Published April 29, 2026
Anthropic’s Project Glasswing signals a structural shift in vulnerability discovery. AI models are finding and enabling the exploitation of software flaws faster than human teams can respond. Anthropic’s Project Glasswing signals an acceleration, as it is specifically designed for this purpose; it provides increased data processing context without constraints on vulnerability discovery. While participation in this project is currently limited, there is a growing risk that similar capabilities, whether through expanded access or replication using other AI platforms, could quickly become a critical factor in the cybersecurity landscape. As AI-driven Vulnerability Discovery evolves, organizations should anticipate an acceleration in how vulnerabilities are discovered and exploited, reinforcing the need for more adaptive, resilient security and risk management strategies.
What is Project Glasswing
On April 7, 2026, Anthropic announced Project Glasswing, a closed preview program for a new AI model called Mythos. Mythos is capable of autonomously discovering and exploiting software vulnerabilities at a scale and velocity that previously required large, well-funded human research teams.
In early testing, Mythos has identified thousands of high-severity vulnerabilities across every major operating system and web browser, including zero-day flaws and long-standing issues that had gone undetected for more than a decade. Access is currently limited to approximately 50 organizations, including major cloud providers, security vendors, and software maintainers such as AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, and Palo Alto Networks.
Anthropic has stated it is restricting access because the capability is too easily repurposed by adversaries. The security community has broadly accepted that this restriction is temporary. Equivalent AI-driven discovery capabilities will reach adversary tool chains within the next 12 to 24 months, whether through model leaks, independent development, or commercial availability.
How Project Glasswing Puts Additional Pressure on Security Operations and Risk Management
Vulnerability management has operated on a cadence: vendors disclose, customers patch; the window between disclosure and exploitation is measured in days or weeks. Vulnerability exploitation can occur during these windows if an adversary has the means and focus, and if a compensating control is not in place to contain the risk.
When AI can discover and immediately provide a proof of concept for a vulnerability, or family of vulnerabilities based on the underlying code weakness discovered, there is an immediate weaponization potential in minutes. This risk acceleration is of great concern when current security operations cannot keep pace with today’s critical security patch guidelines.
What to Focus on for Resiliency against AI-Driven Vulnerability Discovery
Accelerated Patch Orchestration
Critical patch response windows and extended emergency change capacity so patching of risk-based systems can be automated or patched within hours.
Strengthen Segmentation and Monitoring for Containment
When patching is not immediately possible, containment is what prevents a single vulnerability from becoming a major incident. Audit segmentation at DMZ boundaries, reviewing egress controls, and monitoring traffic and system access control changes.
Legacy System Inventory and Aligning Compensating Controls
AI-driven vulnerability discovery excels at finding vulnerabilities in older code bases that have not been updated or no longer supported. It’s much easier now to reverse-engineer one known vulnerability and then discover others based on similar weaknesses or code functions. Perform a legacy system exposure review for identifying end-of-life operating systems, unsupported firmware, and abandoned software libraries. Prioritize remediation recommendations, risk acceptance options, and compensating controls where retirement is not immediately feasible.
Open-Source and Software Build of Materials
We predict that open-source code, due to its availability, multiple packages, and code management, will be a prime attack target for exploitable vulnerabilities. Code maintenance and patches may be delayed, exposing organizations. Going through an open-source inventory within your organization and having software build of materials from your vendors will provide insight needed to adjust security controls for resiliency
Credential Rotation and Emergency Break-Glass Procedure
Many adversarial tactics used require code exploits and privilege escalation. Considering the speed at which vulnerability exposure may occur, having the immediate ability to rotate credentials for users and systems will allow an organization to be ready to thwart the advancement of an adversary if they gain access. In addition, create dedicated emergency accounts (not reused admin) that will work even if SSO is down, to act when admin account are compromised.
Clearwater provides Vulnerability Management and Managed Security services for organizations that want to proactively prepare for AI-driven vulnerability discovery and exploitation and are resource-constrained. In addition, we have security engineering and consulting that can help advance the resiliency recommendations above. Contact Us if you would like to discuss how your organization can prepare for the ramifications of AI-driven vulnerability discovery.
