앤스로픽: AI 취약점 발견 속도가 패치 속도 앞질렀다

Anthropic warns Claude Mythos Preview finds bugs faster than developers can patch them Matthias Bastian View the LinkedIn Profile of Matthias Bastian May 23, 2026 Anthropic Key Points Anthropic and around 50 partners used the Claude Mythos Preview AI model to identify more than 10,000 critical security vulnerabilities in system-relevant software within just one month. The rate of discovery already outpaces the capacity to verify and fix the identified flaws, according to the company. Anthropic warns of a dangerous transition period, as AI models like Claude Mythos can detect vulnerabilities far faster than organizations can patch them, creating a growing security gap. Ask about this article… Search A month after launching Project Glasswing, Anthropic is sharing its first results. The company says its Claude Mythos Preview AI model, working with about 50 partners, has found more than 10,000 high- or critical-severity vulnerabilities in system-critical software. The model now spots security flaws faster than teams can verify, disclose, and patch them, Anthropic writes in a blog post. The company is holding back specific technical details, since the standard industry deadline for disclosing new vulnerabilities is 90 days and most findings can't be described yet without putting end users at risk. Partners report a tenfold jump in bug discovery Anthropic says the Glasswing partners run and build software that's core to the internet and other critical infrastructure. Each has found hundreds of critical vulnerabilities. Several also say their bug-finding rate jumped more than tenfold. Ad Cloudflare says it flagged 2,000 bugs, 400 of them high or critical severity. Its false positive rate beat human testers. Mozilla found and fixed 271 vulnerabilities in Firefox 150 , more than ten times what its predecessor, Claude Opus 4.6, caught in Firefox 148. Ad DEC_D_Incontent-1 Outside reviews back up these numbers. The UK's AI Security Institute says the latest Mythos Preview checkpoint is the first model to fully solve both of its in-house cyber ranges —simulated multi-stage cyberattacks. Independent security platform XBOW calls the model a major step beyond all prior models, citing "unprecedented precision." Anthropic says Mythos Preview also tops the academic benchmarks ExploitBench and ExploitGym , with GPT-5.5 being close in most of these benchmarks and already openly available. The impact is also showing up in patch volumes, according to Anthropic: Palo Alto Networks shipped five times as many patches as usual in its latest release. Microsoft said the number of new patches will "continue trending larger for some time." Oracle claims it's finding and fixing flaws several times faster than before. Ad Mythos Preview has also proven useful beyond just hunting bugs. At one partner bank, the model helped catch and block a fraudulent wire transfer worth over $1.5 million, Anthropic says. Over 6,000 potential flaws in open-source projects Alongside partner work, Anthropic says it scanned more than 1,000 open-source projects with Mythos Preview. The model estimates it found 6,202 high- or critical-severity vulnerabilities, with 23,019 total findings across all severity levels. Ad DEC_D_Incontent-2 Independent security firms—and partly Anthropic itself—have reviewed 1,752 of the high- or critical-severity findings so far. 90.6 percent turned out to be true positives. 62.4 percent were confirmed as genuinely high or critical. Based on those triage rates, Anthropic estimates Mythos Preview has uncovered close to 3,900 confirmed high- or critical-severity vulnerabilities in open-source code. The company plans to keep scanning. Ad Several open-source maintainers have asked Anthropic to slow down disclosures because "they need more time to design patches," the blog post says. On average, fixing a high- or critical-severity bug takes two weeks. So far, 530 such bugs have been reported to maintainers. Of those, 75 have been patched and 65 got public advisories. Another 827 confirmed vulnerabilities are still waiting to be disclosed. Making things worse, maintainers are already drowning in low-quality, AI-generated bug reports. Anthropic warns of a high-risk transition period Anthropic says models with similar cybersecurity skills will soon be widely available. Some likely already are. OpenAI's GPT-5.5 fits the profile, and there's also a more specialized variant called GPT-5.5 Cyber , though it's unclear what exactly sets the two apart. Either way, these new capabilities create a transition period where vulnerabilities get found fast but patched slowly. That gap brings new risks, Anthropic says. Mythos-class models slash the time and cost of finding and exploiting flaws. No company, Anthropic included, has built safeguards strong enough to stop misuse of these models and prevent serious damage. Over time, these models should help developers build far more secure software by catching bugs before code ships. Currently, Anthropic says software teams should shorten their patch cycles and make updates as easy as possible for users. Network defenders should stick to the basics: multi-factor authentication, hardened configs, and thorough logging. AI News Without the Hype – Curated by Humans Subscribe to THE DECODER for ad-free reading, a weekly AI newsletter, our exclusive "AI Radar" frontier report six times a year, full archive access, and access to our comment section. Subscribe now Source: Anthropic