How Anthropic's AI Red Team Finds Zero-Days: The Glasswing Methodology
A practitioner-grade breakdown of how Claude Mythos autonomously discovers and chains zero-day exploits across thousands of targets

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Most red team engagements produce a PDF report with a handful of findings, a CVSS score table, and a remediation checklist that gets filed and forgotten. Project Glasswing is not that. Anthropic's AI-powered vulnerability discovery operation, driven by Claude Mythos, has surfaced more than 10,000 high- and critical-severity findings across 200+ partner organizations in roughly 90 days of operation. Nine of those findings are now public CVEs. Another 1,596 are moving through coordinated disclosure pipelines. For security engineers trying to understand what this methodology actually is and what it means for their own programs, the answer requires unpacking how Mythos differs from every prior approach to automated vulnerability discovery.
Traditional Red Team Methodology: What AI Is Replacing
A traditional red team engagement follows a predictable arc. A scoped team of three to eight researchers spends two to four weeks against a defined target set. They run automated scanners, manually review high-value code paths, chain together known CVEs in the environment, and attempt to simulate attacker behavior. The output is constrained by human working hours, individual expertise, and the economics of consulting engagements that charge by the day.
The fundamental limitation is not skill but throughput. Even the best red teams can hold maybe a dozen active exploit hypotheses in working memory at once. Attack surface coverage is necessarily shallow across any large organization, and zero-day discovery on a consulting timeline is rare enough that most engagements never produce one. Human researchers also self-select for attack paths that look promising early, abandoning lower-probability chains that might eventually yield high-severity findings.
What AI Changes: Scale, Simultaneity, and Persistence
Claude Mythos operates without the constraints that bound human red teams. It runs 24 hours a day, seven days a week, against the full attack surface of every Glasswing partner organization simultaneously. It does not get tired, does not switch context between client engagements, and does not abandon exploit chains because the payoff is uncertain. It can hold thousands of parallel vulnerability hypotheses in active development at once.
More importantly, Mythos was purpose-built for offensive security research. It is not a general-purpose language model prompted to find bugs. Anthropic built Mythos on the Claude 4 architecture and specifically trained it for end-to-end exploit chain development: from initial target reconnaissance through exploit validation. The May 22, 2026 Exploit Evals benchmark report documented the result: Mythos solved 21 of 41 V8 arbitrary code execution challenges on ExploitBench. No other model scored above zero.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Mythos Discovery Pipeline: From Target to PoC
The Glasswing discovery pipeline runs in several distinct phases. In the reconnaissance phase, Mythos catalogs the attack surface of each partner organization, mapping software components, versions, dependency trees, exposed interfaces, and trust boundaries. This is not passive scanning. Mythos analyzes source code, binary artifacts, build configurations, and API surface to build a comprehensive attack surface model.
In the hypothesis generation phase, Mythos proposes vulnerability hypotheses across the cataloged attack surface, prioritizing by estimated severity and exploitability. It draws on a training corpus that includes historical CVE patterns, published exploit techniques, and vulnerability research literature, but it applies this knowledge to generate novel hypotheses rather than pattern-matching against known signatures.
In the exploit development phase, Mythos attempts to develop working exploits for high-priority hypotheses. This is where Mythos most sharply diverges from prior automated tools: it develops full exploit chains, not just proof-of-concept crashes. A 17-year-old FreeBSD NFS remote code execution vulnerability (CVE-2026-4747) represents the kind of finding this pipeline surfaces: deep, complex, not amenable to signature-based detection, and missed by every prior analysis of the codebase.
End-to-End Exploit Chain Development: Beyond PoC Crashes
The distinction between a crash PoC and a full exploit chain matters enormously for prioritization. Many automated fuzzing and static analysis tools produce crash reports that vendors correctly deprioritize because exploitability is unclear. A crash is not a vulnerability until someone demonstrates that an attacker can control execution, escalate privilege, or exfiltrate data through it.
