Discovery Got 100x Faster. Patching Didn't. Here's What That Actually Means.

I wrote a post a while back warning that AI was going to break the equilibrium between vulnerability discovery and patching, that time-to-exploit would compress in ways the industry was not ready for, and that exploitation methods themselves would mutate into things like npm and open-source supply chain poisoning that the CVE-and-patch model was never designed to address.

That post landed on the doomsday side, just like everyone else who posted about Mythos when it dropped. I'll own that.

On the substance though, Anthropic's first Project Glasswing update on Friday, May 22 confirmed the core thesis. The numbers tell a more nuanced story than the headlines, and the nuance is worth getting right.

What the primary source actually says

Project Glasswing is Anthropic's defensive cybersecurity initiative built on Claude Mythos Preview, a frontier model with vulnerability discovery and exploit development capabilities beyond most human researchers. The initiative has roughly 50 partners now, including Cloudflare, Mozilla, Cisco, AWS, Apple, Google, Microsoft, NVIDIA, JPMorganChase, the Linux Foundation, and Palo Alto Networks.

Across that partner group and Anthropic's own open-source scanning effort, Mythos Preview has surfaced more than 10,000 high or critical severity vulnerabilities in roughly a month.

On the open-source side specifically, the numbers from Anthropic's update are worth quoting from the primary source rather than the headlines:

• 23,019 total vulnerability candidates discovered across more than 1,000 open-source projects.
• 6,202 of those estimated by Mythos as high or critical severity.
• 1,752 carefully reassessed by six independent security firms or by Anthropic.
• 1,587 of those (90.6%) confirmed as valid true positives.
• 1,094 confirmed as high or critical severity.
• 530 high or critical severity bugs disclosed to maintainers so far, with another 827 confirmed and awaiting disclosure.
• 1,129 additional unvetted bugs disclosed directly at maintainer request.
• 75 patches landed upstream so far. 65 public advisories.

The average time from disclosure to patch for a Mythos-found high or critical bug is two weeks. We are still inside the 90-day Coordinated Vulnerability Disclosure window for almost everything, so more patches are coming.

The discovery side is solved (or will be by end of year)

For 22 years in cybersecurity, the constraint on vulnerability research was talent. Finding novel flaws in production code at scale required senior researchers who could read complex systems, think adversarially, and chain primitives together to prove real-world impact. That talent has always been scarce and expensive.

Mythos Preview removes that constraint. The evidence is no longer anecdotal.

Cloudflare found 2,000 bugs across their critical-path systems, 400 of them high or critical, with a false positive rate Cloudflare's team rates as better than human testers. Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos Preview, over ten times more than they found in Firefox 148 using Claude Opus 4.6. The UK AI Security Institute reports Mythos Preview is the first model to solve both of their cyber ranges end to end. The latest Palo Alto Networks release shipped over five times the usual patch count.

Anthropic specifically highlighted a critical flaw Mythos found in wolfSSL, an open-source cryptography library used by billions of devices worldwide, that allows an attacker to forge certificates and stand up convincingly fake banking or email sites. Mythos did not just find the bug. It constructed the working exploit. The CVE is 2026-5194. The full technical analysis is coming in the next few weeks.

This is senior offensive research operating at machine speed. And that will translate to actual exploitation in the wild, if it hasn't already. The bottleneck has moved. Our earlier coverage in Claude Mythos and Project Glasswing and the machine-speed threats governance layer walked through the early signals. This update confirms them.

The patching side is overloaded, not broken

Here is where I want to be more precise than the headline coverage has been.

75 patches against 530 disclosed high or critical bugs is roughly 14%. Most of the early reporting framed this as a structural patch failure. The primary source is more careful. Three reasons explain the number.

First, the 90-day disclosure window is still open on almost every bug. The two-week average patch time means a large wave of patches is queued behind the disclosure clock.

Second, some patches ship without public advisories. Anthropic is scanning for those silent patches itself using Claude, but the count is undercounted by definition.

