Anthropic's Glasswing update: discovery is solved, patching is the new bottleneck

TL;DR: Mythos found 10,000+ high or critical bugs across 50 partners in one month, but only 97 are patched upstream. Anthropic also launched Claude Security beta for Enterprise customers, a scanner that suggests patches. Mature software shops gain from AI. Real-world businesses don't.

Anthropic just quietly stepped into a $60B market with its Glasswing update. And it's not AppSec.

Mythos found 10,000+ high or critical vulnerabilities in partner systems in one month. And only 14% of reported high or critical bugs are patched so far.

Mythos Preview's open-source disclosure funnel. Source: Anthropic.

Highlights:

  • Anthropic's public coordinated vulnerability disclosure (CVD) dashboard tells the patching story: of 23,019 candidate findings across 281 OSS projects, 1,596 were disclosed, 97 were patched upstream, and 88 have CVE or GHSA advisories. Average time to patch a high or critical bug is about two weeks.
  • Mythos constructed a working exploit for a wolfSSL flaw (CVE-2026-5194) that enables certificate forgery, letting attackers impersonate banking and email services in phishing campaigns.
  • On the open-source side, Mythos flagged 6,202 high or critical vulnerabilities across 1,000+ projects. Independent reviewers spot-checked 1,752 findings and confirmed 90.6% as valid.
  • Mozilla ran Mythos on Firefox 150 and pulled out 271 vulnerabilities. That's more than 10x what earlier models surfaced.
  • Anthropic also launched Claude Security in public beta for Claude Enterprise customers, a scanner that proposes fixes; Claude Opus 4.7 has been used to ship 2,100 patches in three weeks.

My take:

  1. Discovery is no longer the bottleneck. Patching is. HackerOne's 2026 data shows the same gap: bugs up 76%, fixes down 46%, critical backlog up 25x.
  2. Fixing is also getting easier, but unevenly. Mature shops with clean dependency trees and clear code ownership get the upside. Real-world businesses don't. I wrote about the same asymmetry: AI defense works if you own the code, not if you consume it.
  3. Anthropic looks to be probing the fraud prevention market. The $1.5M wire-fraud catch at a partner bank is the only data point so far, but it's a deliberate one to surface in a security-research update. AppSec is a ~$15B market in 2026. Fraud detection and prevention is ~$60B.

Sources:

  1. Project Glasswing: initial update (Anthropic)
  2. Anthropic's coordinated vulnerability disclosure dashboard