Tuesday, 02 January 2024 12:17 GMT

AI Bug Hunt Strains Patch Pipelines Arabian Post


(MENAFN- The Arabian Post) Anthropic's Claude Mythos Preview has identified more than 10,000 high- or critical-severity software vulnerabilities through Project Glasswing, intensifying debate over whether frontier AI is becoming a defensive breakthrough or a new accelerant for cyber risk.

The findings, disclosed after the initiative's first month of operation, mark a sharp escalation in AI-assisted vulnerability discovery across software used in operating systems, browsers, cloud platforms, open-source projects and financial infrastructure. Anthropic has restricted wider access to Mythos Preview while giving selected technology companies, banks and security teams controlled use of the model for defensive testing.

Project Glasswing was launched on April 7, 2026, as a coalition built around critical software security. Its launch partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. More than 40 additional organisations involved in critical software infrastructure have also been given access under the programme.

The scale of the discoveries has put pressure on a long-standing weak point in cybersecurity: the gap between finding flaws and fixing them safely. Anthropic says many partners have each found hundreds of high- or critical-severity weaknesses, while several have reported more than a tenfold rise in bug discovery rates. Cloudflare, one of the participating companies, identified thousands of bugs across critical-path systems, with hundreds rated high or critical.

The disclosure has been handled cautiously because many of the vulnerabilities are still moving through coordinated remediation channels. Standard industry practice allows time for maintainers to assess, patch and distribute fixes before technical details are made public. That convention is now being tested by AI systems that can generate vulnerability reports far faster than human teams can validate them.


Open-source software is a central concern. Anthropic says Mythos Preview has scanned more than 1,000 open-source projects that underpin internet infrastructure and corporate systems. The model estimated 6,202 high- or critical-severity vulnerabilities among 23,019 findings across all severity levels. Independent security firms assessed 1,752 of the high- or critical-rated findings, with 90.6 per cent judged valid and 62.4 per cent confirmed as high or critical.

Those numbers point to both promise and strain. A high true-positive rate would make AI a powerful tool for defenders, particularly for under-resourced open-source maintainers. Yet even valid findings create operational pressure, requiring reproduction, severity assessment, disclosure reports, patch design and release coordination. Several maintainers have already asked for slower disclosure because they lack capacity to absorb the volume of reports.

One case involved wolfSSL, a widely used open-source cryptography library deployed across billions of devices. Mythos Preview identified a certificate-forgery flaw that could have allowed an attacker to host a convincing fake version of a bank or email provider website. The vulnerability has been patched and assigned CVE-2026-5194; a fuller technical analysis is expected once the fixes have been safely deployed.

Financial regulators are watching closely. Anthropic is expected to brief the Financial Stability Board on cyber vulnerabilities identified by Mythos, following concern that the same capabilities used to find flaws for defenders could eventually be used by adversaries against banks and other institutions with complex legacy systems. The watchdog's interest signals that AI-assisted exploit discovery has moved from a technical security issue into the realm of systemic risk oversight.

The model has also been tested against advanced cyber ranges. The UK's AI Security Institute found Mythos Preview to be the first model to complete both of its multistep cyberattack simulations end to end. Independent benchmarks have also placed it ahead of other systems in exploit development tasks, reinforcing concerns that the line between defensive tooling and offensive capability is narrowing.


Anthropic has framed the programme as a controlled attempt to give defenders an advantage before similar capabilities become broadly accessible. Mythos Preview is available only as a gated research preview, with access through selected cloud and platform channels. The company has committed up to $100 million in usage credits and $4 million in donations to open-source security organisations to support the initiative.

Security executives involved in Glasswing have described the shift as a structural change rather than a routine product improvement. Their concern is that attackers will eventually use comparable systems to compress the time between vulnerability discovery and exploitation. For defenders, the immediate challenge is to upgrade triage, patch management and asset visibility quickly enough to keep pace.

The findings also complicate the economics of software security. Traditional bug bounty programmes, code audits and penetration tests are expensive, episodic and limited by human labour. AI systems that can scan large codebases repeatedly may lower discovery costs, but they could also flood maintainers with complex reports that require scarce expert review. The bottleneck is shifting from detection to verification and repair.
