Project Glasswing Found Thousands of Zero-Days. Closing It Requires More Than a Faster Patch Cycle.
A few weeks ago, a Blue Mantis client asked a question that stayed with us: “If AI can now find a zero-day in hours, how long before attackers use the same capability, and what does that mean for how we run security?” It was a good question. It deserved a direct answer. This post is that answer, written jointly, because the problem sits at the intersection of two disciplines that rarely write together: security operations and AI architecture.
We arrive at this topic from different directions. One of us has spent years in the CISO chair, managing incident response, presenting breach scenarios to boards, and making risk decisions with incomplete information. The other has spent years designing AI systems and asking hard questions about what happens when those systems are exposed to adversarial inputs. The conclusion we’ve each reached, independently, is the same: the threat model has structurally changed, and most organizations’ response posture has not.
This is not alarmism. It is a description of a gap that is now quantifiable, sourced, and closing in the wrong direction.
Project Glasswing Proved It: The Cost of Finding Your Next Vulnerability Just Dropped to $2,000
On April 7, 2026, Anthropic published findings from internal testing of its new model, Claude Mythos Preview. The results were not incremental. According to Anthropic’s own assessment, Mythos Preview autonomously identified thousands of zero-day vulnerabilities (previously unknown flaws) across every major operating system and every major web browser, many of them critical, without human steering at any point in the process.
The time and cost benchmarks attached to those findings are the detail that should change how every security leader thinks about their current posture. Help Net Security reported that one complete exploit chain, from a CVE identifier and a git commit hash to a working privilege escalation, was completed in under a day at a cost under $2,000. Historically, that same work took skilled researchers days to weeks.
A 27-year-old vulnerability in OpenBSD, one of the most security-hardened operating systems in existence, was found across roughly 1,000 scaffold runs at a total cost under $20,000. A 16-year-old flaw in FFmpeg, introduced in a 2003 commit, had survived every fuzzer and human reviewer who had examined that code since. Both are now documented. The exploit paths are known. (The Register, April 2026)
And here is the number that should end any lingering debate about whether patch cycles are an adequate response strategy: Anthropic confirmed that fewer than 1% of the potential vulnerabilities Mythos has uncovered have been fully patched. The discovery engine has outrun the remediation process by a factor that makes quarterly patch cycles functionally irrelevant.
The question I hear from boards is still “are we patching fast enough?” The question they should be asking is “do we know what an AI model would find in our stack tonight, and could we respond before someone else found it first?”
Jay Martin, Chief Information Security Officer, Blue Mantis
The Organizations on the Glasswing List Have Intelligence You Do Not. That Gap Is the Risk.
Anthropic chose not to release Mythos Preview to the public. Instead, they launched Project Glasswing, a controlled initiative to direct these capabilities toward defense. The participant roster is instructive: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Approximately 40 additional organizations received access, subsidized by up to $100M in usage credits.
That list tells you something important about where we are. The organizations best positioned to defend against AI-assisted attacks are the ones that already have the deepest security investment, the largest teams, and direct access to frontier model capabilities. The gap between those organizations and everyone else (mid-market enterprises, regional businesses, public sector entities) is not a technology gap. It is an intelligence asymmetry. Defenders downstream of that list are operating without pre-release insight into how frontier models behave when directed adversarially.
Nation-state actors and organized criminal groups are not waiting for whitepapers. They are studying reasoning patterns, orchestration flows, and decision logic. CrowdStrike’s contribution to the Glasswing initiative was framed directly: “The window between a vulnerability being discovered and being exploited by an adversary has collapsed. What once took months now happens in minutes with AI.”
That asymmetry is not only a security posture problem. It is an organizational design problem. And that is where the conversation has to change.
Your Vulnerability Playbook Was Built for a Threat That No Longer Exists
From an AI architecture perspective, the structural failure in most organizations’ current security posture is not a resource problem. It is a model problem. The frameworks most security teams operate under were designed for a world where vulnerabilities are documented, exploits are reproducible, and the time between discovery and weaponization is measured in weeks.
That world no longer exists for the attack categories Mythos-class models enable. OWASP recognized this shift by publishing two separate top-10 lists: one for LLM vulnerabilities, and a second, released in December 2025, specifically for agentic applications, introducing 10 risk categories including Agent Goal Hijack and Rogue Agents. The agentic list exists because the attack surface now includes the model itself: prompt injection, model extraction, memory poisoning, and agentic workflows are first-class attack vectors that most organizations have no detection capability for.
The operational consequence was documented in real production environments. Lakera’s Q4 2025 analysis found that indirect prompt injection attacks, where malicious instructions arrive through documents, retrieved content, or tool outputs rather than direct user input, succeeded with fewer attempts than direct attacks. Existing filters, designed for direct injection, were structurally blind to the indirect vector.