Mythos develops chains. The wolfSSL certificate forgery vulnerability (CVE-2026-5194, CVSS 9.1) is not just a parser edge case. It is a demonstrated path from malformed certificate input to authentication bypass. The Linux local privilege escalation finding comes with a working exploit chain demonstrating root access from an unprivileged process. This distinction is why Glasswing findings carry immediate remediation urgency: Anthropic is not presenting theoretical attack paths. It is presenting demonstrated ones.
The ExploitGym benchmark further quantifies this capability: Mythos generates 10.5 times more working exploits than Claude Opus 4.6, the next most capable model in the suite. The SCONE-Bench result ($35 million in smart contract vulnerability value identified) demonstrates that the exploit chain development capability extends across software domains, not just traditional systems software.
Human-in-the-Loop Safeguards
Anthropic has been explicit that Project Glasswing is not fully autonomous in the sense of Mythos independently deciding which vulnerabilities to disclose or how to handle sensitive findings. Human Anthropic security researchers review findings before disclosure, prioritize CVD notifications, and make judgment calls about extended timelines for particularly sensitive findings in critical infrastructure.
This human oversight layer serves several functions. It provides a quality control check on Mythos outputs, filtering false positives before they consume vendor triage bandwidth. It handles the legal and ethical judgment calls that purely automated systems cannot make: when does a finding warrant emergency notification to CISA before the standard 90-day window? Which findings in a hospital system require coordination with the HHS before disclosure? These are not algorithmic decisions.
The loop also runs in the other direction. Anthropic researchers provide feedback that shapes how Mythos prioritizes future investigation, effectively guiding the autonomous discovery process toward the highest-value attack surfaces.
The Coordinated Disclosure Process: CVD at AI Scale
The traditional coordinated vulnerability disclosure model was designed for a researcher finding one bug and notifying one vendor. Glasswing has issued 1,596 CVD disclosures as of July 5, 2026. Managing this volume required Anthropic to build disclosure infrastructure that scales beyond what any prior CVD operation has attempted.
The process flow: Mythos identifies and validates a finding. Human researchers review and confirm. Anthropic generates a structured disclosure notification that includes the technical finding, a CVSS assessment, and remediation guidance. The notification goes to the affected vendor's security team under a 90-day embargo. Anthropic tracks patch status and follows up at defined intervals. After 90 days (or upon confirmed patch release), the finding moves toward public disclosure, CVE assignment, and Glasswing progress reporting.
The UK AI Security Institute independently validated Glasswing's capability by testing Mythos against two classified cyber ranges used for national security research. Mythos became the first AI system to solve both ranges, providing external confirmation that the findings Glasswing generates are not artifacts of an overfitted internal benchmark.
What the 90-Day Progress Report Reveals
The July 5, 2026 Glasswing progress report represents the first comprehensive accounting of what 90 days of continuous AI-powered vulnerability discovery produces at scale. The headline numbers (10,000+ findings, 9 confirmed CVEs, 1,596 disclosures) are significant, but the distribution matters more than the count.
The 9 confirmed public CVEs span FreeBSD, wolfSSL, FFmpeg, the Linux kernel, a VMM escape chain, a browser JIT vulnerability, V8 arbitrary code execution, an OpenBSD denial of service, and a smart contract class of vulnerabilities. This is not a distribution concentrated in one technology stack or one vulnerability class. It spans memory safety errors in C, logic flaws in cryptographic implementations, escape vulnerabilities in virtualization layers, and economic exploit patterns in smart contract code. The breadth of the finding distribution suggests that Mythos is conducting genuine broad-spectrum analysis rather than applying narrow specialist techniques.
What Defenders Can Learn: Building an AI-Augmented Vulnerability Program
Security engineers looking to apply the Glasswing methodology to their own programs face a practical question: what is actionable without access to Mythos itself? Several elements of the methodology translate to defensive programs today.
First, end-to-end thinking: prioritize vulnerabilities by demonstrated exploitability, not theoretical severity. CVSS scores are a starting point, not a prioritization framework. Treat any finding that comes with a working exploit chain as P0 regardless of the CVSS score.
Second, attack surface depth: most vulnerability management programs optimize for breadth (covering all assets) at the cost of depth (understanding complex multi-step attack chains). The Glasswing CVEs confirm that the highest-severity findings are deep, not shallow. Investing in code review, binary analysis, and dependency chain auditing for your most critical software components is higher-value than running automated scanners across a broad perimeter.
