Last week, Anthropic announced Project Glasswing, an AI model so effective at discovering software vulnerabilities that they took the extraordinary step of postponing its public release. Instead, the company has given access to Apple, Microsoft, Google, Amazon, and a coalition of others to find and patch bugs before adversaries can.

Mythos Preview, the model that led to Project Glasswing, found vulnerabilities across every major operating system and browser. Some of these bugs had survived decades of human audits, aggressive fuzzing, and open-source scrutiny. One had been sitting for 27 years in OpenBSD, generally considered to be one of the world’s most secure operating systems.

It’s tempting to file this under “AI lab says their AI is too dangerous,” the same playbook OpenAI ran with GPT-2. 

Not so fast; there’s a material difference this time. 

Mythos didn’t just find individual CVEs. 

  • It chained four independent bugs into an exploit sequence that bypassed both the browser renderer and the OS sandboxing
  • It performed local privilege escalation in Linux through race conditions
  • It built a 20-gadget ROP chain targeting FreeBSD’s NFS server, distributed across packets.

Claude Opus 4.6, Anthropic’s previous frontier model, failed at autonomous exploit development almost entirely.Mythos hit a 72.4% success rate in the Firefox JS shell.

This isn’t theoretical, nor some new three-to-five-year prediction. This is about to be a real-world engineering reality.

Why Project Glasswing Exposes the Real Cybersecurity Gap

Here’s the number that should keep security leaders awake at night: fewer than 1% of the vulnerabilities found by Mythos were patched.

Let that sink in for a moment. 

The most powerful vulnerability discovery engine ever built ran against the world’s most critical software, and the ecosystem couldn’t absorb the output. 

Glasswing solved the finding problem. 

Nobody solved the problem of fixing.

Why Defenders Can’t Keep Up: Calendar Speed vs. Machine Speed

This is the structural issue the cybersecurity industry has been circling for years. AI just made it impossible to ignore. 

Defenders operate on calendar speed. They: 

  • Gather intelligence 
  • Build a campaign
  • Simulate the threats 
  • Mitigate 
  • Repeat

That cycle takes about four days on a good day. Attackers, especially those now leveraging LLMs at every stage of their operation, are moving at machine speed. 

For an up-to-the-minute take, David B. Cross, CISO at Atlassian, will be speaking at the Autonomous Validation Summit on May 12 about what this looks like from the inside, why periodic testing can’t keep pace with adversaries that operate autonomously, and what defenders should be doing instead.

AI-Powered Attacks Are Already Autonomous

Earlier this year, a threat actor deployed a custom MCP server hosting an LLM as part of their attack chain against FortiGate appliances. 

The AI handled everything: 

  • Automated backdoor creation
  • Internal infrastructure mapping fed…

Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: April 23, 2026