Anthropic's Glasswing Leaves CVE Count Uncertain

Anthropic launched a restricted preview called Project Glasswing that lets a curated group of partners run its new security model, Mythos, against their software to find and remediate vulnerabilities before public release. Anthropic claims Mythos autonomously identified thousands of previously unknown high-severity flaws, and early partners include Microsoft, Google, Apple, Amazon Web Services, Nvidia, and other large infrastructure vendors. Independent enumeration of CVE records tied to Glasswing is unresolved; researcher Patrick Garrity found 75 CVE entries mentioning Anthropic since February, of which 35 are Anthropic-tooling issues and 40 are credited to Anthropic or affiliates, a dataset that may or may not map directly to Glasswing findings.

Mythos is presented as an LLM fine-tuned for automated vulnerability discovery and exploit generation. Public materials and vendor analyses highlight capability jumps in exploit success rates, for example the Checkmarx post shows Mythos producing working Firefox JavaScript exploits far more reliably than earlier models. Key technical points practitioners should note:

• •Mythos is reported to chain multi-stage vulnerabilities, including kernel escalation and browser exploitation, implying it automates both discovery and exploit synthesis.
• •Anthropic operates Mythos in a controlled, invitation-only mode under Project Glasswing to limit societal risk and coordinate responsible disclosure.
• •There is no public, verifiable mapping between the touted "thousands" of discoveries and CVE assignments; credit listings in the CVE database are inconsistent and incomplete.

The Glasswing effort sits at the intersection of AI-assisted offensive capability and defensive coordination. CISA leaders signaled that AI companies should play a larger role in the CVE program as disclosure velocity accelerates. For security teams, two broader shifts matter: first, automated discovery dramatically lowers the effort needed to find exploitable code paths, increasing the exposure surface; second, current disclosure infrastructure, human triage workflows, and patching SLAs were not designed for the resulting volume. Vendors and analysts, such as Forrester, argue that this is not just a tooling issue but a strategic change to how organizations govern software risk, prioritize patching, and engage in cross-industry remediation.

The CVE ecosystem relies on consistent attribution metadata and coordinated disclosure. Garrity's search exposed noisy attribution entries, mixing Anthropic-internal tooling bugs, third-party integration issues, and research credited to individuals or partner programs. That makes it impossible to say how many CVEs came directly from Glasswing without Anthropic publishing a reconciliation. The ambiguity fuels both alarm and skepticism: security vendors stress the defensive benefit of rapid discovery while observers warn that similar models, used maliciously, could compress the window between discovery and exploitation.

Expect the CVE program and vulnerability coordination bodies to adapt rules for AI-assisted findings, including provenance metadata and disclosure prioritization. Organizations should assume higher rates of discovered issues, re-evaluate patching SLAs, and demand clearer provenance from model providers. Also watch for vendor transparency: without a published mapping of findings to CVEs, risk teams cannot measure the defensive impact of Project Glasswing precisely.