What is Project Glasswing?
Project Glasswing is a new cybersecurity initiative from Anthropic to use advanced AI systems for defensive software security. Anthropic claims that their unreleased “Claude Mythos Preview” model can discover and exploit software vulnerabilities at a level beyond most human experts. If the claim is true, it will represent a major shift and transition from using AI as an assistant for developers and transitioning to using AI as an autonomous vulnerability researcher, thus changing the playing field in offensive and defensive security.
Glasswing brings together major technology companies, AI developers, cloud providers, chip companies, security vendors, financial institutions and infrastructure companies including Anthropic, Amazon Web Services, Apple, Cisco, Google, CrowdStrike, Microsoft, NVIDIA, Broadcom, Palo Alto Networks, Linux Foundation and JPMorganChase to begin using AI systems to secure infrastructure before attackers can exploit them. Anthropic claims that their unreleased “Claude Mythos Preview” model can discover and exploit software vulnerabilities at a level beyond most human experts.
The project takes its name from the glasswing butterfly, known for its transparent wings that enable it to remain concealed in plain sight, much like hidden cybersecurity vulnerabilities within infrastructures and systems. Simultaneously, these wings help it avoid danger, symbolizing the transparency and clarity that the project aims to promote in its approach.
Is Project Glasswing a Step in the Right Direction as far as Being Proactive with Cybersecurity Threats?
Assuming that Anthropic’s claims are authentic, the answer would be a resounding YES. However, the execution of the initiative will have to be handled in a responsible manner. All of the different organizations involved would have to be on the same page when it comes to adopting and embracing the new way of proactively defending against cybersecurity threats. Here are some reasons why the approach could work:
· Finally, a defense-first AI capability designed to empower defenders. It may provide powerful automation that continuously scans codebases, generates patches faster, improves response times, and automatically prioritizes the most dangerous vulnerabilities.
· If the Claude Mythos model can discover vulnerabilities faster than humans, it will ultimately change the imbalance of the attacker needing only one successful exploit, against the defender needing to secure all. It will also be the beginning of “continuous red teaming” to find and fix vulnerabilities for defensive purposes.
· The Claude Mythos model could help uncover “hidden” exploits from attack chains by connecting individual, minor weaknesses together.
· The software industry may finally shift from reactive patching of code into a security resilience architecture.
· It recognizes that cross-industry and open-source infrastructure are critical to defending against security vulnerabilities which could make them much safer against attackers and exploiters.
· Anthropic has recognized the defensive problem early and is showing caution in its model release compared to other typical AI model releases in the industry.
· Anthropic is already telling the cyber community that these AI capabilities exist.
Are there Concerns with the Project Glasswing Approach?
The project is well-intentioned but there are still some concerns that should be addressed for this initiative:
· At present not all companies or businesses that need or want to use the Claude Mythos model can get access to it. The concentration of power lies with the largest technology companies.
· Anthropic makes the extraordinary claims of “thousands of high-severity vulnerabilities across every major operating system and browser” which could be hype risk or exaggerated, may not withstand all human researchers and could be exaggerated benchmarks, selective demonstrations for market driven narratives.
· Research generated by using AI for defensive cybersecurity could unintentionally accelerate offensive cyber capabilities by lowering the expertise required to identify and exploit vulnerabilities. There are also rumors that the model’s code may have been leaked and obtained by Chinese actors. Although the model was designed for defensive vulnerability discovery, adversaries could potentially adapt similar capabilities for offensive purposes. This could enable cheaper, faster, and more scalable cyberattacks, potentially reducing the advantage provided by defensive AI systems.
· Initially there needs to be some Independent Verification and Validation of the high-severity vulnerabilities by a human.
· Organizations may begin to over trust the AI generated findings when the dependence on AI algorithms and models is a reality.
· Where is the governance framework going to come from to handle the AI cyber capabilities? Who audits these AI systems? How are vulnerabilities prioritized? What happens if the model discovers critical infrastructure vulnerabilities? Who applies the safeguards?
What is the TAC’s Role with Project Glasswing?
Since Anthropic has only released the “Claude Mythos Preview” to a small number of businesses and companies, the TAC will have to wait until the public release to engage the AI model. In the meantime, the TAC can provide the following guidance:
· Don’t panic or chase the hype. AI assisted vulnerability discovery is becoming real and will scale. Treat it as inevitable and begin planning for it now.
· Stop reacting to patching code to design security resilience from the start of development. Prioritize memory-safe and secure-by-design architectures.
· Traditional patch cycles are too slow. Use automated patch testing and continuous vulnerability management tools.
· Begin preparing for AI-assisted attacks that are much faster. Educate the security defenders to respond to these attacks in faster more automated methods.
· Avoid becoming overly dependent on AI vendors; while their security tools can be highly effective, they are not foolproof.
· Stress to leadership that cybersecurity is becoming a strategic infrastructure and not just an IT issue. Encourage, without alarming them that AI is likely to increase both defensive and offensive cyber capability. Articulate that organizations that modernize security practices early will be better positioned than those that delay.
· Begin implementing pilot programs using AI models that can assist with code reviews, vulnerability triage, red-team simulation, and AI supported SOC tooling.
Reflections on This Topic
Project Glasswing represents a significant leap forward in the realm of cybersecurity, leveraging AI to proactively secure systems against vulnerabilities. While the potential benefits are enormous, it is crucial to address the associated concerns with transparency and caution. As the technology continues to evolve, collaboration across industries, governments, and individual stakeholders will be essential to utilize its full potential while lessening risks.
If you are part of a local, state, or federal government agency looking to shape policies surrounding AI and cybersecurity, we encourage you to reach out. Likewise, if you’re from an industry seeking to understand or enhance your market capabilities in this area, contact us. For individuals passionate about personal or organizational security, your engagement is equally important. By participating in TAC events and reading our blog posts, you can contribute to a collective effort to bolster vigilance and collaboration, ensuring a safer digital future for everyone