Code exposure compounds this. When agent code is exposed, attackers receive a working blueprint for how the system reasons, what it trusts, and where it can be redirected. This is not analogous to leaking traditional software source code, which still requires significant reverse engineering to exploit at scale. AI systems expose patterns of reasoning, prioritization, and action. Far easier to study, simulate, and attack.
“Most organizations are treating AI security as a new chapter in the same playbook. It isn’t. The threat model has changed in kind, not just in degree. When the model’s behavior is the attack surface, patching a CVE is not an answer to the question being asked.”
– Trey Bayne, Senior Solution Architect, Blue Mantis
A Small Team Running Quarterly Cycles Cannot Hold This. Here Is What Can.
The organizational implication of everything above is direct: a small generalist security team running quarterly vulnerability cycles is structurally unable to defend against adversaries operating with AI-assisted discovery and exploitation capability. The gap is not addressable by buying more tools or adding headcount to an existing model. It requires a different construct.
Industry leaders are already acting on this. The Glasswing consortium is one example: enterprises pooling adversarial access and defensive research across organizational boundaries because the threat has outpaced what any single team can hold. The organizational response Blue Mantis recommends for mid-market and enterprise clients reflects the same logic: a dedicated AI security cell (or “Tiger team”), not a committee.
What that looks like in practice: cross-disciplinary experts spanning ML safety, red-team exploit development, SRE, and legal/compliance, and IT operating on continuous cycles, not quarterly ones, with direct escalation paths to executive leadership. The table below maps the strategic tradeoffs across three posture options.
The cost profile on the dedicated team option is real, and we are not going to minimize it. Higher fixed investment is a genuine constraint for mid-market organizations. But the hidden risk column in the status quo option is what requires honest conversation. The cost of operating downstream of an intelligence asymmetry does not appear in headcount budgets until it appears in incident response costs, regulatory exposure, and reputational damage.
“I’ve sat with clients who have strong patch hygiene, solid compliance posture, and real exposure they don’t know about. Their visibility ends where the model layer begins. That’s the gap we’re helping them close, and it’s a governance conversation before it’s a technology conversation.”
Jay Martin, Chief Information Security Officer, Blue Mantis
You Have 90 Days to Close the Gap Before It Closes Your Options
Readiness in this environment does not require solving everything at once. It requires making deliberate decisions about where your organization sits on the intelligence asymmetry spectrum, and closing the most consequential gaps first. Here is where to start:
1. Inventory your critical assets and map them to business impact. Not a compliance inventory. A risk-weighted map of your internet-facing systems, AI integrations, agent workflows, and code exposure. The question you are answering is: if a Mythos-class model were directed at our stack tonight, where is our highest risks and concerns?
2. Establish continuous discovery, not periodic scanning. Automated fuzzing, AI-assisted scanning, and significantly shortened patch SLAs for high-severity findings. Anthropic’s own data shows that fewer than 1% of discovered vulnerabilities are currently patched. The volume problem is real and quarterly cycles cannot absorb it.
3. Stand up an AI security cell. Start with 3–6 people or vetted partners focused specifically on red-teaming, model-risk assessment, and rapid remediation playbooks. This is not a renamed SOC team. It is a different discipline, requiring different expertise, with a different operating tempo.
4. Engage your peers and, where relevant, government. Information-sharing consortia exist precisely because the intelligence asymmetry problem is collective, not individual. Project Glasswing’s structure: coordinated access to frontier defensive capabilities under strict governance, is the model. Similar coalition structures are forming across industries. Organizations that engage early accumulate the pre-release insight that reactive defenders never get.
5. Reframe the board conversation. Security investment is no longer a compliance cost. It is a strategic capability decision. The organizations best positioned in the Glasswing ecosystem are not the ones with the best patch hygiene. They are the ones with the deepest adversarial insight. That distinction is the right frame for a board-level discussion about where to invest next.
The Distinction That Will Matter
Project Glasswing and Mythos Preview demonstrate something important: defensive-first AI development is possible. Organizations can choose intentionality, pressure-testing, and restraint without abandoning the capability. That is a reason for measured optimism, not complacency.
Not every vendor, not every lab, and not every market participant will make the same choices. Competitive pressure and geopolitical reality push in the opposite direction. Which means the responsibility for readiness falls on security and technology leaders who understand the stakes and who are willing to have honest conversations about organizational posture before an incident forces the conversation.
The organizations that will navigate this environment well are not the ones waiting for the next indicator of compromise. They are the ones already asking: what would a capable adversary find in our environment tonight, and are we building toward the foresight to answer that question before they do?
If your security posture still relies on post-incident learning, or if you’re not sure where the model layer begins and your visibility ends, let’s have that conversation now. Blue Mantis works with mid-market and enterprise clients across every stage of AI security readiness. Reach out to schedule a no-obligation assessment.
