As hype builds around Anthropic’s offensive AI model, VulnCheck’s analysis finds just one confirmed CVE tied directly to Project Glasswing, raising questions about how Mythos’ real-world impact should be measured.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

VulnCheck researcher Patrick Garrity analyzed Anthropic's Project Glasswing — the controlled access program for its offensive AI model Mythos — and found that only one CVE (CVE-2026-4747, a FreeBSD NFS RCE flaw) is directly attributable to Glasswing itself. Of 75 CVE records mentioning Anthropic, only 40 credit Anthropic researchers, and just one explicitly names Glasswing. Despite the limited public attribution, security experts note Mythos achieved ~72% success on previously unseen exploits, suggesting AI-driven exploit development is no longer a high-skill bottleneck. Concerns are raised about whether organizations can patch vulnerabilities before such capabilities spread to less-regulated models. A full public accounting from Anthropic is expected by July 2026.

Behind the Mythos hype, Glasswing has just one confirmed CVE