
Project Glasswing: How Anthropic's AI Uncovered Decade-Old Vulnerabilities Across Every Major Platform
Anthropic's Project Glasswing used Claude AI to discover thousands of critical vulnerabilities, including a 27-year-old OpenBSD flaw and a 16-year-old FFmpeg bug, across major OS and browser codebases.
The Security Audit That Survived 27 Years of Human Review
Consider this number: 27 years. That is how long a critical vulnerability in OpenBSD survived every human code review, automated static analysis tool, and fuzzing campaign that passed over it — until Anthropic's Claude Mythos Preview identified it as part of Project Glasswing. A 16-year-old bug in FFmpeg met the same fate in the same initiative.
Project Glasswing is Anthropic's AI-powered proactive security initiative, and the depth of what it found is prompting a genuine reevaluation of systematic vulnerability discovery across the security community.
What Project Glasswing Did
The core methodology: deploy Claude Mythos Preview to systematically analyze codebases across every major operating system and web browser in scope. The model was not performing narrow pattern-matching against known vulnerability signatures. It was doing what a skilled security researcher does — reasoning about code semantics, tracing data flows across function boundaries, and identifying conditions under which software behavior deviates from its intended design.
The results: thousands of high-severity vulnerabilities identified across the scope of the initiative, with the headline findings being decades-old flaws that survived in production code without detection. Amazon, Apple, Microsoft, Google, and Cisco are collaborating on coordinated disclosure and patch development.
Why Long-Lived Vulnerabilities Survive
The persistence of decade-old security flaws is not a mystery to practitioners. Several compounding factors explain it:
- **Cognitive anchoring:** Human reviewers naturally focus scrutiny on recently changed code. Stable legacy code receives progressively less attention over time, as reviewers' familiarity with it turns into assumption rather than verification
- **Context loss:** Original authorship knowledge dissipates over years. Subtle behavioral assumptions embedded in legacy code become invisible without the original design rationale
- **Cross-boundary blindness:** Traditional static analysis tools struggle significantly with vulnerability patterns that span multiple function calls, modules, or translation units
- **Combinatorial complexity:** Modern codebases involve millions of lines with interdependencies that exceed what any human can hold simultaneously in working memory
AI-driven analysis sidesteps cognitive anchoring entirely and scales to cover a complete codebase at once. Claude Mythos analyzes a 27-year-old codebase with the same systematic attention it brings to code written last week.
What This Means for Defensive Security
Project Glasswing points toward a practical new model for enterprise security: AI-assisted continuous code review running against production codebases as an ongoing process, not a periodic audit. It serves not as a replacement for human security expertise but as a force multiplier that consistently catches vulnerability classes that escape traditional review at any reasonable scale.
The coordinated multi-vendor response — five major technology companies participating simultaneously — also demonstrates a mature model for how AI-assisted vulnerability discovery can scale to an industry level when structured around responsible coordinated disclosure.
The security community has been watching offensive AI applications develop for years. Project Glasswing is a meaningful demonstration that the defensive applications are arriving with comparable capability — and that deploying them systematically is the right response.
Sources: Anthropic Project Glasswing announcement (April 8, 2026), TechPlanet (April 8, 2026), coordinated CVE disclosures (April 2026)
