r/artificial / Anthropic | Research | 2026-04-18

Anthropic's Claude Mythos Compresses Zero-Day Discovery From Weeks to Hours

Anthropic's Project Glasswing — using an internal model variant called Claude Mythos — has demonstrated the ability to discover zero-day vulnerabilities in production software in hours rather than the weeks typically required by human researchers. Partner organizations including Microsoft, Apple, and Amazon are collaborating on responsible disclosure protocols.

## Claude Mythos Finds Zero-Days in Hours — Project Glasswing Goes Live

Anthropic has revealed Project Glasswing, a security research program using an internal model variant called Claude Mythos to autonomously discover zero-day vulnerabilities in major software systems. The project has reportedly compressed the discovery timeline for novel vulnerabilities from the weeks typically required by skilled human researchers to a matter of hours — a claim that, if it holds up under scrutiny, represents a seismic shift in offensive and defensive security.

Glasswing's approach combines symbolic reasoning about codebases with fuzzing guidance and static analysis, allowing Mythos to form hypotheses about likely vulnerability classes, prioritize exploration paths, and generate proof-of-concept exploits automatically. Unlike previous automated security research tools that excel at known vulnerability patterns, Glasswing is claimed to generalize to novel attack classes in unfamiliar codebases.

The announcement has triggered a complex reaction in the security community. On one hand, dramatically accelerating vulnerability discovery could mean that critical bugs in infrastructure software get found and patched faster — a net benefit for defenders. On the other hand, the same technology in adversarial hands — whether nation-state actors or criminals — could accelerate the offensive timeline in a way that blue teams cannot match.

Anthropic has structured Glasswing as a coordinated disclosure program, partnering with major technology companies to ensure discovered vulnerabilities are patched before details are released. Microsoft, Apple, and Amazon are named as current partners — suggesting the program is already active on production code, not just controlled test environments.

The broader implication is significant: if AI systems can now find zero-days faster than human researchers, the patch-cycle economics of software security change permanently. Bug bounty programs, security audit firms, and national vulnerability databases will need to adapt to a world where the rate of vulnerability discovery could outpace the human capacity to fix what is found.

Panel Takes

The Builder

Developer Perspective

If Glasswing is actually finding novel zero-days in Microsoft and Apple production code, this changes how I think about dependency security. I need to assume my third-party library surface is being continuously scanned by systems like this — both for good and bad actors.

The Skeptic

Reality Check

Anthropic has every incentive to oversell the capability of a proprietary internal model. 'Hours instead of weeks' needs independent verification — security researchers who can confirm specific CVEs were AI-discovered without human guidance. Glasswing could be real, or it could be an impressive demo environment.

The Futurist

Big Picture

The security equilibrium we've relied on for decades — that finding bugs is harder than patching them — is breaking. Glasswing is one data point in a trend that includes autonomous red-teaming, AI-generated exploit code, and LLM-assisted malware. The patch cadence of the entire software industry needs to accelerate by an order of magnitude.
