The bottleneck has moved from finding flaws to fixing them
In the spring of 2026, an unreleased artificial intelligence built by Anthropic quietly mapped the hidden fractures running through the digital infrastructure that modern civilization depends upon — finding more than ten thousand critical vulnerabilities across the systems of some of the world's most powerful technology organizations. The discovery marks a threshold moment: humanity has built a machine that can see danger faster than it can respond to it. The bottleneck in cybersecurity has migrated from perception to action, from finding wounds to healing them, and the implications of that shift are only beginning to be understood.
- An AI called Claude Mythos Preview has located over 10,000 critical flaws in the software backbone of the internet — including systems at AWS, Apple, Google, Microsoft, and the Linux kernel — at a speed no human team can match.
- The danger is not only what was found, but what it reveals: security teams are now drowning in vulnerability reports they cannot process, with some researchers being asked to slow down their submissions simply to prevent paralysis.
- With a 90.6% accuracy rate and the ability to map full chains of exploitation, the system has moved beyond bug detection into something closer to adversarial reasoning — understanding not just where a crack exists, but how an attacker would widen it.
- Anthropic is deliberately withholding public release, warning that the same capability that defends infrastructure could just as easily be turned against financial systems, power grids, and communications networks by those with harmful intent.
- The world now faces a new kind of security crisis — not a shortage of detection, but a shortage of human bandwidth to act on what the machines already know.
In April 2026, Anthropic launched Project Glasswing — a collaboration with fifty major technology organizations including AWS, Apple, Google, Microsoft, Cisco, and the Linux Foundation — deploying an unreleased AI system called Claude Mythos Preview against the software infrastructure that underpins much of modern digital life. What the system found was staggering: more than 10,000 critical vulnerabilities, hidden inside codebases that millions of people and institutions depend on every day.
The significance of this moment lies not only in the scale of the findings, but in what they expose about the nature of the problem. Claude Mythos Preview does not simply scan for known patterns of error. It reasons through source code deeply enough to trace chains of exploitation — the sequences by which a single flaw might be leveraged into a cascading failure. Among the systems where vulnerabilities were found and corrected are OpenBSD, FFmpeg, and the Linux kernel. Mozilla reported that the AI helped identify and fix 271 vulnerabilities in Firefox alone, with an error rate approaching zero.
Cloudflare, whose infrastructure carries traffic for roughly eighty percent of the world's websites, tested the system across more than fifty of its own code repositories and confirmed it outperforms previous tools — not only in finding bugs, but in generating proof-of-concept exploits and suppressing false positives. Across more than a thousand open-source projects, the AI flagged over 23,000 total findings, with 6,202 classified as grave or critical. External reviewers confirmed 90.6% of sampled results as genuine vulnerabilities.
But the achievement has produced an unexpected crisis. Human engineering teams are overwhelmed. Some have begun asking researchers to reduce the volume of reports simply to avoid being buried in notifications they cannot act upon in time. The constraint is no longer detection — it is remediation. Engineers cannot patch problems as fast as the system can find them.
Anthropichas chosen to keep Claude Mythos Preview locked away from public access. The reasoning is direct: a tool this powerful in defensive hands is equally powerful in the hands of those who would use it to attack. The effort required to probe financial systems, power grids, and communications networks for exploitable weaknesses would fall dramatically if such a system were freely available. Until the world has built adequate defenses, Anthropic is holding the door closed — aware that what protects can also destroy, depending entirely on who is holding it.
An artificial intelligence system called Claude Mythos Preview, built by Anthropic and not yet released to the public, has identified more than 10,000 critical vulnerabilities in software that runs the internet and powers major corporations. The discovery came through a collaboration with fifty organizations—among them AWS, Apple, Google, Microsoft, Cisco, and the Linux Foundation—in an initiative called Project Glasswing that launched in April 2026.
What makes this moment significant is not just the sheer number of flaws found, but what it reveals about the future of cybersecurity work. The speed at which Claude Mythos Preview locates vulnerabilities now exceeds the speed at which human teams can verify, communicate, and repair them. The bottleneck in security has shifted. It is no longer about finding the problems. It is about fixing them fast enough.