Third, disclosure readiness: Glasswing has demonstrated that the volume of AI-discovered vulnerability notifications will increase. Organizations should have a documented CVD intake process, a designated point of contact, and a patch deployment SLA before they receive a Glasswing or equivalent disclosure, not after.
The Full Methodology Breakdown: Mythos Brief
The defensive implications of the Glasswing methodology run deeper than this overview covers. The Mythos Brief at decryptiondigest.com/mythos-brief provides practitioner-level detail on the following topics.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Project Glasswing is not a preview of where offensive AI security is heading. It is where it already is. Mythos is finding 17-year-old zero-days in core infrastructure software, developing full exploit chains, and issuing coordinated disclosures at a volume the industry has never handled before. Defenders who wait for the threat model to stabilize before adapting are ceding ground that may be difficult to recover. The Mythos Brief at decryptiondigest.com/mythos-brief provides the practitioner-level detail you need to build a defensive program that accounts for AI-powered discovery as the new baseline.
Frequently asked questions
How long does Mythos take to find a zero-day?
Anthropic has not published per-vulnerability discovery timelines, but the scale of findings (10,000+ high/critical severity issues across 200+ partner organizations) suggests Mythos operates continuously and finds vulnerabilities far faster than human researchers can triage them. The bottleneck is now disclosure coordination and vendor patching, not discovery.
Does Anthropic disclose all vulnerabilities it finds?
Anthropic follows coordinated disclosure principles. Findings are shared with affected vendors under a 90-day disclosure window before public release. As of July 5, 2026, Anthropic has issued 1,596 CVD disclosures and confirmed 9 public CVEs. Many findings are still in the disclosure pipeline with vendors actively patching.
Can I hire Anthropic for red team work?
Project Glasswing is not a commercial red team service. Anthropic is inviting partner organizations under a structured program, prioritizing critical infrastructure, healthcare, and high-impact software vendors. Organizations interested in participation should monitor Anthropic's official communications for partner program updates.
How does AI red teaming compare to bug bounties?
Bug bounties rely on external researchers who choose which targets to investigate, constrained by their own time and expertise. Mythos operates autonomously across all Glasswing partner attack surfaces simultaneously, 24 hours a day, seven days a week. It does not cherry-pick easy targets and generates full exploit chains, not just crash reports.
What is the coordinated disclosure timeline?
Glasswing follows a 90-day coordinated disclosure window aligned with industry standards established by Google Project Zero and the CVE Program. Vendors receive private notification, have 90 days to issue a patch, and then findings are published. Critical infrastructure findings may receive extended timelines at Anthropic's discretion.
How should internal red teams adapt their methodology when the adversary is using AI-assisted exploit development like Mythos?
Internal red teams competing against AI-assisted adversaries need to shift from depth-first to breadth-first coverage: prioritizing broad attack surface enumeration and chain identification over deep manual exploitation of a single vector, because Mythos excels at the deep exploitation phase once a vulnerability hypothesis is identified. Red teams should focus on identifying the invariant violations and trust boundary crossings that AI tools are most effective at exploiting once discovered -- specifically, memory safety errors in C and C++ codebases, JIT compiler type confusion bugs, and authentication logic flaws in cryptographic library integrations. Operationally, internal red teams benefit from running AI-assisted tooling alongside manual techniques: using AI to generate exploit hypotheses in bulk and applying human judgment to prioritize which chains are most likely to produce findings the blue team is not already detecting. Red teams should also begin testing their organization's detection and response velocity against AI-paced exploitation -- if the team can develop a working exploit in hours, does the SOC detect and contain the simulated breach before the window closes? That timing gap is the most operationally meaningful metric the red team can provide to leadership.
Sources & references
- Anthropic Project Glasswing Announcement
- Anthropic Exploit Evals Benchmark Report (May 22, 2026)
- Anthropic 90-Day Glasswing Progress Report (July 5, 2026)
- UK AI Security Institute Cyber Range Results
- CVE Program Database
- CISA Coordinated Vulnerability Disclosure
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
