Anthropic’s Project Glasswing Expansion Says the Security Bottleneck Is No Longer Finding Bugs — It Is Surviving the Fix Queue
Anthropic’s Project Glasswing expansion is easy to misread as another “AI finds zero-days” headline. That was the April story. The more important June story is less theatrical and much more uncomfortable: AI-assisted vulnerability discovery is starting to generate more validated security work than many organizations can absorb.
Anthropic says it is expanding Glasswing from roughly 50 initial partners to about 150 new organizations across more than 15 countries, focusing on power, water, healthcare, communications, hardware, critical vendors, and nonprofits whose code sits underneath large parts of society. The company says a major attack on many of these partners could affect more than 100 million people. That is the right target set if you believe frontier models will soon make high-end vulnerability discovery cheaper. It is also a warning: finding the bug is no longer the hard finish line. It is the start of the queue.
The numbers from Anthropic’s earlier Glasswing work are big enough to deserve skepticism and concrete enough to deserve attention. In its initial update, Anthropic said Mythos Preview scanned more than 1,000 open-source projects and estimated 23,019 total vulnerabilities, including 6,202 high- or critical-severity issues. Of 1,752 high/critical-rated findings assessed by independent security firms or Anthropic, 90.6% were valid true positives, and 62.4% were confirmed high or critical. Anthropic also said it had disclosed 530 high- or critical-severity bugs to maintainers, with 827 more confirmed vulnerabilities queued for disclosure, and 75 of the 530 reported bugs patched at that point.
The bottleneck moved from discovery to throughput
Those figures change the shape of the security problem. For years, the industry has treated vulnerability discovery as the scarce resource: hire better researchers, run better fuzzers, improve SAST, offer bug bounties, and hope serious findings arrive before attackers weaponize them. Glasswing suggests the scarcity is shifting downstream. Once a model can produce a high volume of plausible, triaged findings, the constraint becomes verification, reproduction, severity analysis, ownership, patch review, coordinated disclosure, advisory writing, release engineering, and deployment.
That is not a semantic distinction. A confirmed critical vulnerability sitting in a disclosure backlog is still risk. A generated patch that nobody has reviewed is still not a fix. A maintainer who receives fifty AI-assisted reports in a week still has the same number of hours. The model can make discovery cheaper; it cannot make maintainers infinite.
This is where Anthropic’s Claude Security positioning matters. The company says it recently released Claude Security, using public frontier models such as Claude Opus 4.8 to scan codebases and suggest patches, while Mythos Preview remains restricted because Anthropic believes Mythos-class safeguards are not ready for general release. That split is telling. Anthropic is trying to get useful defensive capability into ordinary security teams without broadly releasing the strongest offensive-research capability. It is a reasonable posture, but it creates a product and governance gap: selected critical-infrastructure partners get the sharpest tool, while most maintainers still need workflows that can handle incoming volume.
TechCrunch’s same-day coverage reported the expansion and said organizations named by Financial Times sources included Okta, Samsung, SK Hynix, SK Telecom, NATO, and ENISA, while noting it had asked Anthropic for confirmation. Even if that roster shifts, the direction is clear. This is no longer a lab demo pointed at toy repositories. It is a controlled rollout aimed at codebases where a successful exploit has societal blast radius.
Generic coding agents are not enough
Cloudflare’s write-up on Project Glasswing is the useful corrective to the naive version of this story. The company’s point was not “throw a coding agent at the repo and wait.” It argued that vulnerability research is narrow, parallel, and hypothesis-driven. A single generic agent stream over a large codebase covers only a tiny part of the useful attack surface before context limits, tool latency, and attention bottlenecks get in the way.
That matters for developers adopting Claude Security, Claude Code, Codex, or any other agentic scanning workflow. The winning shape is not one heroic chat session. It is a harness: codebase mapping, many focused subagents, scoped hypotheses, reproducible evidence, triage artifacts, severity rationale, patch suggestions, and reviewable state. Anthropic’s initial Glasswing materials described harnesses for codebase mapping, scanning subagents, triage and reporting, and threat-model building. That is the real product. The model is powerful, but the workflow around it determines whether findings become fixes or just scary prose.
Mozilla’s Firefox experience is another signal that this is real enough to plan for. Firefox 150 shipped fixes for 271 vulnerabilities identified during an initial Claude Mythos Preview evaluation, compared with 22 security-sensitive bugs found in Firefox 148 using Claude Opus 4.6. That is a striking jump, but Mozilla’s own framing is not “humans are obsolete.” It is closer to: if AI can close the gap between routine scanning and elite human research, defenders may finally drain some backlog — provided humans can still understand, prioritize, and safely change the code.
That last clause is the practitioner takeaway. AI vulnerability discovery punishes codebases that are already difficult for humans to reason about. If your build is not reproducible, tests are weak, ownership is unclear, dependencies are unmapped, and release trains are fragile, a better scanner mostly gives you a better list of things you cannot fix quickly. Complexity becomes incident debt. The same AI that finds the bug may propose a patch, but teams still need human review, regression coverage, deployment discipline, and rollback paths.
What teams should do before the scanner arrives
The first action item is inventory. Know which repositories matter, who owns them, what they depend on, and how patches ship. Orphaned components are where AI-generated findings go to die. If a project has no clear owner, no working CI, and no release process, a high-confidence vulnerability report becomes a coordination exercise instead of an engineering task.
Second, require evidence. AI-generated security reports should include reproduction steps, affected versions, severity rationale, exploitability assumptions, and references to the specific code paths involved. “The model says this is critical” is not a triage artifact. Treat generated findings like reports from a very fast junior researcher: useful, often impressive, but still in need of proof.
Third, separate finding acceptance from patch acceptance. A report can be valid while the suggested fix is incomplete, too broad, or subtly breaking. Generated patches deserve the same review as human patches, with extra attention to authorization logic, input validation, concurrency, serialization, and compatibility. The goal is not to maximize patch speed at all costs. The goal is to reduce exposure without introducing the next bug.
Fourth, budget triage capacity. If Glasswing-style tools increase valid vulnerability discovery by an order of magnitude, the security team cannot stay staffed and scheduled like last year. Someone has to reproduce, rank, assign, review, disclose, and track. Tooling should log model versions, prompts or harness versions, inputs, outputs, human decisions, and final patch links. When an advisory becomes public months later, provenance will matter.
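The evidence, acceptance, and provenance steps above can be enforced as a small intake gate. This is an added example, not code from Anthropic, Glasswing, or any source the article cites; the field names, state names, and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Evidence the article says every AI-generated report must carry (field names are assumptions).
REQUIRED_EVIDENCE = ("reproduction_steps", "affected_versions", "severity_rationale",
                     "exploitability_assumptions", "code_paths")

@dataclass
class Finding:
    report: dict                           # the generated report as received
    provenance: dict                       # model version, harness version
    finding_state: str = "needs_evidence"  # needs_evidence -> accepted
    patch_state: str = "none"              # none -> proposed -> approved
    audit_log: list = field(default_factory=list)

def missing_evidence(report: dict) -> list:
    """Return the required evidence fields that are absent or empty."""
    return [k for k in REQUIRED_EVIDENCE if not report.get(k)]

def triage(f: Finding, reviewer: str, reproduced: bool) -> list:
    """Accept a finding only with complete evidence and a human reproduction."""
    gaps = missing_evidence(f.report)
    if not gaps and reproduced:
        f.finding_state = "accepted"
    f.audit_log.append({"step": "triage", "reviewer": reviewer,
                        "reproduced": reproduced, "missing": gaps, **f.provenance})
    return gaps

def review_patch(f: Finding, reviewer: str, approved: bool, tests_pass: bool, patch_link: str) -> str:
    """Patch acceptance is a separate decision from finding acceptance."""
    if f.finding_state != "accepted":
        raise ValueError("patch review requires an accepted finding")
    f.patch_state = "approved" if approved and tests_pass else "proposed"
    f.audit_log.append({"step": "patch_review", "reviewer": reviewer,
                        "decision": f.patch_state, "patch_link": patch_link, **f.provenance})
    return f.patch_state

def still_exposed(findings: list) -> int:
    """Count accepted findings whose fix is not approved: valid but unfixed risk."""
    return sum(1 for f in findings if f.finding_state == "accepted" and f.patch_state != "approved")

# Constructed sample data: placeholder values, not real findings.
PROV = {"model": "example-model-v1", "harness": "example-harness-0.1"}
complete = Finding({"reproduction_steps": "build 1.2.3, feed sample input, observe crash",
                    "affected_versions": ["1.2.0", "1.2.3"],
                    "severity_rationale": "unauthenticated memory corruption",
                    "exploitability_assumptions": "default config, network reachable",
                    "code_paths": ["src/parser.c:parse_header"]}, dict(PROV))
bare_claim = Finding({"severity_rationale": "the model says this is critical"}, dict(PROV))
```

A finding that passes `triage` keeps counting toward `still_exposed` until a reviewed patch with passing regression tests is approved, which is the backlog the article is describing.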
There is also an uncomfortable equity problem in the rollout. Anthropic says Mythos-class models may diffuse across the industry within 6 to 12 months, possibly without equivalent safeguards. Restricting the strongest models to trusted defenders may be wise, but attackers do not wait for product-market governance. The best answer is not simply “release everything” or “lock everything down.” It is to raise defensive throughput quickly: give ordinary teams useful scanners, shared harnesses, disclosure support, and patch workflows before the offensive capability becomes mundane.
The editorial trap is to celebrate the bug-finding machine and ignore the humans downstream. Glasswing’s expansion is important because it shows Anthropic understands the stakes: critical infrastructure, validated findings, restricted capability, and a path toward broader defensive tooling. But the durable advantage will not belong to the organization with the scariest scanner. It will belong to the organization that can turn credible findings into shipped fixes faster than attackers can turn similar findings into exploits.
Sources: Anthropic: Expanding Project Glasswing, TechCrunch coverage, Anthropic initial Project Glasswing update, Cloudflare on Project Glasswing, Mozilla on AI security and zero-days