10,000 critical vulnerabilities in one month. Anthropic is claiming that figure for Project Glasswing, its security research initiative that deploys Claude to scan codebases and infrastructure for exploitable flaws.
The scale is worth examining carefully. Traditional security auditing - hiring penetration testers, running static analysis tools, doing manual code review - might surface dozens of critical issues per engagement over weeks of work. A figure like 10,000 critical vulnerabilities in 30 days suggests either a fundamentally different pace for security research, or a very different definition of what counts.
What "Critical" Means Here
In security terms, critical vulnerabilities are the class of bugs most likely to lead to full system compromise - not configuration typos or low-risk edge cases, but the flaws that enable data breaches, ransomware infections, and infrastructure takeovers. A total of 10,000 of them in 30 days, if independently verified, would be a striking output by any standard.
Project Glasswing appears to use Claude as an AI-assisted vulnerability scanner, reading code and configuration files the way a security researcher would but at speeds no human team can match. The approach - sometimes called "agentic" security work, where an AI traces how a flaw could be exploited across multiple connected systems rather than just flagging a single line - is increasingly common in serious security tooling, including Claude Code.
Anthropic hasn't published a full methodology breakdown, which leaves important questions open: How were vulnerabilities independently verified? What codebases and organizations participated? How many were genuinely novel discoveries versus previously known issues being re-flagged by a new scanner? Those details matter before the 10,000 figure becomes a talking point.
The direction is clear regardless of where the exact number lands. AI-assisted security research has been accelerating, and a credible claim of this scale - even with uncertainty around it - points to a meaningful shift in how fast vulnerability discovery can move.
The same capability applies in both directions. Defenders can scan their own infrastructure faster, but so can anyone looking for targets. The window between vulnerability discovery and active exploitation has been shrinking for years. AI narrows it further on both sides.