Where the work moved: 10,000 vulnerabilities, 75 patches
Ricardo Argüello — May 24, 2026
CEO & Founder
General summary
Anthropic published the Project Glasswing numbers on May 22: Mythos Preview and ~50 partners found more than 10,000 critical vulnerabilities in essential software in one month. Of 530 reported to maintainers, only 75 have a patch applied. The bottleneck is no longer finding the work. It's the human capacity to decide, prioritize, and apply it.
- Anthropic plus ~50 partners found 10,000+ high or critical vulnerabilities in essential software in one month. Cloudflare reported 2,000 bugs at a false-positive rate better than its human testers. Mozilla patched 271 in Firefox 150 (ten times what Opus 4.6 found). wolfSSL got CVE-2026-5194 for forged certificate attacks.
- Of 530 high or critical vulnerabilities already reported to open-source maintainers, only 75 have a patch applied. Several maintainers asked Anthropic to slow the disclosure pace because they could not keep up.
- This is the third cycle of the same pattern I have seen as a programmer since 1990. Compilers commoditized assembly in the 90s. Frameworks commoditized boilerplate in the 2010s. AI now commoditizes implementation. Every cycle predicted fewer engineers. Every cycle did the opposite.
- Dan Shipper (Every) and Aaron Levie (Box) named the same dynamic the same week from different angles: when implementation gets commoditized, demand for the humans who decide what to prioritize explodes.
- AI Maestro from IQ Source delivers the artifact a model cannot produce for you: a Process Reality Map, an AI Opportunity Score, and an explicit Go/No-Go gate before any deployment scales.
Imagine you hire a consultant who finds 100 problems in your operation in a week. They deliver the report and leave. They do not tell you which to fix first, which one will break more things if you touch it, or who on your team has the authority to sign the fix. Your team drowns processing the report and a month later your operation is worse than before. That is what Anthropic just proved at industrial scale with Glasswing: finding the work became trivial. Deciding, prioritizing, and applying it is where the bottleneck now sits.
AI-generated summary
Anthropic published the Project Glasswing numbers on Thursday: Mythos Preview plus around fifty partners found more than 10,000 critical vulnerabilities in essential software in one month. Cloudflare reported 2,000 bugs of their own, at a false-positive rate better than their human testers. Mozilla found 271 in Firefox 150 — ten times what they found in Firefox 148 with Claude Opus 4.6. wolfSSL got a critical CVE (2026-5194) that allowed attackers to forge certificates impersonating banks and email providers.
Of those, 530 have been reported to open-source maintainers and only 75 have a patch applied. 14%.
The number that matters is not 10,000. It is 75 of 530. The bottleneck is no longer finding the work — it is the human capacity to process it. And that is exactly the bottleneck AI Maestro was designed to solve, because no agent, not even Mythos Preview, is going to break it for you.
Anthropic just published the proof
Glasswing launched last month as a collaborative cybersecurity effort. Anthropic gave ~50 partners access to Mythos Preview — their not-yet-public model. The pitch was simple: find vulnerabilities before attackers do.
In four weeks:
- 10,000+ high or critical-severity vulnerabilities found in essential software
- Cloudflare: 2,000 bugs across critical-path systems, 400 of them high or critical-severity
- Mozilla: 271 vulnerabilities patched in Firefox 150 — ten times what Opus 4.6 found in Firefox 148
- wolfSSL: CVE-2026-5194, certificate forgery against banks and email providers
- At one partner bank, Mythos detected and prevented a fraudulent $1.5M wire transfer after an email compromise
- Palo Alto Networks’ latest patch release: five times the usual count
- Microsoft said its patch volume “will continue trending larger for some time”
That is the finding side. Now the other side.
Of the 530 high or critical vulnerabilities already disclosed to maintainers, 75 are patched. Median patch time: two weeks. Several maintainers asked Anthropic to slow the disclosure pace because they could not keep up.
That line defines the moment. Slow down. The AI is not saturated. The humans who have to decide which patch to write, which CVE to assign, which version to roll to production — they are.
Anthropic wrote it explicitly: “the bottleneck in fixing bugs is the human capacity to triage, report, and design and deploy patches.” That sentence is buried in a middle paragraph of the update. It is the only number that matters.
Finding is not deciding
Dan Shipper published an essay in Every last week worth reading end to end. His company went from 4 to 30 humans since GPT-3 while automating everything that could be automated. The conclusion is not that AI replaced humans. It is that demand for expert humans exploded.
His framing — the frame versus the framer — describes exactly what Glasswing just proved with data. Models like Mythos commoditize yesterday’s competence: the work whose shape has already been captured in the training corpus. That now includes “find a buffer overflow in wolfSSL.” That skill is no longer scarce.
What stays scarce — and what every Glasswing disclosure confirms — is the capacity to frame the problem in the actual moment. Is this bug critical for our specific deployment? What dependencies will it break if we patch today? Can we ship the rollback path safely? Who signs this?
