Visa: Claude AI identifies 10,000+ zero-day vulnerabilities
In brief
- Claude Mythos identified 10,000+ high- and critical-severity zero-day vulnerabilities in first month of testing
- Visa open-sourced Visa Vulnerability Agentic Harness tool for AI-based vulnerability management on June 10, 2026
- Project Glasswing expanded to 150+ organizations across 15+ countries by early June 2026
The scope of AI-driven vulnerability discovery
Anthropic's Claude Mythos model identified over 10,000 high- and critical-severity zero-day vulnerabilities within its first month of testing. The model uncovered flaws in older, deeply embedded systems including OpenBSD and FFmpeg, demonstrating that frontier AI can penetrate legacy code that's often overlooked by conventional security audits.
Project Glasswing launched on April 7, 2026, initially granting roughly 50 partners access to the Claude Mythos Preview model. By early June, the program had expanded to approximately 150 organizations across more than 15 countries. Anthropic backed the initiative with up to $100 million in usage credits and an additional $4 million for open-source security work.
Visa's defensive posture and open-source response
Visa's testing revealed a critical insight: its existing security infrastructure, including its zero-trust architecture, withstood exploitation attempts from the Mythos model. But the AI didn't stop there. The model found gaps that human security teams had missed, identifying actionable improvements the company needed to implement.
In response, Visa open-sourced its Visa Vulnerability Agentic Harness tool on June 10, 2026, designed for AI-based vulnerability management. The move signals a shift toward democratizing AI-driven security testing.
The broader threat landscape
The timing of Visa's findings aligns with escalating real-world risks. Visa's Spring Biannual Threats Report, released on May 20, 2026, documented escalating AI-enabled fraud. As network-level security improves, attackers are pivoting to tactics like deepfakes and social engineering.
The message from Rajat Taneja, Visa's president of technology, was clear: frontier AI models demand urgent strategic rethinking across the cybersecurity industry.
"frontier AI models are simultaneously the best defensive tool and the most dangerous offensive weapon the cybersecurity world has ever seen." — Rajat Taneja, Visa's president of technology
Frequently asked questions
What is Project Glasswing?
Project Glasswing is Anthropic's initiative launched on April 7, 2026, that provides organizations access to the Claude Mythos Preview model for security testing. The program expanded from 50 initial partners to approximately 150 organizations across 15+ countries by early June, backed by $100 million in usage credits and $4 million for open-source security work.
How many vulnerabilities did Claude Mythos find?
Within its first month of testing, the Claude Mythos model identified over 10,000 high- and critical-severity zero-day vulnerabilities, including flaws in older systems like OpenBSD and FFmpeg that human security teams had previously missed.
What did Visa open-source?
On June 10, 2026, Visa open-sourced the Visa Vulnerability Agentic Harness tool, designed for AI-based vulnerability management. The tool emerged from Visa's testing with the Claude Mythos model through Project Glasswing.
