Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them?

Anthropic's Project Glasswing demonstrates AI's terrifying efficiency in discovering software vulnerabilities, revealing a critical gap: while AI finds bugs at machine speed, human-led remediation still moves at calendar speed.
Last week, Anthropic announced Project Glasswing, an AI model so effective at discovering software vulnerabilities that they took the extraordinary step of postponing its public release. Instead, the company has given access to Apple, Microsoft, Google, Amazon, and a coalition of others to find and patch bugs before adversaries can.
Mythos Preview, the model that led to Project Glasswing, found vulnerabilities across every major operating system and browser. Some of these bugs had survived decades of human audits, aggressive fuzzing, and open-source scrutiny. One had been sitting for 27 years in OpenBSD, generally considered to be one of the world’s most secure operating systems.
It's tempting to file this under "AI lab says their AI is too dangerous," the same playbook OpenAI ran with GPT-2. Not so fast; there's a material difference this time.
Mythos didn't just find individual CVEs. It chained four independent bugs into an exploit sequence that bypassed both the browser renderer and the OS sandboxing; it performed local privilege escalation in Linux through race conditions; and it built a 20-gadget ROP chain targeting FreeBSD's NFS server. Claude Opus 4.6 failed at autonomous exploit development almost entirely, but Mythos hit a 72.4% success rate in the Firefox JS shell.
Why Project Glasswing Exposes the Real Cybersecurity Gap
Here's the number that should keep security leaders awake at night: fewer than 1% of the vulnerabilities found by Mythos were patched. Glasswing solved the finding problem, but nobody solved the problem of fixing.
Defenders operate on calendar speed, taking about four days to mitigate a threat in a good scenario. Attackers, leveraging LLMs, are moving at machine speed. Earlier this year, a threat actor deployed a custom MCP server hosting an LLM against FortiGate appliances. The AI handled everything from backdoor creation to domain admin access, compromising 2,516 organizations across 106 countries in parallel.
How to Build a Mythos-Ready Security Program
The right question isn't "how do we find more bugs?" but "can your program process thousands of exploitable vulnerabilities tomorrow morning?" A Mythos-ready program needs three pieces:
- Signal-Driven Validation Over Scheduled Testing: Defenses need to be tested against specific changes in the moment, not during a quarterly pentest.
- Environment-Specific Context Over Generic CVSS Scores: Context-free prioritization will break your process when findings jump from hundreds to thousands.
- Closed-Loop Remediation Without a Manual Handoff: The chain of manual handoffs is where the system disintegrates. The cycle from finding to fix must run at machine speed.
This isn't about buying more tools; it's about leveraging the asymmetric advantage of knowing your own topology and acting on it at machine speed.
Source: The Hacker News














