In June 2026, 21 major tech companies reported around 1,500 high- or critical-severity security vulnerabilities – more than 3.5 times the previous record month. That is according to a recent analysis by the non-profit organization Epoch AI, first reported on by The Decoder. The jump coincides almost to the day with the announcement of an AI model that can autonomously hunt for security flaws – raising the question of whether software is actually becoming less secure today, or whether we are simply finally seeing what had long been hidden.
The Numbers: What Epoch AI Measured
Epoch AI draws on data from the public CVE repository cve.org, focusing on 21 organizations it classifies as “notable” – including Microsoft, Google, Apple, Cisco, Red Hat, Linux, Mozilla, and AWS – in order to filter out noisy submissions from smaller sources. In a data analysis published on July 2, 2026, Epoch author Luke Emberson puts the June increase at more than 3.5 times the previous monthly record. There are small discrepancies over the exact figure even within Epoch’s own publication: the body text cites around 1,500 CVEs, while the meta description of the same page cites around 1,300 – a sign that these are preliminary, rounded estimates rather than an exactly quantified figure.
The Trigger: Claude Mythos Preview and Project Glasswing
On April 7, 2026, Anthropic introduced its most capable model to date, which it is not making publicly available: Claude Mythos Preview. The company stated that the model can find and exploit software vulnerabilities autonomously, at a level matched by only the most skilled human security researchers. Rather than releasing it publicly, Anthropic simultaneously launched Project Glasswing – a program in which partners such as Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks use the model to harden their own systems before comparable capabilities end up in less careful hands. The program originally comprised around 50 organizations; as The Decoder reported, Anthropic expanded Glasswing on June 2, 2026 by around 150 additional partners from more than 15 countries, bringing the total to roughly 200 organizations with access – including new sectors such as energy, water, healthcare, and communications.
In a detailed interim report published on May 22, 2026, Anthropic presented initial figures: the roughly 50 partners at the time had together found more than 10,000 high- or critical-severity vulnerabilities in systemically important software, and several partners reported a more than tenfold increase in their bug-finding rate compared with previous tools. Anthropic writes that the bottleneck has now shifted from discovery to verifying, disclosing, and patching the findings.
What Partners Like Cloudflare and Mozilla Are Reporting
Cloudflare – itself a Glasswing partner – published its own technical account of its experience. The company tested Mythos Preview across more than 50 of its own repositories and found around 2,000 bugs, 400 of them high- or critical-severity, with what it describes as a better false-positive rate than human testers achieve. The company particularly highlights the model’s ability to autonomously chain several smaller vulnerabilities into a working exploit – a task at which other tested models mostly failed, according to Cloudflare. At the same time, the company describes Mythos Preview as responding inconsistently to legitimate security-research requests: depending on how a task was phrased, the same request was sometimes carried out and sometimes refused – a sign that the model’s built-in safeguards alone are not enough to make it safe for general availability.
Mozilla likewise reports significant improvements: while testing Mythos Preview, the company found and fixed 271 vulnerabilities in Firefox 150 – more than ten times as many as it had previously found with Claude Opus 4.6 in Firefox 148. Further external tests support this picture: the UK’s AI Security Institute reports that Mythos Preview is the first model to fully solve both of its in-house cyber ranges – simulations of multistep cyberattacks. The independent security platform XBOW rates the model as a significant leap over every system it has tested before. Effects are also visible in patch delivery: Palo Alto Networks shipped five times as many patches as usual in its latest release, while Microsoft announced that the number of new patches would keep growing for the time being.
OpenAI Follows Suit With Daybreak
Anthropic is not the only one driving this forward. The Decoder reported on the expansion of OpenAI’s cybersecurity program Daybreak. In its own announcement, OpenAI stated that the bottleneck in cybersecurity has now shifted from finding vulnerabilities to patching them – an assessment nearly identical to Anthropic’s. According to the company, the Codex Security tool, available in preview since March, has by now scanned more than 30 million commits across more than 30,000 codebases; over 500,000 findings have been automatically classified as fixed, with another 70,000 manually confirmed by human reviewers.
At the same time, OpenAI released the final version of its specialized model GPT-5.5-Cyber, which it says sets a new best score of 85.6 percent on the CyberGym benchmark (versus 81.8 percent for GPT-5.5). Access is restricted to verified defenders. Through the Daybreak Cyber Partner Program, OpenAI now works with more than 25 security companies, including Cisco, CrowdStrike, Cloudflare, Palo Alto Networks, IBM, and Fortinet, as well as with several governments – according to the company, among others Australia, Canada, France, Germany, Japan, South Korea, the UK government, and the EU agency ENISA. Through the “Patch the Planet” initiative, run together with Trail of Bits, HackerOne, and Calif, OpenAI also specifically supports open-source projects such as cURL, Go, Python, and pyca/cryptography in closing discovered flaws.
