Statement · April 9, 2026 · 9 min read

A Statement on Project Glasswing

Key Takeaways

  • An AI model found a 27-year-old vulnerability in minutes that humans and automated tools missed for decades. It found thousands more. Fewer than 1% have been patched.
  • This capability will not stay restricted. Within 12 to 18 months, AI-driven vulnerability discovery will be broadly accessible, including to threat actors.
  • The security model built around preventing known threats is fundamentally inadequate for a world where AI generates unknown threats on demand.
  • Alaris calls for a dedicated defense coalition focused on autonomous detection and response to match the offensive capabilities Glasswing revealed.

On April 7, Claude Mythos Preview, a frontier AI model from Anthropic that has not been released to the public, found a vulnerability in OpenBSD that had been sitting there for 27 years. In minutes. Not a research team working for months. Not a fuzzer running for years. A model, pointed at the code, that found what everyone else missed.

Then it found a 16-year-old flaw in FFmpeg, in a line of code that automated testing tools had executed 5 million times without catching. Then chained Linux kernel exploits that give an attacker complete control of a system. Then thousands more zero-days across every major operating system and every major browser.

This was Project Glasswing. Anthropic gave twelve of the largest technology companies on earth, including AWS, Apple, CrowdStrike, Google, Microsoft, and Palo Alto Networks, access to Claude Mythos Preview. Its job was to find vulnerabilities in the software the world runs on.

It did, and the implications for every organization that depends on software are severe.

This Is Not a Drill

Let me be direct about what just happened. A single AI model, running for a few weeks, found thousands of critical vulnerabilities in the most heavily audited software on the planet: OpenBSD, the Linux kernel, FFmpeg, every major browser. These are projects with dedicated security teams, decades of code review, and millions of dollars in fuzzing infrastructure, and all of it was insufficient.

Mythos scored 83.1% on the CyberGym vulnerability reproduction benchmark, compared to 66.6% for Claude Opus 4.6. Anthropic says the model surpasses "all but the most elite human researchers" at finding and exploiting software vulnerabilities, and based on the results, that is not marketing language but an accurate description of what this model can do.

If the most scrutinized code in the world has this many undiscovered vulnerabilities, the total vulnerability surface across all software, every enterprise application, every SaaS tool, every open-source dependency buried in every stack, is orders of magnitude larger than anyone in this industry estimated. We have been operating on fundamentally wrong assumptions about how secure our infrastructure actually is.

And here is the number that should keep every security leader awake tonight: fewer than 1% of what Mythos found has been patched. Discovery just went to AI speed while remediation remains at human speed, and that is not a gap but a chasm that every organization on earth is standing on the edge of.

What Happens When Threat Actors Get This

Mythos Preview is restricted today to twelve partners with a verification program and responsible governance, and Anthropic structured this carefully. But we need to stop pretending that restricted access is a durable defense.

GPT-5.4 already has strong vulnerability-finding capabilities, and every major AI lab is scaling the same techniques: multi-step reasoning, deep code understanding, and environment interaction. Open-weight models are closing the gap, and the trajectory is not ambiguous. Offensive capabilities have always propagated faster than defensive ones; that has been true since the first exploit was shared on a forum, and AI accelerates that pattern dramatically. Within 12 to 18 months, the ability to point a model at any piece of software and find exploitable zero-days will be broadly accessible to researchers, companies, and threat actors alike.

Here is the part that I do not think enough people are processing. Until now, the ability to discover and exploit zero-day vulnerabilities at scale was reserved for a small number of sophisticated nation-state actors: intelligence agencies with massive budgets, dedicated exploit development teams, and years of institutional knowledge. That capability was rare, and because it was rare, it was used selectively, mostly for espionage.

AI just democratized it. When a frontier model can find exploitable zero-days in minutes, that capability is no longer limited to nation-states but extends to ransomware gangs, financially motivated criminals, extortion groups, and anyone who wants to cause destruction. These actors are not interested in quietly collecting intelligence. They are interested in locking systems, stealing data, extracting payments, and causing maximum damage, and the threat model just changed in a way most people have not fully absorbed.

Consider what happened with MOVEit: the CL0P ransomware group exploited one known vulnerability in a file transfer tool and compromised over 2,500 organizations across more than 30 countries, and that was one known vulnerability with a CVE. Now imagine a threat actor who does not need to wait for someone else to find the vulnerability but instead points a model at the software running in your environment and generates a zero-day in minutes, with no CVE, no signature, no patch, and no warning.

That is the world we are entering. Glasswing did not create it, but it revealed it, and the window to prepare is measured in months, not years.

The Security Industry Is Not Ready

The speed gap between offense and defense was already unsustainable before Glasswing. CrowdStrike's 2024 Global Threat Report measured the average breakout time at 62 minutes, down from 84 minutes the year before, with the fastest recorded at 2 minutes and 7 seconds. Palo Alto Networks Unit 42 found that attackers exfiltrated data within a single day in 45% of their incident response cases. That was the old world, the world where attackers exploited known vulnerabilities.