Third, the security ecosystem genuinely is overloaded. This is the part that matters. Several open-source maintainers told Anthropic that they are severely capacity constrained right now. Some asked Anthropic to slow down the rate of disclosures because they need more time to design patches.

That last detail is the single most important data point in the entire update. Maintainers asking the discovery engine to slow down is what a structural capacity problem looks like in the wild. The patch pipeline is not broken. It is sized for a different era, and the era just ended.

The exploitation side has already mutated

This is the part of the earlier post worth coming back to.

The shift is not just that bugs get found faster. The methods of exploitation are changing, and they often do not look like CVEs. The npm ecosystem has been hit repeatedly with maintainer account takeovers, malicious dependency injections, and typosquatted packages designed to harvest credentials and secrets at build time. PyPI has seen the same pattern. Open-source poisoning, where the attacker contributes a bug instead of exploiting one, sidesteps the entire CVE-and-patch model. Recent incidents like the TanStack-to-GitHub supply chain cascade, the WordPress plugin backdoor campaign, and the Axios npm supply chain compromise are evidence that this category is now industrial, not artisanal.

Mythos-class models accelerate both sides of that fight. A defender reading a maintainer's pull request history for behavioral anomalies is real defensive capability. An attacker writing a backdoor subtle enough to pass code review is real offensive capability. The same model class sits on both sides of the table.

Software supply chain controls built on the assumption that vulnerability management equals CVE patching are controls built for the wrong threat model.

The window problem

Mythos Preview is currently restricted. Anthropic has not released it publicly because they acknowledge there are no adequate safeguards yet to prevent misuse. Their explicit bet with Glasswing is that defenders get a head start, harden critical infrastructure, and reduce systemic risk before equivalent capabilities show up unrestricted.

That bet has a clock on it. Anthropic says as much in the update itself: models with similar cybersecurity capabilities will soon be developed by many AI companies. When one of them ships without restrictions, the math flips. The same discovery engine becomes an attacker's tool. Adversaries do not need a 90.6% true positive rate. They need one working exploit per target.

Glasswing is buying time. The defenders who use the window get the benefit. The ones who do not will be running 30-day patch SLAs into a discovery rate that has fundamentally changed.

For CISOs: stop sizing your program for the old discovery rate

Three concrete moves matter most this quarter.

Re-baseline patch SLAs against AI-driven discovery rates. The 30-day critical patch SLA was sized for a world where critical CVEs arrived at human research speed. The Palo Alto release containing five times the usual patch count is the leading edge of what monthly volumes are going to look like across major vendors. If patch capacity is not part of the FY26 budget conversation, it should be.

Invest in compensating controls that do not depend on patching. Segmentation, runtime application self-protection, behavioral detection, MFA, hardened default configurations, comprehensive logging. NIST and the UK NCSC both publish the baseline. These matter more when patch lag is structural. When the bug cannot be fixed fast enough, blast radius is the only remaining lever. Our NIST CSF 2.0 compliance checklist walks through the relevant subcategories under PROTECT and DETECT.

Treat the software supply chain as an attack surface, not a procurement function. SBOM as a live operational asset, not a compliance artifact. Dependency pinning. Build provenance through SLSA. Signed releases. Behavioral monitoring on package installs. The npm threat model is not the CVE threat model, and most VM programs are still only built for the latter. See AI supply chain risk and third party model governance for the framing.

For CROs: this is a risk appetite question, not a technical one

The velocity gap is the kind of risk that shows up in enterprise risk registers a quarter late. By the time it surfaces through normal cyber-to-ERM reporting channels, the board is asking why nobody saw it coming. Three things worth getting in front of.

Reframe AI-era cyber risk in terms the business understands. Patch velocity gaps, supply chain exposure, and AI-enabled fraud are not IT issues. They are operational resilience issues with direct revenue, regulatory, and reputational consequences. Translate them that way before someone else does it for you.

