Project Glasswing: What Anthropic's AI Security Initiative Means for Your Security Program
Jeff Sowell · 2026-04-09 · Industry Trends
Anthropic's Claude Mythos has discovered thousands of zero-day vulnerabilities in every major OS and browser. A flood of new CVEs is coming. Here's what vCISOs, MSPs, and security leaders need to do now.
The landscape just shifted
On April 7, 2026, Anthropic announced Project Glasswing — a $100 million initiative to use AI to find and fix vulnerabilities in critical software. The centerpiece: Claude Mythos, an AI model that has already discovered thousands of zero-day vulnerabilities in "every major operating system and web browser," including bugs that survived decades of human review and millions of automated security tests.
The partners read like a who's-who of cybersecurity: CrowdStrike, Palo Alto Networks, Microsoft, AWS, Apple, Google, Cisco, NVIDIA, JPMorgan Chase, and the Linux Foundation.
This isn't theoretical. These vulnerabilities are real, they're being responsibly disclosed, and patches will follow. For every security leader, vCISO, and MSP managing client environments, this changes the game.
What's actually happening
The AI model: Claude Mythos Preview is a frontier AI with coding capabilities that surpass humans at finding and exploiting software vulnerabilities. Anthropic is deliberately NOT making it generally available — only ~40 organizations with responsibility for critical infrastructure get access.
The output: Thousands of zero-day vulnerabilities across every major platform. These will flow through responsible disclosure to vendors, who will issue patches. Those patches flow through your vulnerability scanners (Tenable, Qualys, Rapid7), your endpoint platforms (CrowdStrike, SentinelOne), and your cloud security tools (AWS Security Hub, Azure Defender).
The timeline: Expect a significant uptick in CVE publications and emergency patches over the coming months as Glasswing findings are disclosed and remediated.
What this means for your security program
1. Patching urgency is about to spike
When Glasswing findings start flowing as CVEs, the volume of critical patches will increase substantially. Organizations with poor patch management will be exposed.
What to do now:
- Verify your vulnerability management program has automated scanning on at least a weekly cadence
- Ensure your patching SLAs are defined and enforced: critical within 72 hours, high within 14 days
- If you're using Tenable, CrowdStrike, or other tools that have deep Radius360 integrations, these findings will automatically surface as risks with mitigation tasks
- Brief your clients: "A wave of new vulnerability disclosures is coming. Our scanning and patching process will handle it, and here's how we'll report on it."
2. Risk registers need an AI-discovered vulnerability category
This is a new class of risk. AI-discovered vulnerabilities are different from traditional CVEs in important ways:
- They were missed by decades of human review — these are deep, structural bugs
- They may be harder to patch — some may require architectural changes, not just code fixes
- The disclosure cadence will be faster — AI finds them in hours, not months
- Adversaries will develop similar capabilities — if Anthropic can find them, so can nation-state actors
Your risk re