Numbers that change the rules of cybersecurity

When Anthropic launched Project Glasswing on April 7, 2026, it used cautious language. The Claude Mythos Preview model — the most capable version of Claude yet — was to remain only in the hands of vetted partners, and no general release was planned. The May 22 update, however, fundamentally changes the tone.

After the first month of testing, roughly fifty partner organizations are reporting over ten thousand high- or critical-severity vulnerabilities. That is a number that changes the entire equation — previously, finding bugs was the limiting factor. Now it's the ability to fix them.

Cloudflare discovered 2,000 bugs in its critical systems, 400 of which were high or critical severity — with a lower false positive rate than human testers. Mozilla found and fixed 271 vulnerabilities in the current version of Firefox 150, which is more than ten times what it found in the previous version (Firefox 148) using the Claude Opus 4.6 model. Palo Alto Networks included five times more patches than usual in its latest update.

Open source under fire: 3,900 confirmed critical bugs

Anthropic also deployed Mythos Preview to scan over 1,000 open-source projects that much of the internet relies on. The model identified an estimated 6,202 vulnerabilities rated as high or critical. Six independent security firms then verified 1,752 of these findings — 90.6% were confirmed as valid and 62.4% retained their high or critical severity rating. At current success rates, this means nearly 3,900 confirmed high-severity vulnerabilities from just the first round of open-source scanning.

One concrete example: Mythos Preview identified vulnerability CVE-2026-5194 in the wolfSSL library, used by billions of devices worldwide. The model was able to build a functional exploit that would allow an attacker to forge certificates — essentially creating fake banking websites or email servers that an end user couldn't distinguish from legitimate ones. The flaw has already been fixed.

The UK's AI Security Institute also confirmed that Mythos Preview is the first model capable of fully solving both of their cyber simulators — multi-stage cyberattack scenarios, from intrusion to data exfiltration. The independent platform XBOW called the model a "significant leap over all existing models" on the web exploit benchmark.

Bottleneck: even developers themselves can't keep up with fixes

The biggest problem Glasswing uncovered isn't with the AI itself — it's human. Of the 530 high- or critical-severity bugs that Anthropic reported to open-source project maintainers, only 75 had been fixed by May 22. The average time to fix one such vulnerability is two weeks.

Several open-source project maintainers directly asked Anthropic to slow down the pace of reporting — they lack the capacity to triage, reproduce, and fix the bugs. Daniel Stenberg, founder and lead developer of cURL, told The Register that even improved AI reports place an enormous burden on maintainers.

Anthropic responded by partnering with the Alpha-Omega project from the Open Source Security Foundation and committing $4 million to help maintainers with triaging and processing reports. But that's a drop in the ocean — the problem is systemic and affects the entire software industry.

Claude Security: what's available today

While Mythos Preview itself remains behind closed doors, on May 22 Anthropic launched Claude Security — a tool in public beta for Claude Enterprise customers. It runs on the Claude Opus 4.7 model and allows companies to scan their own code repositories, find vulnerabilities, and generate fix suggestions. In the first three weeks, over 2,100 vulnerabilities were fixed through it — significantly faster than in the open-source world, because companies fix their own code directly.

Alongside this, Anthropic also launched the Cyber Verification Program, which allows verified security professionals to use Anthropic's publicly available models for legitimate security work without some of the standard anti-abuse restrictions.

For Czech companies, it's important that Claude is available in Europe, including support for Czech — however, Claude Security is currently intended only for enterprise customers, whose prices start in the range of tens of thousands of crowns per month.

Regulators take notice. And what about Opus 4.8?

Glasswing's results haven't gone unnoticed by regulators. Bank of England Governor Andrew Bailey, who chairs the Financial Stability Board (FSB) coordinating regulation across G20 economies, has asked Anthropic for a briefing on the vulnerabilities in the global financial system that Mythos uncovered. Meanwhile, US and Indian officials have called emergency meetings with banks and are pushing them to test their systems against Mythos-level threats.

And what about the speculation around Claude Opus 4.8? This model is not officially confirmed. The identifier "Mythos 1" briefly appeared in the Claude interface, but it's more of a signal from the user interface than a product announcement. Mentions of a Sonnet 4.8 model in the Claude Code source map leak from late March remain in the realm of speculation. The only confirmed models in production deployment are currently Claude Opus 4.7 (used in Claude Security) and older versions.

For the average Claude user in Czechia, this means that the benefits stemming from Mythos research — particularly more secure software and faster vulnerability fixes — will reach them sooner than Mythos itself. And from a cybersecurity perspective, that's actually good news.