Anthropic has just published the first Project Glasswing data, and if you work in cybersecurity or compliance, here’s what it means concretely for your organization.
What Glasswing Accomplished in One Month
In collaboration with about fifty partners, Anthropic used its Claude Mythos Preview model to analyze the world’s most critical software. The tally after 30 days:
- More than 10,000 high or critical severity vulnerabilities identified
- Cloudflare: 2,000 bugs detected, with a false positive rate lower than human testers
- Mozilla: 271 vulnerabilities found in Firefox 150, or 10 times more than with the previous model version
- More than 1,000 open source projects analyzed, with an estimated 6,202 high/critical vulnerabilities
This isn’t a marginal improvement. It’s an order-of-magnitude change.
The Real Problem: It’s No Longer Detection
Here’s the most important sentence in the report, and the one we don’t read enough:
“Progress on software security used to be limited by how quickly we could find new vulnerabilities. Now it’s limited by how quickly we can verify, disclose, and patch them.”
Direct translation: finding flaws has become trivial. Fixing them is where it gets stuck.
Several open source project maintainers asked Anthropic to slow down disclosures because they don’t have the human capacity to handle the volume. On average, a critical bug takes two weeks to fix after discovery.
The Lesson Our Practices Haven’t Integrated Yet
For decades, the industry operated on a 90-day disclosure model: discover a flaw, wait, notify, deploy a patch. That cycle was tolerable when finding flaws took weeks.
That’s no longer the case.
Mythos Preview can find and exploit vulnerabilities at a speed humans can’t match. Comparable models will soon be available everywhere, including to attackers.
Waiting 30, 45, or 90 days before deploying a patch is now a high-risk decision.
Palo Alto Networks released an update with 5 times more patches than usual. Microsoft announced that patch volumes “will continue to increase for a good while.” This isn’t a calendar accident — it’s forced adaptation to a new reality.
What This Requires of Us, Concretely
Anthropic says it explicitly in its report:
- Developers: shorten patch cycles, make updates as easy as possible for users, be more insistent with those still running known vulnerable versions.
- Network defenders: shorten patch testing and deployment timelines. Basic controls (MFA, logging, configuration hardening) are no longer optional.
But beyond these technical recommendations, a deeper cultural shift is required:
Vulnerability management must move from a periodic process to a continuous process.
Monthly update cycles, quarterly maintenance windows, approvals that take two weeks — these practices were designed for a world where attackers needed time to find and exploit flaws. That world no longer exists.
The Exposure Window Is No Longer Acceptable
AI radically accelerates the ability to find vulnerabilities. It’s beginning to accelerate the ability to fix them. But between the two, there’s still an exposure window that can last weeks, even months.
That’s exactly where tomorrow’s major security incidents will play out.
The question is no longer “did we update this quarter?” It’s: “what is our capacity to deploy a critical patch in less than 24 hours?”
If you don’t have the answer, now is a good time to find it.
Source: Project Glasswing: An initial update — Anthropic, May 22, 2026
#Cybersecurity #VulnerabilityManagement #AI #PatchManagement #CISO