities disclosed to open-source maintainers under coordinated 90-day disclosure rules, only 75 had been patched at the time of reporting. Just 65 carried public advisories. The overwhelming majority remained unresolved.

That changes the shape of the problem entirely.

For years, the cybersecurity industry optimized around finding vulnerabilities faster. Now the discovery pipeline appears capable of outpacing the human systems responsible for understanding, reproducing, prioritizing, and fixing those findings. Open-source infrastructure was never staffed for industrial-scale vulnerability intake. Many heavily used projects are maintained by small teams or volunteers working in spare time.

The result is a backlog of known exploitable issues accumulating faster than it can be drained.

The Glasswing update includes an especially alarming example: WolfSSL CVE-2026-5194, a certificate forgery vulnerability that could allow a fraudulent banking website to pass Transport Layer Security validation checks. WolfSSL is widely embedded across devices and infrastructure. Bugs like this are not theoretical edge cases hidden in obscure software.

Meanwhile, enterprise users are moving far faster. According to the report, internal deployments patched more than 2,100 vulnerabilities within three weeks. That difference is revealing. Enterprises control their own repositories, deployment pipelines, and staffing. There is no volunteer bottleneck, no public disclosure coordination, and no waiting for exhausted maintainers to review incoming reports after work hours.

The contrast highlights a growing asymmetry in software security. Large organizations may soon be able to continuously scan and repair their codebases with AI assistance, while the open-source dependencies underpinning those same systems struggle to keep pace.

Anthropic appears aware of the risks. Mythos Preview remains restricted to selected partners rather than being released publicly. The company reportedly stated that the model can identify and exploit zero-day vulnerabilities across major operating systems and browsers. One disclosed example involved a 17-year-old stack buffer overflow in FreeBSD’s RPCSEC_GSS handler.

That is perhaps the clearest signal from the whole Glasswing effort: the limiting factor in security is no longer necessarily finding vulnerabilities. It is building enough human and organizational capacity to absorb what increasingly capable systems can uncover.

The full breakdown and figures are available here: The Bottleneck Has Moved.