Aaron Levie named the same dynamic from the Jevons angle. “We’ve made it far easier to create and find security issues, which means the new bottleneck is our ability to actually review, respond to, and fix the issues.” A security engineer boom, not a contraction.
The 75 of 530 number is framer scarcity made visible. Mythos does not answer “what do I do with this?” — only “what’s happening here?” The first question is the expensive one, and the only one your organization is going to pay for.
I have watched this exact move twice before
I have been programming since 1990, when I was 15 and working on a Commodore 64. I have seen this pattern exactly two times before now.
Early 90s: compilers commoditized assembly. Suddenly you did not have to write registers by hand. Turbo C, Borland, the first Microsoft C releases. “This is going to eliminate systems programmers,” everyone said. It eliminated nothing. What happened is that demand for systems architects exploded. People who knew what to build with C — which architecture for which problem, which concurrency model, which memory layout — were scarce, and got scarcer because more teams could now attempt the work and needed someone to tell them whether they were doing it right.
The 2010s: frameworks commoditized boilerplate. Rails, Django, then React. “This is going to eliminate senior engineers,” everyone said again. It eliminated nothing. Demand for senior engineers — the ones who know which patterns to apply and when not to apply them — went up. A client told me almost verbatim in 2015: “any junior can spin up a CRUD now. What I can’t find is someone who tells me whether what we’re building is the right thing.”
Now: AI commoditizes implementation. Mythos finds vulnerabilities at machine speed. Claude Code writes code at machine speed. “This is going to eliminate engineers,” everyone says yet again. It will eliminate nothing. It is making framers scarce — the people who decide what to frame, what to prioritize, what to roll to production.
The latest evidence: the #1 trending repository on GitHub this week is a single CLAUDE.md file that codifies Andrej Karpathy’s observations on the mistakes LLMs make when coding. 146,000 stars in a week. 15,500 forks. It is an instruction file. Not code. The frame a human puts on the model. That is what the market is pricing right now.
Three cycles. Same move. Same wrong predictions every time. Every time the correct answer was the same: hire more framers, not fewer.
What to do in your org this week
This is not theory. It is operational. Three concrete moves for your team this week.
1. Inventory the triage capacity you already have. How many vulnerabilities, audit findings, and monitoring alerts land in the queue per week? How many close? If the delta is positive (more land than close), you already have a human bottleneck. Drop in an agent that multiplies the queue by ten without adding decision capacity, and the bottleneck chokes. Mythos-class finding speed is coming to your sector soon whether you like it or not.
2. Name a framer for your top three critical systems. Not a new role. Explicit assignment. Someone with the authority and context to say “this finding matters, this doesn’t, this gets patched Tuesday, that one we hold.” Without that person, the models will produce a river of output nobody uses.
3. Stop paying vendors for findings your team cannot process. Per-finding price is dropping fast — Anthropic already opened Claude Security in beta for Enterprise customers, and several open-source tools are coming in the next six months. If you deploy one, the cost math changes: the real cost is not the finding, it is the capacity to process it. The vendor optimizing for finding throughput is optimizing the wrong number for you.
This is exactly the problem AI Maestro was built to solve before any deployment. The two-month program delivers three artifacts: a Process Reality Map (the document a Mythos cannot write for you — it captures what decisions get made, who makes them, with what signals), an AI Opportunity Score (which tasks can be amplified, at what precision), and an explicit Go/No-Go gate. The gate exists because the right answer in many cases is not to scale yet.
For software companies that already have the technical capacity but lack the framer role on their teams, Technology Partner is the operational answer. You subcontract the framer, not the implementation. That is the pattern we saw repeat when runtime closed as a commodity a month ago, and the one Starbucks just paid for by deploying NomadGo without a framer in the middle.
The bottleneck moved. Where you leave it this week is where your organization will lose or win the next two years.
Frequently Asked Questions
Anthropic and roughly 50 partners found more than 10,000 high or critical-severity vulnerabilities in essential software in one month using Mythos Preview. Cloudflare reported 2,000 bugs with a false-positive rate better than human testers. Mozilla patched 271 in Firefox 150. wolfSSL received CVE-2026-5194 for certificate forgery attacks against bank and email infrastructure.
Of the 530 high or critical-severity vulnerabilities Anthropic has already reported to open-source maintainers in Project Glasswing, only 75 have a patch applied. Anthropic wrote it directly: the bottleneck in fixing bugs is the human capacity to triage, report, design, and deploy patches. Several maintainers asked Anthropic to slow the disclosure pace.
A framer is the person who decides what to frame as a problem for an AI agent to work on: which finding matters for this organization, what to prioritize, who signs the rollout. As implementation gets commoditized by models like Mythos Preview or Claude Code, the scarcity moves to the framer. Dan Shipper (Every) and Aaron Levie (Box) named the dynamic the same week as Glasswing.
AI Maestro is a two-month discovery program that delivers three artifacts before any deployment: a Process Reality Map that captures what decisions get made and who makes them, an AI Opportunity Score that measures which tasks can be amplified at the required precision level, and an explicit Go/No-Go gate. The gate exists because the right answer in many cases is not to scale yet.