The AI's capability goes beyond surface-level bug hunting. It analyzes source code with enough depth to reason through chains of exploitation—the sequences of moves an attacker might make to turn one flaw into a cascade of failures. Among the systems where vulnerabilities were discovered and patched are OpenBSD, FFmpeg, and the Linux kernel itself. In April, Mozilla reported that Claude Mythos Preview helped identify and correct 271 vulnerabilities in Firefox, the browser used by millions worldwide. The error rate in those identifications was nearly zero.
Cloudflare, which manages traffic for roughly eighty percent of the world's websites, tested Claude Mythos Preview against more than fifty of its own code repositories. The company's engineers confirmed that the system outperforms earlier solutions not only in detecting bugs but in generating proof-of-concept exploits and filtering out false alarms. Yet Cloudflare's technical teams emphasize that deploying such an AI effectively requires precision orchestration—clearly defined tasks, independent validation systems, and duplicate testing to confirm findings. The methodology matters. Without it, errors propagate.
Across more than one thousand open-source projects, Claude Mythos Preview identified 6,202 vulnerabilities classified as grave or critical out of 23,019 total findings. When external security firms reviewed a sample of these results, 90.6 percent proved to be genuine vulnerabilities, and 62.4 percent fell into the high or critical severity categories. The accuracy is striking. But it has created an unexpected problem.
Software maintenance teams are now overwhelmed. Some have begun asking researchers to reduce the frequency of vulnerability reports simply to avoid drowning in notifications they cannot process. The human capacity to understand, reproduce, and patch problems before releasing fixes has become the constraint. Engineers cannot move faster than the system can find flaws. This is a new kind of crisis in cybersecurity—not a shortage of detection, but a shortage of remediation bandwidth.
Anthropic has chosen not to release Claude Mythos Preview to the general public. The company argues that adequate safeguards do not yet exist to prevent malicious actors from using such a system to hunt for exploitable weaknesses in critical infrastructure. The concern is concrete: while the AI offers a significant defensive advantage to those who control it, it could equally accelerate the work of attackers. The effort required to find vulnerabilities in financial systems, power grids, and communications networks would drop dramatically. Until the world has better defenses in place, Anthropic is keeping the tool locked away.
Citações Notáveis
The speed at which the AI locates vulnerabilities now exceeds the speed at which human teams can verify, communicate, and repair them— Anthropic's findings from Project Glasswing
Some software maintenance teams have begun requesting fewer vulnerability reports to avoid being overwhelmed by notifications they cannot process— Industry teams collaborating with Anthropic
A Conversa do Hearth Outra perspectiva sobre a história
Why does Anthropic refuse to release this model publicly if it's so effective at finding vulnerabilities?
Because the same capability that lets defenders find flaws also lets attackers find them. Right now, only trusted organizations have access. If it were public, bad actors would have the same tool.
But doesn't keeping it secret just delay the inevitable? Eventually someone will build something similar.
Probably. But there's a difference between delaying and preventing. Anthropic is buying time for the world to build better defenses—patches, monitoring systems, incident response plans. The goal is to stay ahead of the threat.
The article mentions that human teams are now asking for fewer vulnerability reports. That's strange—why would they want to know about fewer problems?
Because they're drowning. Imagine a fire department that gets ten thousand alarms a day but can only respond to fifty. At some point, the volume becomes paralyzing. Teams need time to absorb, verify, and fix. The AI finds faster than humans can act.
So the real problem isn't finding vulnerabilities anymore. It's patching them.
Exactly. For decades, the bottleneck was detection—we didn't have good tools to find flaws. Now we do. The bottleneck has moved downstream, to the human work of understanding and fixing what's been found.
What happens if this technology spreads to countries or groups with fewer resources to patch quickly?
That's the nightmare scenario. A well-resourced attacker with this tool could find vulnerabilities faster than a smaller organization could patch them. The gap between offense and defense widens. That's why Anthropic is being cautious about release.