Anthropic's Project Glasswing, a defensive cybersecurity initiative, is making waves in the tech industry after identifying over 10,000 high- or critical-severity vulnerabilities in critical software within its first 30 days. The AI-driven project, which uses the unreleased Claude Mythos Preview model, has uncovered a 27-year-old flaw in OpenBSD and a 16-year-old flaw in FFmpeg, shifting the focus from discovering vulnerabilities to fixing them.
The AI system, in collaboration with approximately 50 partner organizations, flagged more than 10,000 issues across over 1,000 open-source projects. Of these, 6,202 were classified as high- or critical-severity, and subsequent expert analysis confirmed 1,726 as valid true positives, with 1,094 being either high or critical severity.
Cloudflare, one of the launch partners, discovered 2,000 bugs in its systems, 400 of which were high or critical. Mozilla, another partner, found and fixed 271 vulnerabilities in Firefox, marking a tenfold increase compared to findings from an earlier Claude model.
The most significant insight from the Glasswing update is the shift in the bottleneck from discovery to remediation. For decades, finding vulnerabilities was the most challenging part. Now, AI can find them at a rate that overwhelms human capacity to verify, disclose, and patch them. Anthropic maintains a strict 90-day Coordinated Vulnerability Disclosure policy, but patching capacity is stretched thin relative to the rate of discovery.
Among the thousands of vulnerabilities, two stand out for their age and implications. A remote crash vulnerability in OpenBSD, known for its security-focused design, had been present for 27 years. This flaw not only highlights the qualitative difference between AI-assisted and human-driven security reviews but also raises concerns about critical infrastructure security.
Additionally, a 16-year-old flaw in FFmpeg, a widely used open-source audio-video processing library, was identified. This flaw affects virtually every streaming platform, video editor, and media tool, underscoring the need for robust and continuous security measures.
Simultaneously, Anthropic is expanding its global presence with new offices in Milan (May 27) and Seoul (May 26). Korea's Claude usage rate is running 3.5 times higher than its population would predict. Amazon also confirmed its custom chip business is operating at a $20 billion annual rate, with $225 billion in Trainium commitments and Trainium3 nearly fully subscribed at launch.
As the industry prepares for Microsoft Build and the SpaceX IPO roadshow, the focus remains on the rapid pace of AI-driven cybersecurity advancements and the urgent need for effective remediation strategies.