Claude Mythos Just Found Thousands of Zero-Days. Expect an Exploit Explosion.
Anthropic's Claude Mythos Preview found thousands of zero-days in every major OS and web browser, many critical, some surviving decades of human review. Project Glasswing launches with Apple, Amazon, Google, Microsoft, and CrowdStrike to deploy the model defensively. But when these findings inevitably leak, expect an AI-driven wave of exploits. Time to verify your WAF is actually in place.
AI Just Found Thousands of Zero-Days That Humans Missed for Decades
Anthropic has unveiled Claude Mythos Preview, a frontier AI model that discovered thousands of zero-day vulnerabilities in every major operating system and web browser. Some of these bugs survived 27 years of human code review and millions of automated security tests. The finding is part of Project Glasswing, a new cybersecurity coalition that includes Apple, Amazon, Google, Microsoft, [CrowdStrike](/waf/cloudflare/), Broadcom, Cisco, and [Palo Alto Networks](/waf/imperva/).
Project Glasswing: A Defensive Coalition
Project Glasswing brings together 12 launch partners and over 40 additional organizations to use Mythos Preview for defensive security work. Anthropic is committing up to $100 million in usage credits and $4 million in direct donations to open-source security organizations. The model will scan both first-party and open-source software for vulnerabilities that human reviewers and existing tools have missed.
The partners include some of the biggest names in infrastructure and security. Companies like [Imperva](/waf/imperva/), [Cloudflare](/waf/cloudflare/), and other major [WAF providers](/waf/) will need to adapt as this capability reshapes the vulnerability landscape.
What This Means for Web Application Security
Here is the uncomfortable math. If an AI model can find thousands of zero-days autonomously, so can adversaries using similar models once they proliferate. The window between vulnerability discovery and exploitation is about to shrink dramatically. Organizations that rely only on default security headers and hope for the best are sitting ducks.
A properly deployed [Web Application Firewall](/waf/) is no longer optional. Solutions like [Cloudflare WAF](/waf/cloudflare/), [Imperva](/waf/imperva/), [FortiWeb](/waf/fortiweb/), and [Open-AppSec](/waf/open-appsec/) provide rule-based and ML-driven protection that can block exploit attempts even when the underlying vulnerability is not yet patched. With zero-days now being found at AI speed, the patching cycle alone cannot keep up.
The Leak Risk Is Real
Anthropic is limiting access to Mythos Preview for now, but the company itself recently leaked nearly 2,000 source code files and accidentally took down thousands of GitHub repositories during cleanup. If these vulnerability findings leak, expect an AI-driven wave of targeted exploits against unpatched systems. The best time to verify your WAF is actually in place and correctly configured was yesterday.
WAFplanet Take
This is a watershed moment. AI has crossed the threshold where it can find bugs that decades of human expertise missed. That is terrifying and useful at the same time. The defensive applications are real, but the offensive side will catch up fast. If your organization does not have a properly configured [WAF](/waf/), you are behind. Compare [WAF solutions](/compare/cloudflare-vs-imperva-vs-aws-waf/) on WAFplanet and make sure your protection is not just theoretical.
The era of "we will patch it eventually" is over. Patching at human speed against AI-found vulnerabilities is a losing strategy. Layered defense with a WAF as the front line is the only sane approach.