Anthropic just launched Project Glasswing – a major initiative to hunt vulnerabilities in critical open-source software using its most capable AI model. The implications for defenders and attackers alike are significant, and most organisations are not ready for either.
On 7 April 2026, Anthropic launched Project Glasswing – a coordinated effort to give key technology providers early access to Claude Mythos Preview with one goal: find and fix long-hidden vulnerabilities in critical open-source software before attackers do.
It is the clearest signal yet that frontier AI has crossed a threshold. It is no longer just a productivity tool bolted onto existing security workflows.
It is becoming an active participant in the vulnerability lifecycle, capable of reasoning across vast codebases, identifying subtle logic flaws, and chaining issues into exploitable paths that would take a human researcher weeks to uncover.
That is worth taking seriously. Not because of the marketing, but because credible institutions are paying attention.
The AI Security Institute and the UK National Cyber Security Centre have both documented measurable progress in AI agents completing multi-step cyber attack scenarios. The NCSC has called on defenders to prepare for a world in which frontier AI amplifies attacker capabilities at pace.
Glasswing is a concrete attempt to tilt that balance back toward defence. The early findings suggest it is working.
The two-sided ledger of AI-assisted security
For most of computing history, finding and exploiting software vulnerabilities required rare expertise.
The people who could do it reliably numbered in the thousands globally. That constraint mattered – it was a practical limit on how fast attackers could operate and how broadly they could target.
Over the past year, that constraint has eroded sharply.
AI models have become increasingly effective at reading and reasoning about code, showing a particular ability to spot vulnerabilities and work out how to exploit them. The cost, effort, and level of expertise required have all dropped dramatically.
Here is the uncomfortable truth: the same capabilities that make a frontier model useful for vulnerability discovery make it useful for exploitation.
Claude Mythos Preview, Anthropic’s unreleased frontier model behind Glasswing, has reached a level of coding capability where it can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.
That is not a marketing claim – it is the assessment Anthropic has published alongside the initiative. The AISI’s evaluation of Claude Mythos Preview’s cyber capabilities tracks the same capability curve and reaches similar conclusions.
And it is not only expert hands that can wield it.
Anthropic’s own Red Team blog reports that engineers with no formal security training asked Mythos Preview to find remote code execution vulnerabilities overnight, and woke up the following morning to a complete, working exploit.
An AI that can read a codebase, reason about execution paths, and identify edge cases in authentication logic can do that work for a defender running a bug bounty programme or for an attacker building an exploit chain. The model does not care which side of the firewall it is on. And given the rate of AI progress, these capabilities will not remain confined to actors committed to deploying them safely.
The question for security teams is not whether to engage with this shift. It is how fast.
What Glasswing tells us about where this is heading
Anthropic’s approach with Glasswing is instructive beyond the specific initiative. A few things stand out.
The focus on open-source infrastructure is deliberate
Open-source software underpins almost every critical system in operation today – cloud platforms, financial infrastructure, healthcare systems, industrial controls.
Vulnerabilities in widely used libraries do not stay contained. When one surfaces, the blast radius is enormous and the window between disclosure and exploitation has compressed to hours in many cases.
The Axios npm supply chain attack in March 2026 – where two malicious versions of one of JavaScript’s most-used libraries were quietly published – is a recent example of exactly how fast that window closes.
The results are concrete
Mythos Preview has already found thousands of zero-day vulnerabilities – flaws previously unknown even to the software’s own developers – including some in every major operating system and web browser.
Some of the specific findings illustrate just how significant the capability leap is:
- A 27-year-old vulnerability in OpenBSD – one of the most security-hardened operating systems in the world, widely used to run firewalls and critical infrastructure – that allowed an attacker to remotely crash any machine running the OS simply by connecting to it.
- A 16-year-old vulnerability in FFmpeg, the video encoding library used by an enormous range of software, in a line of code that automated testing tools had hit five million times without catching the problem.
- A chain of vulnerabilities in the Linux kernel – the software running most of the world’s servers – that the model found and linked autonomously to escalate from ordinary user access to full control of the machine.
- A web browser exploit that chained together four separate vulnerabilities, writing a complex attack that escaped both the browser’s renderer sandbox and the operating system sandbox beneath it.
The gap between Mythos Preview and the previous generation of models is also stark.
When tested against known vulnerabilities in Mozilla’s Firefox JavaScript engine, the previous best model – Claude Opus 4.6 – turned those vulnerabilities into working exploits twice out of several hundred attempts. Mythos Preview did it 181 times.
These are not theoretical weaknesses. They are exploitable flaws that survived decades of human review and millions of automated tests. The model found them.
The initiative is coordinated by design
Early access, structured disclosure, defined scope – Glasswing is built to funnel findings into responsible remediation rather than onto a paste site.
That framing is worth taking at face value, because the alternative – waiting for these capabilities to proliferate without a coordinated defensive response – is considerably worse.
For organisations watching from the outside, the implication is direct: if a frontier model can find vulnerabilities in your dependencies that survived decades of human review and millions of automated tests, you cannot rely on existing scanning and review processes to give you confidence that your attack surface is clean.
The attacker’s advantage – and how to close it
Defenders have always operated at a structural disadvantage.
An attacker needs to find one way in. A defender needs to close every path. AI widens that gap if defenders do not move.
The realistic near-term threat is not yet a fully autonomous AI attacker operating without human direction. But it is human attackers using AI to operate faster, at a greater scale, and with less specialised knowledge than was previously required.
A moderately skilled attacker with access to a capable model can accelerate reconnaissance, generate targeted phishing content, identify patch-gap windows, and synthesise public vulnerability research into working attack chains.
Attacks that previously required specialist knowledge are now within reach of far more people.
We explored a version of this problem in our analysis of security gaps in vibe-coded applications.
AI-generated code introduces vulnerabilities not because the model is careless but because it optimises for functional correctness, not security depth. An attacker using the same models to probe those applications has a natural advantage over a developer who did not think adversarially when prompting.
The answer is not to avoid AI in development.
It is to apply deliberate security discipline at every stage – including to the AI-generated output itself. That means combining automated scanning with human-led testing rather than assuming one replaces the other.
What organisations should do before the surge hits
Glasswing is likely to accelerate vulnerability disclosures across the open-source ecosystem. Organisations that are unprepared for a sudden increase in security advisories affecting their dependencies will struggle to respond at pace.
Martin Walsham, Director of Cybersecurity at AMR Cybersecurity – Part of Infinum, has been tracking this shift closely: “Frontier AI models are progressing at pace, and the same technologies that defenders can use to increase overall security posture can equally be used by attackers to amplify their capabilities. This heightens the need for organisations to implement strong security baselines, defence in depth, and robust secure code, and to patch at pace to make them less susceptible to attacks.”
Ahead of an anticipated surge in vulnerability reporting, organisations should be assessing and investing in advanced tooling and enhanced services to continually protect, detect, and respond to cyber threats – because the pace at which attackers operate will only increase.
The precautionary steps below are not dramatic departures from good security hygiene. They are the foundations that make rapid response possible when it is needed.
Review and test your incident response plan now.
Not the version that was written two years ago and has not been touched since. Run a tabletop exercise against a realistic scenario – a critical CVE in a dependency you cannot patch immediately, combined with active exploitation attempts.
Prepare for increased advisory volume.
If AI-assisted vulnerability research delivers on its promise, the rate of disclosures in widely used open-source libraries will increase. Security and engineering teams need the capacity to triage and prioritise that volume without dropping everything else. Build that capacity before the surge, not during it.
Get your asset management list accurate.
You cannot patch what you do not know you are running. This is the most consistent gap we see in organisations that have otherwise mature security programmes. A dependency buried four levels deep in your supply chain is still your problem when a CVE drops against it. Our step-by-step software supply chain security framework covers how to map and manage that exposure systematically.
Monitor updates and advisories actively.
Subscribe to feeds for the libraries and platforms you depend on. Automated dependency scanning tools have improved significantly – if you are not running one, start.
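The two steps above (knowing exactly what you run, then matching it against advisories) can be combined in a few lines. The code below is an added example, not code from this article or from any tool it mentions: it walks the `packages` map of an npm `package-lock.json` (lockfile version 2 or 3 is assumed), resolves each dependency the way Node does, and reports every installed copy of an affected package with the shortest chain that pulls it in. The package names, versions and the advisory are constructed for illustration.

```javascript
// Constructed sample in npm lockfile v3 shape; all names and versions are invented.
const lock = { packages: {
  "": { dependencies: { "app-framework": "^2.0.0" } },
  "node_modules/app-framework": { version: "2.1.0", dependencies: { "report-kit": "^1.0.0" } },
  "node_modules/report-kit": { version: "1.4.2",
    dependencies: { "fetch-wrap": "^3.0.0", "example-http-lib": "^0.8.0" } },
  "node_modules/report-kit/node_modules/example-http-lib": { version: "0.8.0" },
  "node_modules/fetch-wrap": { version: "3.0.1", dependencies: { "example-http-lib": "^1.0.0" } },
  "node_modules/example-http-lib": { version: "1.9.9" },
} };
// Constructed advisory: exact affected versions of one package.
const advisory = { name: "example-http-lib", versions: ["1.9.9"] };

// Node resolution: look in the dependent's own node_modules, then each ancestor's.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed, e.g. a skipped optional dependency
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}
// Breadth-first walk from the root project, so each hit carries its shortest chain.
function findAffected(lockfile, adv) {
  const packages = lockfile.packages;
  const chainTo = new Map([["", []]]); // install path -> chain of package names
  const queue = [""];
  const hits = [];
  while (queue.length) {
    const from = queue.shift();
    const entry = packages[from];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies,
      ...(from === "" ? entry.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, from, name);
      if (target === null || chainTo.has(target)) continue;
      const chain = [...chainTo.get(from), name];
      chainTo.set(target, chain);
      queue.push(target);
      const version = packages[target].version;
      if (name === adv.name && adv.versions.includes(version))
        hits.push({ path: target, version, depth: chain.length, chain });
    }
  }
  return hits;
}
console.log(findAffected(lock, advisory));
```

To run it against a real project, pass the parsed `package-lock.json` in place of `lock`; lockfile version 1 files have no `packages` map and need a different walk.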
Review third-party agreements with critical suppliers.
If a vulnerability surfaces in a service you depend on and your contract does not specify patching SLAs, you have no lever to apply. Review those agreements and open conversations with suppliers about their response posture before you need to have that conversation under pressure.
Test your external perimeter.
If your last penetration test was more than twelve months ago, you do not have an accurate picture of your exposure. This is especially true for organisations that have made infrastructure changes, onboarded new services, or shipped significant product updates since the last test.
Have a plan for enhanced monitoring at short notice.
Not all threats give you advance warning. Know what elevated monitoring looks like for your environment and how quickly you can activate it.
Security baselines matter more, not less
There is a temptation to frame AI-powered threats as something categorically new that requires a categorically new response.
In some respects, that is true – the speed and scale at which AI-assisted attacks can operate do change the calculus. But the vulnerabilities being exploited are mostly the same ones that have always existed: missing input validation, broken access control, insecure defaults, and unpatched dependencies.
Our cybersecurity trends outlook for 2026 covers how AI-driven attacks, stricter compliance requirements, and supply chain exposure are converging into a single pressure point for security teams.
The NIS2 and DORA frameworks that came into force across the EU reflect this same reality. The technical requirements they mandate – multi-factor authentication, incident reporting, supply chain risk management, regular penetration testing – are not responses to AI-powered threats specifically. They are the baseline hygiene that makes an organisation resilient regardless of what the attacker is using.
If your organisation is not meeting that baseline, the sophistication of the threat is almost beside the point.
Strong foundations beat reactive firefighting
Project Glasswing is a meaningful development in the responsible use of frontier AI for defence.
The AISI and NCSC assessments confirm what security practitioners have been observing in practice: capability is advancing faster than most organisations have adjusted for.
The right response is not to wait and see how the landscape settles. It is to invest in the defences that reduce exposure across the board – sound architecture, secure development practices, regular testing, and the operational readiness to respond when something goes wrong.
Infinum’s penetration testing and cybersecurity services are built around exactly that kind of proactive posture. If you want to understand your current exposure before the next wave of disclosures hits, talk to our security team.