Anthropic Project Glasswing: 10,000 Critical Vulnerabilities Found — The Economics of AI Security Scanning
May 26, 2026
One Month In: The Numbers From Project Glasswing
Project Glasswing launched in April 2026 with a specific mandate: use Anthropic's Claude Mythos Preview model to find security vulnerabilities in critical software infrastructure. One month later, the initial results update is striking.
Across approximately 50 partner organizations and more than 1,000 open-source projects, Glasswing has identified over 10,000 high or critical severity vulnerabilities in systems that underpin global internet infrastructure. Independent verification of findings showed a 90.6% accuracy rate. Multiple partners reported vulnerability discovery rates more than ten times faster than their prior human-led processes.
Specific results include Cloudflare finding 2,000 vulnerabilities in critical path systems, and Mozilla identifying 271 bugs in Firefox 150 — far more than any previous model had surfaced. The headline number may understate the actual impact: these are the vulnerabilities that were found and reported. The total number surfaced and triaged is likely higher.
What "10x Efficiency" Actually Means in Cost Terms
A 10x improvement in vulnerability discovery rate is a compelling marketing claim. What does it mean in practice?
A traditional security audit for a large open-source project might involve a team of three to five security engineers working for two to four weeks. At blended rates of $150–$250 per hour for specialized security talent, that is roughly $60,000–$200,000 per engagement — and that team might surface 20–50 significant vulnerabilities if the codebase is well-maintained.
Glasswing found 271 vulnerabilities in Firefox 150 alone. Assuming even half are high-quality findings, that is 135+ significant bugs in a single model run. The token cost of scanning a large codebase at Claude Mythos rates — assuming pricing comparable to Claude Opus 4.7 at $5.00/M input — for a repository of Firefox's scale (roughly 20M lines of code) might run:
| Scan Scope | Est. Input Tokens | Est. API Cost | Traditional Audit Cost |
|---|---|---|---|
| Small library (50K lines) | ~500M | ~$2,500 | $15,000–$40,000 |
| Medium project (500K lines) | ~5B | ~$25,000 | $60,000–$150,000 |
| Large codebase (5M+ lines) | ~50B | ~$250,000 | $300,000–$1,000,000+ |
Note: these are rough estimates. Glasswing almost certainly does not scan entire repositories naively — it uses chunking, prioritization, and smart context selection to make the process tractable. Real costs would depend heavily on the scanning strategy and caching rates.
The Emerging Market for AI Security-as-a-Service
Project Glasswing is currently operating as a research initiative with hand-selected partners. But its results point toward a viable commercial model: AI-powered security scanning at a fraction of traditional audit costs, with coverage that scales far beyond what human teams can review manually.
The 90.6% accuracy rate matters because false positives are expensive. Security teams that chase 10 false alarms for every real finding will quickly abandon the tool regardless of cost. At 90%+ accuracy with 10x the discovery rate, Glasswing-style scanning becomes an attractive continuous monitoring layer — not a replacement for human security engineers, but a force multiplier that surfaces the high-priority work for them to review.
For enterprises currently spending $200,000–$500,000 annually on security audits, a service that delivers 10x the vulnerability coverage at comparable total cost would represent an immediate and significant ROI. That is the commercial opportunity Anthropic is positioning for.
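The cost table and the false-positive argument above can be combined into one figure, cost per confirmed finding. The sketch below is an added example, not code from the article or from Anthropic. The token counts, the $5.00/M price and the hourly rate come from the article; the number of reported findings and the triage hours per report are assumptions.

```python
"""Cost per confirmed finding for an AI-assisted scan (added example)."""
from dataclasses import dataclass

PRICE_PER_M_INPUT_USD = 5.00  # the article's assumed input price


@dataclass(frozen=True)
class Scan:
    lines_of_code: int
    input_tokens: int       # from the article's table
    reported: int           # ASSUMPTION: findings the scanner reports
    precision: float        # share of reported findings that verify as real
    triage_hours: float     # ASSUMPTION: analyst hours to verify one report
    hourly_rate_usd: float  # within the article's $150-$250 range

    def api_cost(self) -> float:
        return self.input_tokens / 1_000_000 * PRICE_PER_M_INPUT_USD

    def triage_cost(self) -> float:
        # Every report costs analyst time, whether it turns out real or not.
        return self.reported * self.triage_hours * self.hourly_rate_usd

    def confirmed(self) -> float:
        return self.reported * self.precision

    def cost_per_confirmed(self) -> float:
        if self.confirmed() <= 0:
            raise ValueError("no confirmed findings; cost per finding is undefined")
        return (self.api_cost() + self.triage_cost()) / self.confirmed()

    def tokens_per_line(self) -> float:
        # What the table's token estimate implies about re-reading each line.
        return self.input_tokens / self.lines_of_code


# Constructed inputs: the table's "medium project" row plus assumed triage figures.
MEDIUM = Scan(500_000, 5_000_000_000, 1000, 0.906, 2.0, 200.0)
# Same scan at the "10 false alarms for every real finding" ratio.
NOISY = Scan(500_000, 5_000_000_000, 1000, 1 / 11, 2.0, 200.0)

if __name__ == "__main__":
    for name, s in (("90.6% precision", MEDIUM), ("1-in-11 precision", NOISY)):
        print(f"{name}: API ${s.api_cost():,.0f}, triage ${s.triage_cost():,.0f}, "
              f"${s.cost_per_confirmed():,.0f} per confirmed finding")
    print(f"implied tokens per line: {MEDIUM.tokens_per_line():,.0f}")
```

Under these assumptions analyst triage, not API spend, dominates the total, which is why precision moves the per-finding cost by roughly a factor of ten.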
What This Means for AI Coding Cost Models
Project Glasswing is a preview of a broader pattern: AI taking on high-skill professional tasks previously reserved for expensive specialists, and doing so at costs that are 5–10x lower per unit of output. Security auditing is just the clearest current example.
The implication for developers is that the most interesting cost question is no longer "how much does this model cost per token?" but "how much does this model cost per outcome?" Glasswing makes the outcome-based calculation obvious — $2,500 per 135 vulnerabilities found versus $40,000 per 20 found via traditional methods.
As this type of AI-powered professional service expands beyond security into testing, documentation, and architecture review, the same outcome-based economics will reshape how teams think about AI spend. The AI Cost Estimator can help you model the token costs for your own automated code analysis workflows.