AI Found 10,000 Critical Bugs. Most Still Aren't Fixed.

Anthropic expanded Project Glasswing to 150 orgs including EU's ENISA on June 2. See why only 14% of critical bugs are patched and what to do this week.

Scott Armbruster

On June 2, Anthropic expanded Project Glasswing from roughly 50 partners to 150 organizations across 15 countries, including the European Union’s cybersecurity agency ENISA, and committed $100 million in usage credits to underwrite the work. One week earlier, the program’s first-month receipts showed Claude Mythos surfacing 23,019 issues across 1,000 open-source projects, with 6,202 of them rated high or critical at a 90% true positive rate confirmed by six independent security firms.

Here’s the line that should be on every CISO’s whiteboard this week. Of 530 critical bugs that Glasswing has already disclosed, only 75 have been patched.

That’s 14%. The other 86% are sitting in a queue with public clocks running on them, and Anthropic just multiplied the number of organizations producing findings by three.

Quick Verdict

Signal from the June 2 Update | What It Means for You
Glasswing partners: 50 to 150 organizations across 15+ countries | The disclosure firehose just tripled the partner count
ENISA (EU cybersecurity agency) joined | Regulators are now inside the discovery side. Compliance signal is imminent
$100M usage credits committed by Anthropic | Discovery side is fully funded. Patching side is not
75 of 530 disclosed critical bugs patched | 14% patch rate against the program’s own first wave
23,019 findings across 1,000 OSS projects, 6,202 high or critical | Your open-source dependency graph is the next wave
90% true positive rate confirmed by six security firms | This is not a SAST false-positive problem. The bugs are real
Oracle April 2026 Critical Patch Update | 481 vulnerabilities across DB, Java SE, MySQL, Fusion, PeopleSoft, Siebel
Palo Alto Networks last release | 5x the usual patch volume in one window
Microsoft’s guidance | Patch volume “will continue trending larger for some time”
Claude Security public beta in first three weeks | 2,100+ vulnerabilities patched inside Claude Enterprise tenants
Your real lever this week | Revisit patch posture before ENISA writes the framework that does it for you

What Changed on June 2

The May 25 announcement was the first month of receipts. The June 2 announcement is the scale-up. Three numbers matter here, and the third one is the one most enterprise security teams are missing.

Glasswing’s partner count tripled. The original 50 organizations included AWS, Apple, Cisco, Google, JPMorgan, Microsoft, CrowdStrike, NVIDIA, Palo Alto Networks, and the Linux Foundation. The new cohort adds another 100 organizations spanning 15 countries, with ENISA as the first named regulator inside the program. The disclosure pipeline now runs through three times the number of partner security teams as it did one week ago.

Anthropic put $100 million in usage credits on the table. The frontier model that’s doing the scanning, Claude Mythos Preview, is expensive to run at the volume Glasswing partners are running it. Anthropic is underwriting the compute cost so the program can scale without procurement gates inside each partner. The discovery side is now operating on free credits. The patching side is operating on whatever budget the partner already had.

The 14% patch rate is the receipt. Of 530 critical bugs that Glasswing partners have already disclosed publicly, 75 have been patched. That number was inside the broader update and has not gotten the headline coverage it deserves. The discovery side has produced ten times the output of the patching side inside the same partner organizations that are running both. If the partner organizations running Glasswing are at 14% patch completion, the median enterprise consuming their disclosures is going to be lower.

I covered the structural framing of this problem in “AI Found 10,000 Flaws. Can You Patch Them?” one week ago, before the expansion landed. The core mechanic has not changed. The slope just got steeper.

The Vendor Side Is Already Reorganizing

Look at three vendor signals from the last 30 days. They tell you where this is going inside your environment.

Oracle’s April 2026 Critical Patch Update closed 481 vulnerabilities across Oracle Database, Java SE, MySQL, Fusion Middleware, PeopleSoft, and Siebel CRM. That’s one quarterly Oracle CPU. The product list reads like the standard enterprise stack at most Fortune 500 companies. The patch window is the standard 30 days from disclosure. If your Oracle DBA team is sized for a normal CPU, this one already exceeded their capacity, and the next one is 12 weeks away.

Palo Alto Networks pushed a release that contained roughly five times its usual patch volume in one disclosure window. The network security stack is the part of your environment with the tightest change-management windows and the longest regression test cycles. Five times the patch rate means five times the change windows, or five times the deferred work. Pick one.

Microsoft said the quiet part on the record. The company’s May 2026 MSRC Patch Tuesday note to enterprise customers acknowledges that patch volume “will continue trending larger for some time.” Microsoft has visibility into both sides of this. It runs internal AI scanning against its own code. It also receives the disclosures coming through Glasswing partners targeting Microsoft platforms. The guidance is a soft warning that the patch volume going forward is structurally higher than the prior baseline.

Three vendors, three different positions in the stack. All three are telling the same story. The patch rate is the new operating constraint.

What Is Anthropic’s Project Glasswing?

Project Glasswing is Anthropic’s defensive AI security program, expanded on June 2, 2026 from roughly 50 partners to 150 organizations across 15 or more countries, giving them exclusive access to Claude Mythos Preview to identify vulnerabilities in widely deployed software before public disclosure. The program now includes regulators (notably the EU’s ENISA), the world’s largest cloud and infrastructure vendors, major financial institutions, and the Linux Foundation. Anthropic has committed $100 million in usage credits to underwrite the scanning workload and continues to withhold Mythos from public release because it believes the model is too capable for safe general distribution. The first wave produced more than 23,000 confirmed findings across 1,000 open-source projects, with a 90% true positive rate confirmed by six independent security firms.

The part most security leaders are still skipping past is the asymmetry. Anthropic is sitting on a model it believes is too dangerous to ship broadly. 150 organizations are running it under contract. The rest of the field is patching whatever those 150 partners disclose, on a clock the partners control.

The ENISA Signal Is the Compliance Lever

ENISA inside Glasswing is the part of the June 2 announcement that is going to drive the most enterprise change inside the next two quarters, and almost no analyst coverage has flagged it yet.

ENISA is the European Union Agency for Cybersecurity. It is the body that develops EU-wide guidance on the NIS2 Directive, the Cyber Resilience Act (CRA), and the implementing standards under DORA for financial services. Putting ENISA inside Glasswing means the regulator that writes the patch-management requirements for half of Europe is now seeing the same disclosure pipeline the vendors are. They will write the framework that institutionalizes the new patch cadence as a compliance requirement, and they will write it from the data they are seeing inside the program.

The practical implication for any enterprise with EU operations is that the patch-SLA expectations are about to move from internal policy to regulatory expectation. NIS2 already requires “appropriate technical and organizational measures” against known vulnerabilities. ENISA is the body that defines “appropriate” in operational terms. The Glasswing data set will be the evidence base for the next round of that definition.

The US version of this signal has not landed yet, but CISA is the analogous body and the relationship between CISA and the Glasswing US partners is close enough that the same pressure is going to surface inside the next two quarters. The orgs that get out in front of the EU expectation will already be positioned for the US one.

The 86% Backlog and What It Implies

Sit with the 75-of-530 number for a minute. That’s 455 critical-severity bugs already disclosed by Glasswing partners and not yet patched, inside the partner organizations themselves. The disclosure clock is public. The bug existence is public. The patch state is public. The window where attackers are operating against known-but-unpatched code is currently sitting at 86% of the disclosed wave.

There are two structural reasons this gap exists, and one operational reason most enterprises will get wrong.

The first structural reason is that disclosure does not equal patch availability. Glasswing partners frequently disclose findings before the affected upstream maintainer has shipped a fix. The protocol is responsible disclosure first: the maintainer gets a fixed window to patch, and the finding goes public when that window closes whether or not a fix has shipped. The 530 disclosed bugs are therefore a mix of patched-upstream-but-not-deployed-downstream and not-yet-patched-upstream. Both categories sit in the backlog.

The second structural reason is that some patches require coordination across multiple downstream consumers. An OpenSSL fix shipped today shows up in Debian within a week, in Red Hat Enterprise Linux within two to four weeks, in the container images downstream of those distros within another two to eight weeks, and in your production deployment whenever your container rebuild cadence catches up. The end-to-end clock from upstream patch to enterprise deployment is measured in months, not days, for most enterprise stacks.

The operational reason most enterprises will get wrong is the assumption that the patch ops team can absorb the new volume by working harder. The patch ops team is already working at capacity. The new volume requires automation at every gate. Most enterprise patch programs treat patch ops as a stable IT function with predictable inbound rates. The Glasswing expansion is the receipt that the inbound rate is no longer stable or predictable, and the org that automates the gates absorbs the wave while the org that does not gets buried by it.

The pattern matches the one I covered in “Anthropic Goes Public. Lock In Your Contracts Now.” at the procurement level. The vendor changes the operating regime on a clock the buyer does not control. The buyer either restructures the operating layer to match, or the buyer pays the gap. Same dynamic, different layer.

Where Most Security Programs Are Already Misallocated

A reasonable CISO read on the June 2 expansion is that the security team needs more headcount. That reasonable read is wrong for the same reason it was wrong on May 27, and the June 2 data sharpens the point.

Here are the reallocations that move the needle this quarter.

Patch ops automation over net-new detection. Anthropic just funded the discovery side with $100 million in credits. The marginal value of adding another SAST product to the detection stack is functionally zero against that baseline. The marginal value of automating one critical patch path end-to-end is substantial. Move budget from detection licenses to canary deployment infrastructure, automated regression suites, and rollback automation. That investment pays back inside one disclosure cycle.

SBOM accuracy over SBOM coverage. Your software bill of materials is about to be measured against 6,202 high and critical findings inside the open-source projects most enterprise software depends on. The accuracy gap is the gap between what your SBOM says you use and what you actually use in production. Investing in continuous SBOM generation now is the difference between catching the wave and being surprised by it. The supply chain disclosures are coming through standard CVE channels, but the matching against your actual dependency graph requires SBOM accuracy that most enterprises do not have today.
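To make the accuracy gap concrete, here is an added Python example (not code from the article, from Anthropic, or from any vendor named above). It compares the components an SBOM declares against what a runtime inventory actually observes, then matches the same advisory feed against both views so the difference in exposure is visible. Every package name, version, and advisory identifier is constructed for the example, and the version comparison assumes plain dotted numeric versions.

```python
"""Added example (not from the article): measure the SBOM accuracy gap.

Compares what the SBOM declares with what a runtime inventory observes in
production, then matches a constructed advisory feed against both views.
All package names, versions and advisory identifiers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str     # package name as it appears in the SBOM or inventory
    version: str  # dotted numeric version, e.g. "3.0.12"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder identifier, constructed for this example
    name: str         # affected package
    fixed_in: str     # first version carrying the fix; lower versions are affected
    severity: str


def parse_version(v: str) -> tuple[int, ...]:
    """'3.0.12' -> (3, 0, 12). Assumes plain dotted numeric versions;
    real ecosystems (Debian epochs, semver pre-releases) need their own comparer."""
    return tuple(int(seg) for seg in v.split("."))


def sbom_drift(declared: list[Component], observed: list[Component]) -> dict:
    """Three kinds of inaccuracy: same package at a different version, packages
    the SBOM lists that production no longer runs, and packages production runs
    that the SBOM never recorded."""
    dec = {c.name: c.version for c in declared}
    obs = {c.name: c.version for c in observed}
    return {
        "version_mismatch": {n: (dec[n], obs[n]) for n in dec.keys() & obs.keys() if dec[n] != obs[n]},
        "missing_in_production": sorted(dec.keys() - obs.keys()),
        "unrecorded_in_sbom": sorted(obs.keys() - dec.keys()),
    }


def match_advisories(components: list[Component], advisories: list[Advisory]) -> list[tuple[str, str, str, str]]:
    """(advisory_id, severity, name, version) for every component running a
    version below the advisory's fix version."""
    hits = []
    for adv in advisories:
        for comp in components:
            if comp.name == adv.name and parse_version(comp.version) < parse_version(adv.fixed_in):
                hits.append((adv.advisory_id, adv.severity, comp.name, comp.version))
    return sorted(hits)


def accuracy_report(declared: list[Component], observed: list[Component], advisories: list[Advisory]) -> dict:
    """Side by side: what the SBOM view would report versus what is actually exposed."""
    return {
        "drift": sbom_drift(declared, observed),
        "hits_against_sbom": match_advisories(declared, advisories),
        "hits_against_runtime": match_advisories(observed, advisories),
    }


# Constructed sample data: the SBOM is one patch behind on acme-tls, still lists
# acme-xml which was removed from the image, and never recorded acme-zip.
DECLARED_SBOM = [Component("acme-tls", "3.0.12"), Component("acme-log", "2.17.1"), Component("acme-xml", "2.11.5")]
OBSERVED_RUNTIME = [Component("acme-tls", "3.0.10"), Component("acme-log", "2.17.1"), Component("acme-zip", "1.2.13")]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "acme-tls", "3.0.12", "critical"),
    Advisory("ADV-EXAMPLE-0002", "acme-zip", "1.3.0", "high"),
    Advisory("ADV-EXAMPLE-0003", "acme-xml", "2.12.0", "high"),
]

if __name__ == "__main__":
    report = accuracy_report(DECLARED_SBOM, OBSERVED_RUNTIME, ADVISORIES)
    print("drift:", report["drift"])
    print("SBOM view says exposed:", report["hits_against_sbom"])
    print("production actually exposed:", report["hits_against_runtime"])
```

With the constructed data, the SBOM view reports one high finding on a package that is no longer running, while the runtime view reports a critical and a high that the SBOM never surfaces. The two lists are the accuracy gap the paragraph describes; a continuous SBOM pipeline is what drives `hits_against_sbom` and `hits_against_runtime` back to the same list.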

Patch operations as a governance function. Patch ops in most orgs reports two layers below the CISO and three layers below the CFO. The Glasswing data is the receipt that patch ops is a top-three operational risk and needs governance visibility to match. Move it into the same monthly forum that already covers vendor risk, change management, and security incident review. The orgs that promote patch ops to a governance function will respond faster than the orgs that leave it as an IT chore.

The trap is treating any of this as a tooling problem. It is a process design problem with a tooling component. The tooling already exists. The process around it was built for a different patch cadence and is now structurally undersized.

The Claude Security Beta Is the Available Lever

The frontier-capable scanner inside Glasswing is Claude Mythos Preview, which Anthropic is not releasing publicly. The product enterprise buyers can deploy themselves is Claude Security in public beta for Claude Enterprise customers. In its first three weeks of public beta, the product patched more than 2,100 vulnerabilities inside customer environments running it.

That last number is the part to focus on. Patched, not just found. The Claude Security beta produces findings, suggests remediations, and in the cases where the customer authorizes automated patching, it executes the fix and verifies the patch landed. That workflow is the productized version of the Glasswing capability, scoped to what is safe to ship publicly.

Two clarifications before this becomes a procurement decision.

Claude Security is not Claude Mythos. The capability gap is real. Mythos is finding the long tail of subtle reasoning bugs that the safer model is not yet finding. The Claude Security tier is the safer, slower version that catches the bulk of the high-confidence finding category. The right move is to deploy the available product against your code today while the more capable one is still gated inside Glasswing.

The product requires a Claude Enterprise contract. If you are already a Claude Enterprise customer, the Claude Security beta is a configuration switch, not a separate procurement. If you are not, the contract path runs through the same negotiation window that closes around the October Anthropic IPO. The pre-IPO contract pricing is materially better than the post-IPO version is going to be.

OpenAI’s GPT-5.4-Cyber is the obvious comparison. Gated to vetted defenders. Focused on the same problem space. The competitive dynamic between Anthropic and OpenAI inside frontier security is the next 12 months of the category, and the Glasswing expansion just changed the terms by tripling the partner count on one side.

The Anti-Hype Read

A few cautions before this becomes a board-deck conclusion.

The 14% patch rate is a snapshot, not a steady state. Some of the 455 unpatched critical bugs are inside the standard disclosure-to-patch window and will close on schedule. The headline patch rate at the end of Q3 is going to be meaningfully higher than 14%, probably in the 40 to 55% range, just based on normal patch cadence catching up. The right read is that the 14% number captures the snapshot at the moment the discovery side is running ten times faster than the patch side. The gap will close in absolute terms while the discovery rate keeps accelerating. The relative gap may not close at all.

The 90% true positive rate is impressive but partner-validated, not field-validated. Six security firms confirmed the rate on a sampled subset. Field deployment against the long tail of enterprise codebases will produce a lower confirmed rate, probably in the 60 to 75% band for most internal environments. That’s still significantly above the 10 to 20% confirmed rate of conventional SAST tools, just not the headline rate from the partner validation. Plan budgets against the lower number and treat the partner rate as the ceiling.

ENISA inside Glasswing does not mean EU regulators are about to ship a rule. The framework cycle is 18 to 36 months from “regulator gets visibility” to “regulator publishes binding guidance.” The compliance pressure is real and worth getting in front of. The deadline pressure is not yet on the calendar. Orgs that pretend this is a Q3 2026 compliance issue will burn budget on the wrong problem.

None of those cautions changes the operational picture. The discovery side just tripled its partner footprint, picked up an EU regulator, and got $100 million in fresh credits. The patching side is sitting at 14% completion against the program’s own first wave. Whichever side of that gap your patch operation lives on at the end of Q3 is the side it will probably live on through 2027.

Three Moves Before Q3

These actions are sized for any enterprise running a real security program. Doable inside 90 days. Each one is a step toward the patch posture the next 18 months requires.

  1. Stress test your patch SLA against a 5x to 10x inbound rate this week. Pull the last six months of inbound CVE volume against your stack. Multiply the critical and high counts by five. Then by ten. Walk the patch ops team through the queue at each multiplier and ask which gate breaks first. The answer is the specific automation gap. Document it. That document is the budget conversation for the next planning cycle, and the conversation is more credible when it lands with the Glasswing data attached.

  2. Move one critical patch path to a fully automated pipeline this month. Pick the lowest-risk critical patch class in your environment. Browser updates, OS security patches, or a single contained enterprise platform. Wire it to a canary deployment, an automated regression suite, and a rollback gate. Measure the new mean time to patch against the prior manual baseline. The result is the operational template you replicate across the next three patch classes. Most enterprise environments already have the CI/CD and observability stack required. The missing piece is usually the regression test coverage, not the deployment automation.

  3. Stand up Claude Security against one production repo this quarter. The Claude Enterprise contract is the only procurement requirement, and the public beta is open to existing Claude Enterprise customers without additional licensing. Pilot the scanner on one production repo. Compare the findings against your existing SAST output. Document the delta. That documentation is the case for rolling the scanner across the rest of the codebase before the OSS supply chain wave from Anthropic’s 1,000-project scan lands inside your dependency graph. The procurement clock on this also closes harder after October when Anthropic goes public and contract terms get less flexible.
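The stress test in move 1 is easy to run as a small model rather than a whiteboard exercise. The following Python is an added example, not code from the article or from any vendor it names. It takes a history of weekly inbound critical and high findings, scales it by 5x and 10x, walks the scaled rate through the gates of a patch pipeline in flow order to find the first gate that saturates, and then simulates twelve weeks of queueing to show where the backlog piles up and what share actually reaches production. The inbound history, gate names and per-gate weekly capacities are all constructed; substitute your own six-month CVE counts and measured throughput.

```python
"""Added example (not from the article): stress-test a patch pipeline against
a 5x and 10x inbound rate, as move 1 describes. Inbound counts, gate names
and capacities are constructed sample numbers."""
from __future__ import annotations

import math
from statistics import mean

# Gates in flow order. Constructed; rename to match your own change process.
PIPELINE = ("triage", "regression_test", "change_approval", "deploy")

# Constructed: 26 weeks of inbound critical+high findings against the stack.
WEEKLY_INBOUND = [12, 9, 15, 11, 14, 10, 13, 18, 9, 12, 11, 16, 14,
                  10, 12, 13, 17, 11, 9, 15, 12, 14, 10, 13, 11, 16]

# Constructed: items each gate can clear per week at current staffing.
GATE_CAPACITY = {"triage": 120, "regression_test": 60, "change_approval": 40, "deploy": 150}


def first_gate_to_break(inbound_per_week: int, capacity: dict[str, int]) -> str | None:
    """Walking the pipeline in flow order, the first gate whose weekly capacity
    is below the inbound rate is where a queue forms first. None means the
    rate fits through every gate."""
    for gate in PIPELINE:
        if inbound_per_week > capacity[gate]:
            return gate
    return None


def simulate_queue(inbound_per_week: int, capacity: dict[str, int], weeks: int) -> dict:
    """Push a constant weekly inbound through the gates. Each week every gate
    clears at most its capacity and hands the work to the next gate; whatever
    it cannot clear stays in its queue. Reports the backlog per gate and how
    much reached 'patched'."""
    queues = {gate: 0 for gate in PIPELINE}
    patched = 0
    for _ in range(weeks):
        queues[PIPELINE[0]] += inbound_per_week
        for i, gate in enumerate(PIPELINE):
            moved = min(queues[gate], capacity[gate])
            queues[gate] -= moved
            if i + 1 < len(PIPELINE):
                queues[PIPELINE[i + 1]] += moved
            else:
                patched += moved
    total_in = inbound_per_week * weeks
    return {
        "backlog_by_gate": queues,
        "backlog": sum(queues.values()),
        "patched": patched,
        "patch_rate": patched / total_in,
    }


def stress_test(history: list[int], capacity: dict[str, int],
                multipliers: tuple[int, ...] = (1, 5, 10), horizon_weeks: int = 12) -> dict:
    """For each multiplier, the scaled inbound rate, the gate that breaks first,
    and the queue state after horizon_weeks of running at that rate."""
    baseline = mean(history)
    report = {}
    for m in multipliers:
        inbound = math.ceil(baseline * m)
        report[m] = {
            "inbound_per_week": inbound,
            "first_gate_to_break": first_gate_to_break(inbound, capacity),
            **simulate_queue(inbound, capacity, horizon_weeks),
        }
    return report


if __name__ == "__main__":
    for m, r in stress_test(WEEKLY_INBOUND, GATE_CAPACITY).items():
        print(f"{m:>2}x: inbound {r['inbound_per_week']}/week, first gate to break: "
              f"{r['first_gate_to_break']}, backlog after 12 weeks: {r['backlog']}, "
              f"patched: {r['patched']} ({r['patch_rate']:.0%})")
```

Two things the constructed numbers show that a single "which gate is weakest" answer would hide. At 5x the regression suite is the first gate to saturate, but the backlog accumulates mostly behind change approval, because every gate downstream of the first bottleneck is fed at the bottleneck's rate. At 10x triage itself saturates and the backlog shape changes again. The gate that breaks first and the gate that holds the most unpatched work are not necessarily the same one, and the automation budget conversation needs both.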

The career version of this is also real and worth naming. The roles that are going to command the steepest premium through the back half of 2026 are patch ops automation engineers, SBOM specialists, and AI security analysts who can operate at the seam between the discovery side and the patching side. The labor market is not producing them at the rate the demand is going to hit. Build them internally or recruit them now.

Bottom Line

Anthropic just tripled the partner count on a program that already produced 23,000 findings against 1,000 of the world’s most depended-on open-source projects. The program brought in a regulator, committed $100 million in usage credits, and disclosed publicly that 75 of 530 critical bugs from the first wave have been patched. That is the cleanest enterprise security data point of 2026 and it lands in a different shape than the May 27 version.

The discovery side of AI security is now structurally faster than the patching side, by a factor most enterprise patch programs were not designed to absorb. The June 2 expansion locked that asymmetry in for at least the next 12 months. The orgs that restructure patch operations against the new rate inside this quarter will absorb the next disclosure wave. The orgs that wait for the regulator to define the requirement will spend 2027 catching up against a clock they did not set.

Run the patch SLA stress test this week. Automate one critical patch path this month. Pilot Claude Security against a production repo this quarter. Three moves. Doable inside one operating cycle. The disclosure wave is in flight, the regulator just got a seat at the table, and the patch backlog is the metric that defines which side of 2027 your security program sits on.

The defenders are winning the discovery race. Patching is the part that decides whether the win shows up in your environment.
