Alon Cinamon.
Opinion

Project Glasswing by Anthropic didn't just find the bugs. It also found the real vulnerability in cybersecurity.

By the end of last week, Anthropic published an update on Project Glasswing that most people missed. I think it's one of the most consequential signals in cybersecurity in years - and the headline numbers are only half the story. 

In one month, Claude Mythos found over 10,000 critical vulnerabilities across the world's most important software. Mozilla found 271 vulnerabilities in Firefox - ten times more than with the previous model. Cloudflare - 2,000 flaws, 400 of them critical, with a lower false positive rate than human testers. Palo Alto released five times its usual volume of security patches. wolfSSL, a cryptography library running on billions of devices, contained a flaw that would have let attackers forge certificates for any bank or email provider - completely invisible to an end user. AI caught it before the attackers did.
But that's not the story.
The story is that out of 6,200 critical vulnerabilities found in open-source software alone, only 75 have been patched. Some open-source maintainers even asked Anthropic to slow down its disclosures. Anthropic's own words from this week's update: "even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem".
The assumption that broke - and the system built around it
For thirty years, cybersecurity was built on one foundational assumption: finding vulnerabilities is the hard part. Slow, expensive, requiring rare expertise. So every system downstream was calibrated for that pace - the 90-day disclosure windows, the coordinated vulnerability programs, the patch release cycles, the manual triage processes, the open-source maintainer model running on volunteer capacity with no security budget and no SLA.
Those systems are broken by design - built around a constraint that no longer exists. When you remove the bottleneck of finding vulnerabilities without redesigning what comes after it, you get a flood hitting a wall, not a faster pipeline.
As Anthropic noted this week: there is currently a long lag between discovery, patch creation, and deployment at scale. Mythos-class models shrink the time and cost required to find and exploit vulnerabilities - which means that lag is now a dramatically more dangerous place to be sitting. We are in what Anthropic calls an "interim period" - vulnerabilities being rapidly discovered and slowly patched - that presents risks the industry has never faced at this scale.
Glasswing exposed a paradigm problem.
Two futures - and we don't know which one we're in
Anyone giving you a confident single prediction right now isn't paying attention. There are two genuinely plausible outcomes, and which one materializes depends on decisions being made in the next 18 months.
The optimistic scenario: AI becomes the great equalizer for defenders. For the first time in the industry's history, the people protecting software can move faster than the people attacking it. Patch cycles compress, the open-source ecosystem finally gets the infrastructure it always needed, and we come out with substantially more hardened software than we've ever had. The interim period is painful but short.
The harder, more realistic scenario: Models as capable as Mythos will soon be built by many other AI companies - some without the same safeguards, some in jurisdictions with very different incentives. If the patch pipeline doesn't catch up before capable models proliferate widely, we don't get a safer internet. We get an internet where the attack surface is continuously and automatically probed by adversaries operating at AI speed - while defenders are still working through a backlog from months prior.
What it means for the giants
When Glasswing launched in April, CrowdStrike and Palo Alto dropped 8-10%. Then they recovered. The market decided this was an opportunity, not a threat. I think the market is right that the category survives - but wrong if it thinks the recovery means business as usual.
The incumbents built their value around detection. Finding more threats than the other guy. That is exactly the part of the stack getting commoditized fastest. Any frontier model can now scan for vulnerabilities at scale, and the cost curve on that capability only goes in one direction.
The CISO of 2028 doesn't need another dashboard showing more vulnerabilities. They need a system that closes them. Companies that rebuild their core value around remediation - automated patch generation, validation, deployment at scale - will define the next decade. Those that treat this as a feature update rather than a strategic pivot will become very expensive alert systems. And in a world of AI-speed discovery, an alert system is not a defensible business.
Where the next companies get built
Detection, sharper signals, better threat intelligence - that era is ending. The value is migrating along the pipeline. Triage at scale - who separates 10,000 findings into what actually needs to be fixed today. Patch generation and validation - who writes and tests the fix, not just flags the problem. Deployment acceleration - who gets that patch to millions of endpoints before the window closes.
And the open-source commons: seventy percent of the world's software runs on code maintained by volunteers with no security budget and no capacity to absorb AI-scale discovery. That is a structural gap no company has seriously addressed - because until now, finding the problems was the hard part.
The finding is solved while the fixing becomes the market.
Bottom line
Anthropic didn't run a bug-finding exercise. They stress-tested the entire operating model of cybersecurity and found the real weakness - not in the software, but in the paradigm built to fix it.
The future of this industry gets decided in the next 18-24 months. Not by the models, which will keep improving regardless. But by whether the infrastructure, the enterprise stack, and the startup ecosystem evolve fast enough to absorb what those models produce.
Resets are uncomfortable. They're also when the most important companies get built.
Alon Cinamon is a Principal at Viola Ventures.