
Project Glasswing: How Anthropic's AI Uncovered Decade-Old Vulnerabilities Across Every Major Platform
Anthropic's Project Glasswing used Claude AI to discover thousands of critical vulnerabilities — including a 27-year-old OpenBSD flaw and 16-year-old FFmpeg bug — across major OS and browser codebases.
The Security Audit That Survived 27 Years of Human Review
Consider this number: 27 years. That is how long a critical vulnerability in OpenBSD survived every human code review, automated static analysis tool, and fuzzing campaign that passed over it — until Anthropic's Claude Mythos Preview identified it as part of Project Glasswing. A 16-year-old bug in FFmpeg met the same fate in the same initiative.
Project Glasswing is Anthropic's AI-powered proactive security initiative, and the depth of what it found is prompting a genuine reevaluation of systematic vulnerability discovery across the security community.
What Project Glasswing Did
The core methodology: deploy Claude Mythos Preview to systematically analyze codebases across every major operating system and web browser in scope. The model was not performing narrow pattern-matching against known vulnerability signatures. It was doing what a skilled security researcher does — reasoning about code semantics, tracing data flows across function boundaries, and identifying conditions under which software behavior deviates from its intended design.
The results: thousands of high-severity vulnerabilities identified across the scope of the initiative, with the headline findings being decades-old flaws that survived in production code without detection. Amazon, Apple, Microsoft, Google, and Cisco are collaborating on coordinated disclosure and patch development.
Why Long-Lived Vulnerabilities Survive
The persistence of decade-old security flaws is not a mystery to practitioners. Several compounding factors explain it:
- Cognitive anchoring: Human reviewers naturally focus scrutiny on recently changed code. Stable legacy code receives progressively less attention over time as reviewer familiarity becomes an assumption rather than a verification
- Context loss: Original authorship knowledge dissipates over years. Subtle behavioral assumptions embedded in legacy code become invisible without the original design rationale
- Cross-boundary blindness: Traditional static analysis tools struggle significantly with vulnerability patterns that span multiple function calls, modules, or translation units
- Combinatorial complexity: Modern codebases involve millions of lines with interdependencies that exceed what any human can hold simultaneously in working memory
AI-driven analysis sidesteps cognitive anchoring entirely and scales to complete codebase coverage simultaneously. Claude Mythos analyzes a 27-year-old codebase with the same systematic attention it brings to code written last week.
What This Means for Defensive Security
Project Glasswing points toward a practical new model for enterprise security: AI-assisted continuous code review running against production codebases as an ongoing process, not a periodic audit. Not as a replacement for human security expertise, but as a force multiplier that consistently catches vulnerability classes that escape traditional review at any reasonable scale.
The coordinated multi-vendor response — five major technology companies participating simultaneously — also demonstrates a mature model for how AI-assisted vulnerability discovery can scale to an industry level when structured around responsible coordinated disclosure.
The security community has been watching offensive AI applications develop for years. Project Glasswing is a meaningful demonstration that the defensive applications are arriving with comparable capability — and that deploying them systematically is the right response.
Sources: Anthropic Project Glasswing announcement (April 8, 2026), TechPlanet (April 8, 2026), coordinated CVE disclosures (April 2026)
More Ai Security Stories
Rustinel Is a Fast Open-Source EDR Built in Rust
Rustinel, launched July 8, is an open-source endpoint detection tool in Rust that unifies Windows and Linux monitoring into one clean codebase.
CVE Lite CLI Scans npm Projects Right in Your Terminal
CVE Lite CLI, now an OWASP Incubator project, checks JavaScript lockfiles against the OSV database and suggests one-line fixes for npm, pnpm, Yarn, and Bun.
Cloudflare Adds IPsec Downgrade Protection for Post-Quantum Tunnels
Cloudflare shipped beta IPsec downgrade protection that makes both VPN peers sign the full handshake, blocking attackers from quietly weakening a tunnel's encryption.