Ask the question your auditors will ask in six months. Does the organization have a documented risk appetite for AI-era cyber threats? Does the risk register reflect velocity-gap exposure and supply chain attack vectors that fall outside traditional CVE management? If the answer is no, that gap is going to show up in the next regulatory exam, the next M&A diligence, and the next cyber insurance renewal.

Demand integrated reporting across cyber, AI governance, and operational risk. Three siloed views of the same problem are how organizations miss the structural shifts. The CISO sees patch metrics. The AI governance lead sees model risk. The operational risk team sees the enterprise picture. None of them sees all three. That is the gap.

For Boards: three questions worth asking this quarter

Boards do not need to understand the technical mechanics of Project Glasswing. They do need answers to three questions, and the answers should not require a deep technical translation.

First, what is the organization's exposure to AI-accelerated vulnerability discovery and the patch velocity gap it creates? A defensible answer names the risk in plain language and points to the metrics tracking it.

Second, how is the organization governing AI risk as a business risk, not just a technology risk? A defensible answer points to a documented framework, an accountable executive, and reporting that reaches the board on a regular cadence.

Third, who is the executive advisor with both cyber and AI fluency helping the organization navigate this shift? A defensible answer names a person and a body of work, not a vendor and a dashboard. Our note on what a vCISO actually does goes deeper on this role.

If the answer to any of those is unclear, the gap is governance, not technology. And governance gaps in a velocity-driven threat environment compound fast.

Where Glance fits

This is the world Glance was built for.

Most GRC and cyber platforms tell you your compliance posture. That was useful in the era when compliance frameworks tracked the threat landscape. They do not anymore. The Glasswing update is the clearest evidence yet that compliance-only posture leaves boards and executive teams flying blind on the risks that actually matter now.

Glance positions a strategic Executive Security Advisor inside the platform itself, with native fluency across cybersecurity, AI governance, and risk-informed decision making for the AI era. Not a chatbot. Not a dashboard. An advisor that translates AI-era cyber risk into the language your CRO, your audit committee, and your board can act on, grounded in your actual program, your actual risk register, and your actual regulatory exposure.

If the velocity gap is a problem you need to solve in the next two quarters, this is the conversation worth having now.

The bank story matters too

One detail from the update that did not get enough attention. A Glasswing partner bank used Mythos Preview to flag and block a fraudulent $1.5 million wire transfer where an attacker had compromised a customer's email and made spoof calls to authorize the wire. The model caught it as anomalous behavior.

That is a different application than code analysis. It is behavioral fraud detection. The same model class that finds zero-days can reason about transaction patterns, social engineering signals, and account takeover indicators in real time. Defensive AI is not one capability. It is a category.

Treating Mythos-class models only as vulnerability scanners misses most of the picture.

Where this leaves us

Project Glasswing is real progress. Software that millions of organizations depend on every day just got materially more secure because of work that would have taken senior researchers years to do manually. Cloudflare hardened. Firefox 150 hardened. wolfSSL hardened. Oracle, Microsoft, and Palo Alto pushing larger patch volumes than they ever have. That is the win.

But the update also confirms the velocity gap, the time-to-exploit compression, and the supply chain mutation that the earlier post pointed at. Not a forecast anymore. The thing.

Maintainers are asking the discovery engine to slow down. That sentence is the entire story of where defensive AI is taking us. The defenders who recognize what that sentence means and rebuild their programs around it have a window. The ones who treat AI-driven discovery as someone else's problem are going to learn the math the hard way.

I wish I had been wrong. I wasn't.

The patching problem just became the problem.

Source: anthropic.com/research/glasswing-initial-update

Related Resources

• Claude Mythos and Project Glasswing: What Defenders Should Do Now
• Project Glasswing and the Machine-Speed Threats Governance Layer
• TanStack-to-GitHub: The May 2026 Supply Chain Cascade
• AI Supply Chain Risk and Third Party Model Governance
• NIST CSF 2.0 Compliance Checklist
• What Does a vCISO Actually Do? A Complete Guide
• Executive Risk Advisory Services
• Virtual CISO (vCISO) Services