[DigitalToday reporter Jinju Hong (홍진주)] Cloudflare said it tested Anthropic’s security-focused AI model Mithos Preview on its code repositories and saw major improvements in vulnerability detection and attack code generation. It also warned that as AI spreads, the time from finding vulnerabilities to exploiting them is rapidly shrinking, signalling a changing security environment.

On May 19 local time, Japanese outlet ITmedia reported that Cloudflare recently tested Mithos Preview on more than 50 internal code repositories. The test was carried out as part of the AI-based cyber defence effort Project Glasswing.

Project Glasswing includes Anthropic, Amazon Web Services (AWS), Google, Microsoft (MS) and CrowdStrike. Its goal is to protect and strengthen key software infrastructure using AI.

Mithos Preview is a security-focused AI model developed by Anthropic. It can go beyond simple code analysis to find software vulnerabilities and generate proof-of-concept (PoC) code that demonstrates an attackable form.

Cloudflare assessed that Mithos Preview showed performance a step beyond existing general-purpose AI models in the test. It said the model was strong at generating exploit chains that link multiple minor vulnerabilities into an actual attack path, and at writing and running its own attack-verification code.

The company said false positives, repeatedly flagged as a problem in existing AI vulnerability scans, fell sharply because the AI presented proof-of-concept code alongside its findings. It added that this significantly reduced the burden on people to select and verify vulnerabilities.

But limitations also emerged. Cloudflare said the model’s guardrails intermittently kicked in and refused work even during legitimate security research. That means constraints can arise even for defensive use, given the nature of security research that must verify real attack feasibility.

It also said that even a powerful AI model did not deliver enough effect if a general-purpose coding agent was applied to a codebase as-is. To address limits in context handling and performance issues, it said a dedicated execution pipeline was needed to break work into smaller tasks and run multiple specialised AI agents in parallel.

Cloudflare also warned of changes in the security environment in the AI era. In the past, it said, it often took months from vulnerability discovery to a real attack, but AI is now shortening that time from months to minutes.

It stressed that security organisations must go beyond simply speeding up patching and instead redesign application architecture and the defence layers themselves so attackers cannot reach vulnerabilities.

In the industry, some assessments say this case shows the double-edged nature of AI-driven cyber security competition. That is because AI is boosting accuracy in vulnerability detection and defence efficiency, while also accelerating attack automation and the pace of exploitation. Ultimately, an analysis says companies’ core task depends less on the AI security tools themselves and more on what operating system and defence structure they use them within.