An AI model that has never seen the light of day publicly has already conducted one of the most comprehensive security reviews in internet history. This is Anthropic's Claude Mythos Preview — and the company's decision on what to do with the findings differs significantly from industry norms.

Secret Model, Massive Findings

According to AI News, Claude Mythos Preview has identified thousands of high-risk vulnerabilities in all major operating systems and browsers. Particularly striking is that several of the flaws had gone undetected for years — one of them for 27 years in OpenBSD, another for 16 years in the multimedia platform FFmpeg — despite frequent security reviews and millions of automated tests.

Anthropic itself describes the situation directly: «AI models have now reached a level of coding capability where they can outperform all but the most experienced humans in finding and exploiting software vulnerabilities.»

«We have a new model that we are explicitly not releasing to the public.» — Mike Krieger, Anthropic Labs

Project Glasswing: Industry Unites

Instead of a typical product launch, Anthropic has created the Project Glasswing initiative, making Mythos Preview available to a wide range of technology players and open-source communities. Partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

The goal is to use the model's capabilities to proactively find and patch security flaws in critical software — before they can be exploited by malicious actors.

A Shift in the Threat Landscape

Anthropic's findings do not arise in a vacuum. Research from Veracode shows that a full 45 percent of AI-generated code across more than 100 large language models contains security flaws; in Java applications, the error rate is over 70 percent, according to the same report. Checkmarx, for its part, has documented that up to 70 percent of AI-generated code can be considered insecure.

At the same time, data shows that AI-driven security tools can improve the detection of so-called zero-day vulnerabilities by 70 percent and reduce false positives in threat intelligence by up to 90 percent. This means security analysts can spend more time on real threats.

45%: AI-generated code with security flaws (Veracode 2025)
70%: Improved zero-day vulnerability detection with AI

Not the Only Project of Its Kind

Anthropic is not alone in working in this field. According to research material, Google DeepMind has developed CodeMender, an AI-powered agent based on Gemini Deep Think models, which has already contributed 72 security fixes to open-source projects. Companies like Snyk and DeepKeep are also working on hybrid approaches that combine machine learning with human expertise.

Experts believe AI capabilities have now crossed a threshold that fundamentally changes the urgency of protecting critical infrastructure.

Responsible Withholding — or Dangerous Precedent?

Anthropic's decision to keep Mythos Preview from the public raises fundamental questions. On the one hand, it is a clear signal that the company takes «responsible disclosure» seriously: it gives affected parties time to patch the flaws before they are widely known. On the other hand, it means that a very powerful security model is now operating within a closed industry consortium without public oversight.

It is worth noting that the details surrounding Project Glasswing are currently only known through Anthropic's own statements and AI News' coverage. Independent verification of the scope and composition of the vulnerabilities found is not yet available.

The fact that half of cybersecurity experts were already using AI to spot code vulnerabilities in 2025, according to industry data, suggests that this is no longer a niche activity but a new standard for how digital infrastructure is protected.