In the new world, attackers generate their own vulnerabilities, the volume of exploitable entry points multiplies, and the starting point for every attack gets faster. The entire defensive model most organizations rely on, the one built around patching known vulnerabilities, applying known signatures, and blocking known threats, becomes structurally inadequate because you cannot patch a vulnerability that does not exist in any database, you cannot write a signature for an exploit nobody has seen, and you cannot block what you do not know about.

This is not an incremental change that existing tools can absorb with a few AI features bolted on but a fundamental shift in how attacks work that demands an equally fundamental shift in how defense works. CISOs who are still building their strategy around prevention are building on a foundation that is cracking, and security vendors still selling incremental improvements to legacy architectures are selling solutions to yesterday's problem. The industry needs to confront this honestly and move fast.

The Five Pillars and Why One of Them Really Matters Now

I have been saying this for two years, at RSA, at CactusCon, in private roundtables with CISOs, and in conversations with security leaders at Fortune 500 companies and mid-market firms alike: the prevention-first model is running out of road, and the organizations that do not shift their weight to detection and response will be the ones that get breached. Most people heard it as a forward-looking argument. Glasswing turned it into a documented fact.

Cybersecurity fundamentally breaks down into five pillars: Visibility, knowing what you have; Protection, hardening it; Detection and Response, catching and stopping threats; Business Continuity and Disaster Recovery, surviving the worst case; and Governance, Risk, and Compliance, meeting your obligations.

The industry has spent decades and billions of dollars on pillar two, Protection, and that made sense when threats were known and attackers moved at human speed. It does not make sense in a world where AI generates unknown threats on demand and attacks execute in minutes.

It comes down to how quickly you can detect and how effectively you can respond. When the vulnerability does not exist in any database until the moment the threat actor's model finds it, protection is not the answer; detection and response is, and it is the only answer.

Protection doesn't work when the vulnerability doesn't exist yet. It comes down to how quickly can we detect and how effectively can we respond.

David Colombo, Founder & CEO, Alaris Security

The entire weight of cybersecurity defense shifts to pillar three, not as a strategic preference but as a matter of survival.

A Call for a Defense Coalition

Project Glasswing is valuable and necessary work, and using frontier AI to find and fix vulnerabilities in critical software infrastructure is exactly the kind of coordinated effort the industry needs. Anthropic and the twelve Glasswing partners deserve recognition for this.

But Glasswing addresses one side of the equation: vulnerability discovery and remediation, finding the holes and patching them before someone walks through. That matters, but it is not enough, because the patch rate is under 1% and the threat actors are not waiting.

The other side of the equation, the side that has no coalition, no coordinated effort, and no equivalent of Glasswing, is what happens when the attack is already happening, when the zero-day is being exploited right now, when the threat actor is already inside and the only question is whether your defense can detect it and shut it down before the damage is done.

The industry needs a defense coalition with the same scale, urgency, and rigor as Glasswing, focused specifically on autonomous detection and response. Not a marketing alliance or a logo wall, but a real, coordinated effort to ensure that the defensive side of cybersecurity evolves at the same speed as the offensive side. Glasswing is the coalition for finding vulnerabilities; we need an equivalent coalition for defending against their exploitation, and the window to build it is closing.

Why Alaris Exists

This is exactly the problem we built Alaris to solve, not after Glasswing but before it. Two years ago, when I started talking about the five pillars and the shift to detection and response, the question I kept getting was "but when?" When will AI-driven offense actually be real, and when will prevention stop being enough? Glasswing just answered that question, and the answer is now.

We saw this coming because the trajectory was clear to anyone paying attention: AI would transform offense before it transformed defense, and the organizations left running human-speed workflows would be the ones that got breached. That conviction is why Alaris exists.

Alaris is the first Autonomous Security Operations platform, one system that covers all seven stages of the security operations lifecycle: detection engineering, alert triage, investigation, threat hunting, containment and response, remediation, and reporting, all operating autonomously, at machine speed, on a unified architecture.

When a threat actor exploits a zero-day that did not exist in any database three minutes ago, Alaris does not wait for a human to connect five tools but instead detects the anomalous behavior, investigates the scope, correlates across the full environment, contains the threat, and produces an audit trail, all in minutes, autonomously. That is what detection and response looks like when it actually matches the speed of the attack.

We did not build this because it was an interesting technical challenge but because the alternative, asking humans to manually defend against AI-speed attacks by swiveling between browser tabs, is no longer viable, and Glasswing made that undeniable. Alaris is ready to lead the defense coalition effort because we have the platform, the architecture, and the conviction that this is the most important problem in cybersecurity right now, but this is bigger than any one company, and we are calling on security leaders, technology companies, research institutions, and government agencies to join us.

About Alaris Security

Alaris Security is building the first Autonomous Security Operations platform: one system covering all seven stages of security operations with full autonomy. The Alaris Enterprise Platform unifies security data through a proprietary security graph and automates detection, triage, investigation, threat hunting, containment, remediation, and reporting using advanced AI agents. Headquartered in San Francisco with offices in Berlin and Dubai, Alaris serves enterprise and defense organizations worldwide.


Media Contact

press@alaris.security