← All articles

Anthropic Project Glasswing Finds 23,019 Vulnerabilities in Month One — What CISOs Must Know in 2026

By Asaf Katz · July 16, 2026

QUICK ANSWER

Anthropic launched Project Glasswing on April 7 2026, giving Claude Mythos Preview to 50 partner organizations for defensive cybersecurity work only. The first-month report showed 23,019 vulnerabilities found across 1,000+ open-source projects, with 90.6% confirmed real on independent sampling. For cybersecurity vendors, this sets a new AI benchmark that buyers will reference in every procurement conversation.

Anthropic Found 23,019 Real Vulnerabilities in Month One — What That Means for Cybersecurity Vendors

On April 7, 2026, Anthropic launched Project Glasswing: a controlled program giving Claude Mythos Preview to approximately 50 partner organizations for defensive cybersecurity work exclusively. No offensive use cases. No general access.

The first-month results, published May 22, are striking:

For cybersecurity vendors selling to CISOs, security architects, and heads of AppSec, this changes your procurement landscape.

Why This Matters for Cybersecurity Vendors

Buyers now have a reference point for AI-assisted vulnerability discovery. Before Glasswing, "AI for security" was a marketing category. After the first-month report, it is a quantified benchmark. When you claim AI improves your detection rate, buyers will reference Claude Mythos finding 23,019 confirmed real vulnerabilities in 30 days across open-source infrastructure.

The 90.6% accuracy bar is your new floor. Any AI-assisted security product that ships with higher false-positive rates than Claude Mythos will face skepticism in procurement. CISOs who have seen the Glasswing report will ask about your precision rate before discussing your recall.

Scope matters. Glasswing covered open-source repositories — not proprietary enterprise code. This is important context: enterprise environments with custom code, internal frameworks, and unique configurations present different challenges. Vendors who can speak to that gap in the Glasswing data have a differentiated conversation.

How Cybersecurity Vendors Should Respond

Use the Glasswing data in your positioning. If your product covers ground Glasswing does not — proprietary code analysis, runtime detection, cloud configuration, identity posture — name it explicitly. Do not compete directly with a Claude benchmark. Position alongside it.

Host a CISO roundtable on AI in vulnerability management. The Glasswing results give you a timely, credible hook for a live event: "What does 23,019 AI-found vulnerabilities mean for your security posture?" That question gets CISOs in the room. The event earns the meeting.

Address the deployment gap. Glasswing is controlled access for 50 organizations. Most enterprise security teams will not have Mythos access in 2026. Your product, if it delivers AI-assisted coverage now, wins on availability even if Mythos beats it on raw performance.

LinkedOtter in Cybersecurity Pipeline

LinkedOtter runs event-led pipeline for cybersecurity vendors — CISO roundtables, security-focused webinars, invite-only panels — using timely news hooks like Glasswing to fill rooms with high-intent buyers.

With 38 C-level attendees at RSA from 1,266 prospects and 43 qualified meetings in 60 days, the model works in security-heavy enterprise markets where trust and credibility drive decisions.

The Glasswing results give cybersecurity vendors a news hook that earns a CISO's attention. LinkedOtter turns that attention into a booked meeting.

Events from $6,000 per event.

Frequently asked questions

What is Anthropic Project Glasswing?

Project Glasswing launched April 7 2026, giving Claude Mythos Preview to approximately 50 partner organizations for defensive cybersecurity work only. The goal: test AI-assisted vulnerability discovery at scale in controlled conditions.

How many vulnerabilities did Claude Mythos find in month one?

The first-month report published May 22 2026 showed 23,019 vulnerabilities found across 1,000+ open-source projects, with 90.6% confirmed real on independent sampling.

What is the false-positive rate for Claude Mythos in Project Glasswing?

90.6% of found vulnerabilities were confirmed real on independent sampling — a precision rate well above most automated scanning tools currently in enterprise security stacks.

How should cybersecurity vendors respond to the Glasswing benchmark?

Position your product alongside Glasswing rather than competing with it. Highlight coverage gaps — proprietary code, runtime detection, cloud config, identity posture — that the Glasswing open-source scope does not cover.

Can a CISO access Claude Mythos for vulnerability scanning in 2026?

Not broadly. Project Glasswing is limited to approximately 50 partner organizations with controlled access for defensive use only. Most enterprise security teams will not have Mythos access in 2026, which creates a window for commercial security vendors.

Related

Take the free 60-second check