RESEARCH / Anthropic
Anthropic's Mythos (a cybersecurity-focused AI model) found over 10,000 critical software vulnerabilities across 50 partners in one month. Mozilla used it to ship 271 Firefox fixes. Cloudflare found 2,000.
For decades, finding bugs was the constraint. Now it's patching them. Mozilla's 10x jump in Firefox fixes month-over-month is the proof point.
Bug bounty programs reprice toward verified exploits, not first-to-find. Patch Tuesday becomes Patch Daily. Microsoft already warned volumes will grow. Attackers get equivalent capability within 6-12 months. Defender lead is real but narrowing.
Regulators issue patch-velocity mandates before EOY (CISA, ENISA, UK NCSC). Rebuild your security budget around patch velocity, not discovery.
⚡ Why this matters
- Anthropic's Mythos found 10,000+ critical vulnerabilities in one month.
- Security bottleneck flipped: from finding bugs to patching them.
- Every downstream assumption (bug bounties, CVD timelines, patch cadence) needs revisiting.
🔍 What happened
- May 22, 2026. Anthropic publishes Project Glasswing initial results.
- ~50 critical-infrastructure partners. >10,000 high/critical-severity vulnerabilities in one month.
- Cloudflare: 2,000 bugs (400 high/crit). False-positive rate "better than human testers."
- Mozilla: 271 fixes in Firefox 150 vs. fewer than 25 from Opus 4.6 in Firefox 148 (four months earlier).
- Palo Alto Networks: 5x usual patch count.
- Microsoft: monthly patch volumes "continue trending larger for some time."
- One partner bank: Mythos detected a $1.5M fraudulent wire transfer.
- UK AISI: Mythos first to solve both end-to-end cyber ranges.
- OSS scan: 23,019 candidate vulns across 1,000+ projects. 90.6% true-positive rate. 530 disclosed. 75 patched.
- Claude Security in public beta. Opus 4.7 patched 2,100 vulns in three weeks.
💬 Smart takes
- Anthropic: "Mythos-class models will soon be developed by many different AI companies. No company has developed safeguards strong enough to prevent such models from being misused."
- Cloudflare: false-positive rate beats human testers. High-precision, not just high-recall.
- OSS maintainers: asking Anthropic to slow disclosures. Patch-writing capacity is the binding constraint.
- Skeptic: 10,000 vulns is a stunning aggregate, but only 75 are publicly patched. OSS ecosystem is digesting a backlog larger than its repair capacity. Same framing that lets defenders see asymmetric advantage lets attackers see asymmetric backlog.
🧭 Where this goes
- Patch Tuesday becomes Patch Daily. Microsoft, Adobe, Oracle, SAP move to bi-weekly or rolling by Q3.
- Bug bounty economics invert. Discovery is no longer scarce; verification and triage become the priced labor.
- Regulators issue patch-velocity mandates by EOY (CISA, ENISA, UK NCSC).
- Attacker-side capability gap closes by H2 2026. First publicly attributed Mythos-equivalent criminal campaign lands.
🎯 Implication
- For PMs and execs running customer-facing software: patch deployment timeline is your biggest risk surface for the next 18 months.
- Three concrete moves: (1) baseline mean-time-to-patch; reduce by 50% by Q4 if >14 days. (2) Deploy Claude Security or equivalent into CI/CD this quarter. (3) Revisit CVD policy with legal.
- For CISOs: budget shifts from more SAST/DAST tools to patch-velocity infrastructure.