From Finding to Fixing: the Real Bottleneck
Anthropic and OpenAI independently arrive at the same conclusion: it is no longer finding vulnerabilities but fixing them that is now the limiting factor. Anthropic’s own figures from its open-source scanning illustrate the problem. According to the company, it has scanned more than 1,000 open-source projects with Mythos Preview, finding a total of 23,019 potential vulnerabilities of all severity levels, an estimated 6,202 of them high- or critical-severity. Of 1,752 findings independently assessed so far, 90.6 percent proved to be true positives, and 62.4 percent were actually confirmed as high- or critical-severity.
But there is still a long way to go before these issues are actually fixed: of the roughly 530 high- or critical-severity bugs reported to maintainers so far, only 75 had been patched by the time of Anthropic’s report, 65 of them with a public security advisory. Several open-source maintainers reportedly even asked Anthropic to slow down the pace of disclosures because they lacked the capacity to process the flood of reports – especially since many projects are already dealing with a wave of low-quality, AI-generated bug reports.
How Dangerous Is the Increase, Really?
The raw number of reported CVEs says little about how the actual risk is changing. In its mid-year forecast, the vulnerability-coordination organization FIRST offers a more nuanced view: the total number of CVEs expected for 2026 is now around 46 percent above the original forecast, at an estimated 66,000 disclosures for the year. Looking at vulnerabilities that are actually being actively exploited – those that make it into the KEV catalog of the US agency CISA or carry an EPSS score above 10 percent – the picture, according to FIRST, remains largely stable. The authors use the image of much heavier rainfall against a nearly unchanged flood level: more reports, in other words, do not automatically translate into more concrete danger, but mainly into more work sifting through and prioritizing findings.
Experts interviewed by Dark Reading about Microsoft’s June patch day, which came in at between 198 and 206 CVEs depending on how it is counted, are similarly divided. One Tenable security researcher expects patch cycles with more than 100 CVEs to become the norm going forward. A colleague from Fortra disagrees: over the past few years, only around 30 CVEs per year on average have actually made it onto CISA’s list of actively exploited vulnerabilities, and 2026 has so far tracked in line with that long-term average. AI is changing something, in other words, but so far more gradually than disruptively.
Well-known security researcher Bruce Schneier is considerably more critical. As early as April, he described Project Glasswing mainly as a savvy PR success for Anthropic and criticized much of the media for uncritically repeating the company’s claims. In a follow-up post on the May update, he argues that the striking gap between tens of thousands of vulnerabilities found and only a few dozen actually patched is hard to assess as long as Anthropic essentially publishes only aggregated figures rather than checkable detailed data. He further notes that a security firm was able to reproduce some of the reported vulnerabilities using older, publicly available models – suggesting Mythos Preview may be less unique than the coverage implies.
There is also a structural conflict of interest that The Decoder points out as well: alongside Project Glasswing, Anthropic markets Claude Security, a commercial product that scans codebases and proposes patches – in effect, a safeguard against exactly the risks the company itself has put in the spotlight through Project Glasswing. Anthropic itself points to Claude Security in this context as an offering that lets customers secure their own codebase using generally available Claude models.
What This Means for Companies and Development Teams
Regardless of how one assesses the exact figures, everyone involved agrees on one point: the time between discovering and fixing a vulnerability is becoming the decisive risk factor. Anthropic recommends that software makers shorten their patch cycles and make update mechanisms as frictionless as possible for end users. For network defenders, the company recommends well-established but effective basic measures such as multi-factor authentication, hardened default configurations, and comprehensive logging, as recommended by US and UK security agencies, among others. Cloudflare takes a similar stance: rather than relying solely on faster patching, the company argues for designing architectures so that a single vulnerability does not immediately grant full system access.
Conclusion
The sharp rise in reported vulnerabilities in the summer of 2026 is real, and it can be precisely linked in time to the emergence of AI-driven bug-hunting programs – on that point, Epoch AI’s CVE data and the consistent statements from Anthropic, OpenAI, and external partners leave little doubt. How large the actual security gain ultimately is, however, can only be judged to a limited extent based on the figures published so far, most of which come from the companies involved themselves. Until independent bodies such as FIRST or CISA provide more robust data on actual exploitability, the most cautious reading is probably the right one: more vulnerabilities are being found than ever before – whether that ultimately makes the world safer, or at first mainly more complicated, depends on how quickly the much-discussed gap between finding and fixing can be closed.


