AI Is Finding Thousands of Hidden Security Flaws in Critical Infrastructure

A company called Anthropic has expanded a cybersecurity project called Project Glasswing. It now works with about 150 new organizations across more than 15 countries. These organizations use an AI tool called Claude Mythos Preview to scan their computer code for security vulnerabilities—essentially weak points that hackers could exploit.

The expansion is significant because the initial group of 50 organizations already found more than 10,000 serious security flaws. Now the program is adding new partners from power plants, water systems, hospitals, phone networks, and hardware manufacturers. Many of these organizations provide services that people around the world depend on, including governments. Anthropic estimates that an attack on most of these partners could affect more than 100 million people.

Protecting the Systems Everyone Relies On

The new organizations were specifically chosen because their code is critical infrastructure—the digital backbone that keeps essential services running. Unlike older security tools that companies install and run themselves, Claude Mythos Preview works differently. It operates as a collaboration where Anthropic works with these organizations to find problems, and the discoveries can help protect the entire ecosystem.

Before any organization can use Claude Mythos Preview, Anthropic checks to make sure they meet security requirements. The company hasn't said exactly what those requirements are, but the screening process appears designed to balance letting more organizations in with protecting the AI system itself.

The U.S. government was among the original partners, which shows how seriously this project is taken at the highest levels.

How It Works and What It Found

Since April, these partner organizations have been using Claude Mythos Preview to scan their code. The AI tool looks through computer programs line by line, looking for security weaknesses the way a human auditor would, but much faster. In just two months, it found more than 10,000 significant vulnerabilities across the original group.

This rate of discovery is much faster than traditional security auditing, where human experts manually review code. Think of it like the difference between one person manually checking every brick in a wall versus a camera that can scan the entire wall at once and flag any cracked bricks.

What About Open Source Software

Anthropic is talking with other companies about using Claude Mythos Preview to scan open-source software—code that's freely available for anyone to use and modify. This is tricky because open-source code often gets used by thousands of organizations around the world at the same time.

If a security problem is found in widely-used open-source code, it has to be fixed carefully so that everyone using it knows and can update. The timing is complicated because different organizations move at different speeds, and people who manage open-source projects usually have smaller teams than big companies.

The Bigger Picture

There's a wider context here that matters. When automated security tools first appeared in the late 1990s, they also found thousands of problems in code that had seemed fine before. The code hadn't suddenly gotten worse—the new tools were simply able to examine it with a different kind of systematic attention. What we're seeing now with Claude Mythos Preview fits the same pattern. It's likely finding vulnerabilities that were always there but had been missed by traditional review methods.

That said, it's worth acknowledging that automated tools like this raise both opportunities and concerns. On one hand, finding thousands of security flaws before hackers do is genuinely valuable for protecting the systems and data people depend on. On the other hand, building AI systems that can discover vulnerabilities at scale introduces questions about how this technology might be misused, and whether the software industry is ready to handle the coordination challenges of patching so many issues across so many organizations. These are not settled questions.

Questions Still to Answer

Anthropic has published some technical documentation about how Claude Mythos Preview works, but important details remain unclear. For example, it's not entirely clear whether Claude Mythos Preview is a specialized version of Anthropic's general Claude AI, a different system entirely, or a set of tools wrapped around existing capabilities. That distinction matters for understanding how well it will work and how it might develop in the future.

Another open question is how the system handles false alarms—when it flags something as a vulnerability when it actually isn't. This has been a real limitation of automated security tools in the past. When a scanning tool flags thousands of issues, security teams have to spend time checking each one, and if many of them turn out to be false alarms, the tool becomes less useful.

Managing Growth

The move from 50 partners to about 200 is a significant scaling test. If Claude Mythos Preview keeps finding vulnerabilities at the current rate with all these new organizations, there will be a lot more security issues to coordinate and fix. This includes not just the organizations in the program, but all the other companies and people who use the software components they're scanning.

Open-source software adds another layer of complexity. When a security flaw is found in widely-used open-source code, it might affect dozens or hundreds of other organizations downstream. The software industry currently has processes for disclosing these problems safely, but those processes were built for human-speed discovery. AI-powered discovery that works much faster may strain those existing systems and require new approaches.

The expansion of Project Glasswing is a real-world test of using AI to protect critical infrastructure. The results from this larger group will probably shape how both Anthropic and the broader technology industry think about using AI in security in the future.