PWC News
Thursday, April 9, 2026

Project Glasswing Shows That AI Will Break The Vulnerability Management Playbook

Anthropic, together with 11 other companies, recently announced Project Glasswing, an initiative that aims to secure software in the wake of advances in AI capabilities, most notably Anthropic’s Claude Mythos Preview frontier model.

Project Glasswing is made up of a who’s who of tech companies, cybersecurity vendors, and others: Amazon Web Services (AWS), Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The project’s stated goal is “to secure the world’s most important software.”

This effort was started after Anthropic published its claims that the Claude Mythos Preview model can find previously unknown zero-day vulnerabilities in software in record time, exceeding the efforts of existing scanners and other technologies. Recognizing the potential for good — and evil — uses of this capability, Anthropic assembled a coalition to use these capabilities to find and fix problems before adversaries can exploit them.

If true (and we have little reason to doubt the veracity of the claims), this will break the vulnerability management playbook — and perhaps the cybersecurity approaches of today. It will force organizations to drastically rethink their approaches to vulnerability management and patching, moving from today’s often-glacial pace to something much, much faster.

With the current CVE ecosystem already running on fumes, Glasswing sets the stage for a potential new vulnerability discovery and cataloguing system closed and controlled by approved partners and software maintainers. It will disrupt the way signature-based network and application vulnerability scanners fundamentally operate, giving way to AI-based tools.

From Breakthroughs To Breakdowns

The technical breakthroughs promised by Claude Mythos Preview give security pros the opportunity to discover vulnerabilities — and attackers the ability to exploit them — at unprecedented speed and scale. The real work begins once these vulnerabilities are known. Then, organizations need to quickly test and patch systems at a speed today’s processes won’t support. Organizations will face challenges:

  • The vulnerability discovery and remediation pipeline you know is no more. Zero-day discovery at this scale pushes us out of today’s CVE disclosure process and creates a need to reindustrialize. Patch Tuesday will no longer be marked on the calendar. A 30-day waiting period for patching won’t be acceptable in an environment where attackers can go from discovery to exploit in minutes.
  • Tech debt will continue to haunt us. Like the COBOL crisis brought on us by Year 2000 projects, vulns found in aging OSes and systems will require the knowledge of folks who built these systems decades ago. Claude Code (and other models) are good at writing greenfield software, but may not be as effective at patching historic code without breaking things.
  • Discovery accelerates, but inventory lags behind reality. Many organizations still do not have an accurate, continuously updated inventory of what they run, where it runs, and how it’s built. AI-driven disclosure cycles will outrun your ability to determine exposure. Static asset inventories fail when discovery and patching happen continuously.
  • Autonomous remediation is required but is still emerging. Anthropic didn’t specify the remediation flow in its announcement. It also didn’t highlight how Claude Mythos Preview can help write patches, and instead referred to patch development advances in Opus 4.6. Whatever model is used, the LLM needs context about the code, the flaw, and guidance on fixing — all context that exists in silos and still requires human insight. AI code fix agents that are able to handle any input, beyond what scanners output, are still emerging. Enterprises should continue experimenting with AI coding agents and prepare to expand that capability in production.
  • The economics still don’t favor CISO budgets. CISOs will need to choose to either: 1) run these models themselves and pay the same or more in tokens (provided they’re given access); 2) use a pentest provider that can run the same models and pass on the costs of the tokens to customers (provided they’re given access); or 3) pick a non-AI-led pentest that fails to find bugs AIs are not capable of finding (in cases where access to these models is prohibited or too expensive). None of these are ideal scenarios.
  • Adversaries will (obviously) use this capability to their advantage. Technical leaps forward are double-edged. They introduce plenty of opportunities for defenders but can be a boon to adversaries. As patches are released, attackers will be able to reverse-engineer them to create exploits at scale. Organizations that are slow to patch and remediate will be vulnerable to attackers using automated capabilities to exploit them. Adversaries may develop or acquire their own models that rival Claude Mythos Preview’s capabilities, giving them powerful tools for finding and exploiting known and unknown vulnerabilities.

What Security Teams Should Do Now

If organizations don’t take advantage of this new model and the automation between discovery and patching, they will fall behind in vulnerability patching efforts. Attackers will exploit that gap, and security teams need to be ready. Forrester recommends that security pros:

  • Use this announcement as a forcing function. Cybersecurity often requires a compelling event to demonstrate that risk is real. The speed at which these capabilities are moving doesn’t give security pros the luxury of waiting. Act now and educate your stakeholders about why changing your vulnerability identification and remediation process is an imperative — now. Don’t wait. Don’t pass go. Do it now.
  • Automate regression testing. Make the case to automate regression tests for your most important applications, even the legacy ones, whose going offline would have a significant impact on the business. In the case where the code is no longer available, determine what controls would be needed to prevent an attack.
  • Base proactive and application security on decisions, not findings. AI should assist prioritization, clustering, and impact analysis as much as discovery. Your proactive security approach should be remediation centric, not one that lists CVE after CVE. Modern proactive security programs incorporate attack path modeling, reachability of exploits (including efficacy testing of existing and temporary compensating controls), and the exploit’s impact. Use these insights to conduct choke point analyses — where a patch or control must be implemented and the steps that must be taken across each stakeholder as your playbook.
  • Make SBOMs table stakes, not compliance artifacts. As vulnerabilities are found in open-source software and OSes, SBOMs become essential to understand what vulnerable software may exist in your environment and inventory where open-source and third-party vulnerable software exist. Without usable SBOMs, fixes arrive faster than organizations can map impact.
  • Use the home field advantage. Security engineers must decide what to fix first based on reachability, exploitability, blast radius, and business impact — not merely the presence of a vulnerability. This is the security team’s advantage versus weaponized exploits. You’re on your home field. While Mythos, and future AI-led exploit discovery models, can objectively detect zero days and write exploits, they do so without knowledge of your control environment and what’s most important to your organization.
  • Implement compensating controls as a short-term Band-Aid. Security teams must introduce controls like virtual patching in WAFs, automated detection and response, and asset containment for assets that exceed risk thresholds as temporary measures while they wait for remediations to be completed. Apply Zero Trust principles to segment applications on the network or, in the worst case, take the application offline.
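
The SBOM and home-field-advantage recommendations above, sketched as an added example that is not part of the original article: match one newly disclosed flaw against per-application SBOMs, then rank the affected applications using context only the defender has. The package name `examplelib`, the application names, the minimal CycloneDX-like `components` list, and the scoring weights are all constructed assumptions.

```python
# Added illustration: constructed SBOM data, hypothetical package/app names,
# and scoring weights that are an assumption rather than any standard.

def parse_version(v):
    # Dotted numeric versions only; compares 2.10.0 > 2.4.1 correctly,
    # which a plain string comparison would get wrong.
    return tuple(int(p) for p in v.split("."))

def affected_components(sbom, advisory):
    """Components matching the advisory's package with a version below the fix."""
    fixed = parse_version(advisory["fixed_in"])
    return [c for c in sbom["components"]
            if c["name"] == advisory["package"]
            and parse_version(c["version"]) < fixed]

def priority(ctx):
    """Score from reachability, exposure, impact and controls (assumed weights)."""
    if not ctx["reachable"]:
        return 0                      # vulnerable code shipped but never called
    score = 1 + ctx["business_impact"]            # impact: 1 (low) to 3 (critical)
    score += 3 if ctx["internet_facing"] else 0
    score -= 2 if ctx["compensating_control"] else 0   # e.g. WAF virtual patch
    return max(score, 1)

def triage(apps, advisory):
    """Return (app, score, affected versions) tuples, most urgent first."""
    hits = []
    for name, entry in apps.items():
        comps = affected_components(entry["sbom"], advisory)
        if comps:
            hits.append((name, priority(entry["context"]),
                         [c["version"] for c in comps]))
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def make_app(version, reachable, internet_facing, business_impact, control):
    # Builds one constructed inventory entry: a minimal SBOM plus local context.
    return {"sbom": {"components": [{"name": "examplelib", "version": version}]},
            "context": {"reachable": reachable, "internet_facing": internet_facing,
                        "business_impact": business_impact,
                        "compensating_control": control}}

ADVISORY = {"package": "examplelib", "fixed_in": "2.4.1"}   # constructed
APPS = {                                                     # constructed
    "payments-api":    make_app("2.3.9",  True,  True,  3, False),
    "partner-gateway": make_app("2.4.0",  True,  True,  2, True),
    "intranet-wiki":   make_app("2.4.0",  True,  False, 1, False),
    "batch-reports":   make_app("1.9.0",  False, False, 2, False),
    "storefront":      make_app("2.10.0", True,  True,  3, False),
}
```

Calling `triage(APPS, ADVISORY)` drops `storefront` (already past the fixed version) and puts the internet-facing, unprotected `payments-api` ahead of the gateway that sits behind a compensating control.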

The cybersecurity vendors will respond predictably. Every vendor will claim AI powered zero-day discovery capabilities. Much of it will be faster automation relabeled as innovation.

Practitioners should ignore the acronyms and ask harder questions like:

  • Does this help us understand exposure faster than attackers can weaponize fixes?
  • Does it help us decide what to patch first?
  • Does it reduce uncertainty, or just increase backlogs?

The limiting factor in security is no longer the ability and knowledge to find problems. It’s the ability to absorb, prioritize, and act on them before adversaries do.

AI is making this painfully clear. More insight doesn’t automatically mean better security.

Connect With Us

Forrester clients with questions related to this can connect with us through an inquiry or guidance session.


