{"id":7733,"date":"2026-04-07T23:06:07","date_gmt":"2026-04-07T23:06:07","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7733"},"modified":"2026-04-07T23:06:07","modified_gmt":"2026-04-07T23:06:07","slug":"what-anthropic-glasswing-reveals-about-the-future-of-vulnerability-discovery","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7733","title":{"rendered":"What Anthropic Glasswing reveals about the future of vulnerability discovery"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>AI giant Anthropic has unveiled <a href=\"https:\/\/www.anthropic.com\/glasswing\">Project Glasswing<\/a>, a cybersecurity initiative built around Claude Mythos Preview, a model it describes as \u201ccybersecurity in the age of AI\u201d that can autonomously identify software vulnerabilities at scale.<\/p>\n<p>Rather than release the model publicly, Anthropic is restricting access to a closed consortium of more than 40 companies that includes Amazon, Microsoft, Apple, Alphabet-owned Google, and the Linux Foundation, along with a small group of security vendors such as CrowdStrike, Palo Alto Networks, and Cisco.<\/p>\n<p>\u201cMythos makes the first domino clearer: Once frontier AI can do large-scale bug hunting, the logic of paying humans for routine discovery starts to break down,\u201d says Jeff Williams, founder of OWASP and CTO of Contrast Security.<\/p>\n<p>According to Anthropic, the goal is to apply these capabilities in a controlled, defensive setting, enabling participating organizations to test and improve the security of widely used software and infrastructure.<\/p>\n<h2 class=\"wp-block-heading\">The economics of bug hunting shift<\/h2>\n<p>In early testing, Anthropic claims the model identified thousands of high-severity vulnerabilities across operating systems, browsers, and other widely used software. Some had persisted despite extensive prior review \u2014 including a 27-year-old flaw in OpenBSD, long considered one of the most security-hardened operating systems and widely used in critical infrastructure.<\/p>\n<p>As with many early AI capability claims, the results are largely self-reported and only partially externally verifiable, but they point to a clear direction: Vulnerability discovery is <a href=\"https:\/\/www.csoonline.com\/article\/3632268\/gen-ai-is-transforming-the-cyber-threat-landscape-by-democratizing-vulnerability-hunting.html\">becoming more automated<\/a> and scalable.<\/p>\n<p>That shift raises questions about how security work is organized and valued.<\/p>\n<p>For OWASP\u2019s Williams, the disruption begins with economics. If AI systems can perform large-scale vulnerability discovery, the rationale for relying on human-driven bug hunting \u2014 particularly for routine discovery \u2014 erodes.<\/p>\n<p>But the implications extend beyond <a href=\"https:\/\/www.csoonline.com\/article\/4082265\/ai-powered-bug-hunting-shakes-up-bounty-industry-for-better-or-worse.html\">bug bounty programs<\/a>. \u201cThis does not just threaten bug bounties,\u201d he says. \u201cIt threatens the whole idea that security can remain a find-and-fix afterthought. The era of the security backlog is coming to a welcome end.\u201d<\/p>\n<h2 class=\"wp-block-heading\">From backlog management to exposure-window risk<\/h2>\n<p>The issue, as Williams frames it, is not simply how many vulnerabilities exist, but how they are managed. \u201cMythos makes one thing painfully clear,\u201d he says. \u201cThis is not a prioritization problem. It\u2019s an exposure-window problem.\u201d<\/p>\n<p>Traditional vulnerability management has been <a href=\"https:\/\/www.csoonline.com\/article\/4119130\/vulnerability-prioritization-beyond-the-cvss-number.html\">built around prioritization<\/a> \u2014 ranking issues by severity, exploitability, and business impact, then working through remediation over time.<\/p>\n<p>Williams argues that the limiting factor is no longer how well organizations prioritize, but how long vulnerabilities remain exposed.<\/p>\n<h2 class=\"wp-block-heading\">Adapting to AI-powered cyber defense<\/h2>\n<p>Anthony Grieco, SVP and chief security and trust officer at Cisco, places the development in a broader operational context. In a <a href=\"https:\/\/blogs.cisco.com\/news\/rising-to-the-era-of-ai-powered-cyber-defense\">blog post<\/a>, Grieco argues that organizations must \u201crise to the era of AI-powered cyber defense,\u201d reflecting a shift in both the threat landscape and the capabilities required to respond.<\/p>\n<p>Cisco is among the organizations participating in Project Glasswing, joining what Anthropic describes as a collaborative effort to apply advanced AI capabilities to defensive security use cases. Grieco emphasizes that <a href=\"https:\/\/www.csoonline.com\/article\/4042494\/how-ai-is-reshaping-cybersecurity-operations.html\">security programs will need to evolve<\/a> alongside rapidly advancing AI capabilities.<\/p>\n<p>\u201cAI capabilities will continue to advance, the threat surface will evolve, and the organizations that protect the internet will need to operate at the speed of machines and the scale of networks,\u201d Grieco says. \u201cMuch of what we are now experiencing would have been unimaginable just a few years ago. There is no finish line, only a commitment to do everything possible to stay ahead of adversaries.\u201d<\/p>\n<p>For security leaders, that combination \u2014 more scalable discovery and the need to operate at greater speed \u2014 challenges longstanding assumptions about how risk is handled. Backlogs, long treated as an unavoidable operational reality, become harder to justify if vulnerabilities can be identified more quickly and comprehensively.<\/p>\n<h2 class=\"wp-block-heading\">A shift upstream \u2014 and open questions about control<\/h2>\n<p>\u201cThe future belongs to software factories that can reliably produce secure code and the assurance case to prove it,\u201d Williams says, pointing to a model in which security is built into development processes rather than addressed primarily after deployment.<\/p>\n<p>Grieco\u2019s emphasis on adapting to AI-powered threats aligns with that direction, underscoring the need for organizations to evolve both their tools and their assumptions about how quickly security-relevant conditions can change.<\/p>\n<p>At the same time, questions remain about how broadly these capabilities will spread. Anthropic has chosen to limit access to Mythos Preview, reflecting the dual-use nature of systems that can identify software vulnerabilities at scale but could also accelerate their exploitation.<\/p>\n<p>\u201cIt\u2019s highly questionable that Anthropic will be able to limit the malicious uses of this model,\u201d Williams says.<\/p>\n<p>Anthropic has committed $100 million in model usage credits to Project Glasswing, with participants expected to contribute additional usage during the research preview. Claude Mythos Preview will be available through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry.<\/p>\n<p>The company has also pledged funding to open-source security efforts, including donations to Alpha-Omega, OpenSSF, and the Apache Software Foundation to support maintainers responding to these changes. Maintainers interested in access can apply through the <a href=\"https:\/\/claude.com\/contact-sales\/claude-for-oss\">Claude for Open Source<\/a> program.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>AI giant Anthropic has unveiled Project Glasswing, a cybersecurity initiative built around Claude Mythos Preview, a model it describes as \u201ccybersecurity in the age of AI\u201d that can autonomously identify software vulnerabilities at scale. Rather than release the model publicly, Anthropic is restricting access to a closed consortium of more than 40 companies that includes [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7734,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7733","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7733"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7733"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7733\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7734"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}