Project Glasswing and the Claude Mythos Preview have caused an upheaval related to vulnerability discovery and exploit development. On Nexus, former NSA Director Adm. Michael S. Rogers introduces some nuance to the discussion. The nuance that isn’t being articulated enough, he says, is that Project Glasswing is largely a defensive effort that does more to level the playing field between threat actors and defenders than we may realize.
Cyber Resilience
Federal
Operational Resilience
Vulnerability Management

Exploring Some Nuance on Project Glasswing

ADM. Michael S. Rogers, USN (Ret.) / May 18, 2026

Let’s inject some nuance into the upheaval over Project Glasswing.

There’s no denying that autonomous vulnerability discovery and exploit development at this scale is a true inflection point for cybersecurity. Throughout Anthropic’s report on Project Glasswing and the private Claude Mythos preview, there is evidence that this advancement in artificial intelligence has uncovered an unprecedented volume of vulnerabilities—some decades old in ubiquitous software libraries and applications. 

However, much of the focus has been on the offensive side of this equation. Tens of thousands of words have been written about attackers leveraging these autonomous capabilities to introduce a vulnerability apocalypse of sorts. The nuance that isn’t being articulated enough, however, is that Project Glasswing is largely a defensive effort that does more to level the playing field between threat actors and defenders than we may realize.

Project Glasswing Offers Defenders Equal Footing

To sophisticated nation-state threat actors, automation is not new. Plug-and-play exploit frameworks have been the norm for more than a decade. And machine learning-assisted vulnerability discovery—not at a Glasswing scale, mind you—has been part of the attacker toolkit for some time. The AI behind Glasswing is a huge advantage for enterprise security; CISOs and their teams will have access to these autonomous capabilities before attackers, or at least at the same time.

The closed, private availability of Claude Mythos is limited to cybersecurity companies, technology and cloud companies, and some private institutions. The nuance we may be missing here is a shared goal of vulnerability discovery before adversaries operationalize the same techniques.

It’s important to remember that there are tens of thousands of new CVEs in a given year; more than 48,000 CVEs were added to the National Vulnerability Database in 2025, more than in any other year. Attackers operate on economic models much like legitimate businesses, and I promise you that none would value developing, even autonomously, exploits and attacks for 48,000 CVEs in a given year. 

CISOs must continue to focus on foundational security practices. Where cyber-physical systems are concerned, asset management and inventory is step one. Visibility into exposed assets is particularly important, and requires an overall exposure management approach to security. Enterprises are compromised when vulnerabilities combine with poor asset visibility, slow remediation processes, weak segmentation, inconsistent patch governance, or inadequate threat detection. Glasswing or any AI-influenced vulnerability discovery initiative does not eliminate the need to prioritize overall exposures.

My advice to CISOs: Don’t panic. And don’t be slack. Your vulnerability remediation and mitigation strategy should not change with the emergence of Project Glasswing. AI has not rendered your existing efforts obsolete.

What CISOs Need to Know—and Do—About Project Glasswing

Instead, absolutely prepare for an increase in CVEs in the coming 12 months. The participants in the Claude Mythos preview are some of the biggest technology providers in the world—Microsoft, Apple, Cisco, Amazon, Google, Nvidia, and many others in this realm. They will continue to identify and patch vulnerabilities across their software stacks, and advisories are going to flow in rapidly, forcing your teams to understand how these flaws impact your environments, in particular how these newly found vulnerabilities may be chained together in complex exploits. 

Concentrate on Remediation, Mitigation Programs

Understand which systems, if compromised, immediately impact your business, and prioritize those systems for remediation. For some companies, vulnerability backlogs routinely number in the tens or hundreds of thousands. Adding AI-accelerated discovery to immature vulnerability management programs could overwhelm operations teams unless CISOs rethink prioritization models now.

Start with Exposure Management

Understand which assets are exposed and bring context to the conversation that not every vulnerability carries equal operational risk. CISOs need programs capable of correlating vulnerabilities with exploitability, internet exposure, business criticality, identity privilege paths, and compensating controls. Organizations still relying on CVSS scores alone will fall behind quickly.

Accelerate Exposure Validation

Exposure validation will be accelerated in short order as well. Monthly or quarterly patching cycles may not line up with AI-accelerated discovery. That does not mean patch everything immediately; it means building more adaptive risk acceptance and remediation workflows tied to actual exposure.

Glasswing and Software Supply Chain

Finally, Glasswing’s biggest impact is likely to be on the software supply chain. Vulnerabilities in open source software libraries, many of which are sadly under-supported, were among the most significant discoveries in the Project Glasswing report. These libraries can be deeply embedded dependencies and legacy code paths that pose significant risks. CISOs should expect increased scrutiny from regulators, insurers, and boards regarding third-party software governance.

Project Glasswing and Claude Mythos represent an important transition point in cybersecurity. But they do not invalidate modern enterprise defense strategies. They accelerate the timeline, increase operational pressure, and reward organizations with mature asset visibility, prioritization, remediation, and detection capabilities. 

AI will ultimately greatly benefit defenders and critical infrastructure providers who can harness its speed and ability to scale to improve asset protection and overall resilience.

ADM. Michael S. Rogers, USN (Ret.)
U.S. Navy Admiral, 17th Director of National Security Agency

U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.
