Anthropic said it is limiting the rollout of its AI model, Claude Mythos Preview, to a select group of companies after it identified thousands of critical vulnerabilities across operating systems, web browsers, and other software.
According to the company, the new general-purpose model also uncovered high-severity flaws in every major operating system and web browser.
“Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely.”
AI has already been leveraged by hackers to carry out cyberattacks, with incidents rising sharply. According to AllAboutAI, AI-powered attacks increased 72% year over year, and 87% of global organizations experienced such attacks in 2025.
Anthropic warned that similar capabilities in the hands of malicious actors could significantly escalate these threats.
To address the risk, the company on Tuesday launched Project Glasswing, a new initiative bringing together more than 40 organizations, including Amazon Web Services, Apple, Cisco, Google, JPMorgan, the Linux Foundation, Microsoft, and Nvidia.
The initiative will use Claude Mythos Preview to proactively identify software vulnerabilities, share findings with partners, and enable faster patching of critical flaws before they can be exploited.
Decades-old bugs uncovered
A zero-day vulnerability refers to a software flaw that can be exploited before developers are aware of it. Traditionally, detecting and fixing such issues has required highly specialized and costly expertise, but AI could dramatically improve both the speed and scale of discovery.
Anthropic said many of the vulnerabilities identified by its model are subtle and difficult to detect. Some date back decades, including a 27-year-old flaw in OpenBSD—an operating system known for its strong security—which has since been patched.
The model also uncovered a 16-year-old bug in the FFmpeg media processing library, a 17-year-old remote code execution vulnerability in the FreeBSD operating system, and multiple issues within the Linux kernel.
In addition, Claude Mythos Preview identified weaknesses in widely used cryptography standards and protocols such as TLS, AES-GCM, and SSH.
Anthropic noted that web applications remain highly vulnerable, with common issues including cross-site scripting, SQL injection, and more targeted flaws like cross-site request forgery, which is frequently exploited in phishing attacks.
Anthropic said that 99% of the vulnerabilities it identified remain unpatched, adding that “it would be irresponsible to disclose details about them.”
Software will become more secure—but not immediately
The company said this marks only the early stages of a broader shift, warning that strengthening global cyber infrastructure could take years. However, it added that AI is expected to play a key role in making software and systems more resilient over time.
“In the long run, we expect that defense capabilities will dominate: that the world will emerge more secure, with software better hardened—in large part by code written by these models. But the transitional period will be fraught.”
