{“lastseen”:”2026-04-23T11:43:58″,”description”:”\\n\\nLast week, Anthropic announced Project Glasswing, an AI model so effective at discovering software vulnerabilities that they took the extraordinary step of postponing its public release. Instead, the company has given access to Apple, Microsoft, Google, Amazon, and a coalition of others to **find and patch bugs before adversaries can**.\\n\\nMythos Preview, the model that led to Project Glasswing, **found vulnerabilities across every major operating system and browser.** Some of these bugs had survived decades of human audits, aggressive fuzzing, and open-source scrutiny. One had been **sitting for 27 years** in OpenBSD, generally considered to be one of the world\u2019s most secure operating systems.\\n\\nIt’s tempting to file this under \\”**AI lab says their AI is too dangerous,** \\” the same playbook OpenAI ran with GPT-2. \\n\\nNot so fast; there’s a material difference this time. \\n\\nMythos didn’t just find individual CVEs. \\n\\n * It **chained four independent bugs into an exploit sequence** that bypassed both the browser renderer and the OS sandboxing\\n * It performed local privilege escalation in Linux through race conditions\\n * It built a 20-gadget ROP chain targeting FreeBSD’s NFS server, distributed across packets.\\n\\n\\n\\nClaude Opus 4.6, Anthropic’s previous frontier model, failed at autonomous exploit development almost entirely.**Mythos hit a 72.4% success rate in the Firefox JS shell**.\\n\\nThis isn’t theoretical, nor some new three-to-five-year prediction. This is about to be a real-world engineering reality.\\n\\n## **Why Project Glasswing Exposes the Real Cybersecurity Gap**\\n\\nHere’s the number that should keep security leaders awake at night: **fewer than 1% of the vulnerabilities found by Mythos were patched**.\\n\\nLet that sink in for a moment. \\n\\nThe most powerful vulnerability discovery engine ever built ran against the world’s most critical software, and the ecosystem couldn’t absorb the output. \\n\\nGlasswing solved the finding problem. \\n\\nNobody solved the problem of fixing.\\n\\n### **Why Defenders Can’t Keep Up: Calendar Speed vs. Machine Speed**\\n\\nThis is the structural issue the cybersecurity industry has been circling for years. AI just made it impossible to ignore. \\n\\nDefenders operate on **calendar speed**. They: \\n\\n * Gather intelligence \\n * Build a campaign\\n * Simulate the threats \\n * Mitigate \\n * Repeat\\n\\n\\n\\nThat cycle takes about **four days on a good day**. Attackers, especially those now leveraging LLMs at every stage of their operation, are **moving at machine speed**. \\n\\nFor an up-to-the-minute take, David B. Cross, CISO at Atlassian, will be speaking at the Autonomous Validation Summit on May 12 about what this looks like from the inside, why periodic testing can’t keep pace with adversaries that operate autonomously, and what defenders should be doing instead.\\n\\n### **AI-Powered Attacks Are Already Autonomous**\\n\\nEarlier this year, a threat actor deployed **a custom MCP server hosting an LLM as part of their attack chain** against FortiGate appliances. \\n\\nThe AI handled everything: \\n\\n * Automated backdoor creation\\n * Internal infrastructure mapping fed directly to the model\\n * Autonomous vulnerability assessment, and \\n * AI-prioritized execution of offensive tools for domain admin access. \\n\\n\\n\\nThe result? **2,516 organizations across 106 countries were compromised** in parallel. The entire chain, from initial access through credential dumping to data exfiltration, was autonomous. The only human involvement was reviewing the results afterward.\\n\\n### **AI-based Vulnerability Discovery Is Outpacing Remediation**\\n\\nThe gap between attacker speed and defender speed isn’t new. \\n\\n**What’s new is that a small but worrisome gap just became a canyon.**\\n\\n * Autonomous systems like AISLE discovered 13 out of 14 OpenSSL CVEs in recent coordinated releases, bugs that had survived years of human review. \\n * XBOW became the top-ranked hacker on HackerOne in 2025, surpassing all human participants.\\n * The median time from disclosure to weaponized exploit dropped from 771 days in 2018 to single-digit hours by 2024.\\n * By 2025, the majority of exploits will be weaponized _before_ being publicly disclosed.\\n\\n\\n\\n**Now add Mythos-class discovery to this picture.**\\n\\nYou don’t get a safer world automatically. You get a **tsunami of legitimate findings that still require human verification** , organizational process, business continuity considerations, and patch cycles that haven’t fundamentally changed in a decade.\\n\\n## **How to Build a Mythos-Ready Security Program**\\n\\nThe instinct after Glasswing is to ask: \\”How do we find more bugs?\\” \\n\\nThat’s actually the wrong question.\\n\\nThe right one is: \\”When thousands of exploitable vulnerabilities land on your desk tomorrow morning, **can your program actually process them?** \\”\\n\\nFor most organizations, the honest answer is no. And the reason isn’t a lack of tools or talent; it’s a structural **dependency on periodic** , **human-initiated processes** that were designed for a world where vulnerabilities trickled in, not one where they arrived in a tsunami.\\n\\nWe can’t fix every vulnerability. We can’t apply every hardening option. \\n\\n****\\n\\n\\u003e **That’s not defeatism** , that\u2019s the pragmatic starting point for any security program that actually works. The question that matters isn’t \\”is this CVE critical?\\” but \\”**is this vulnerability exploitable in my environment, right now, given what I have deployed?** \\”\\n\\nA Mythos-ready security program needs three fundamental pieces.\\n\\n### **First: Signal-Driven Validation Over Scheduled Testing**\\n\\nWhen a new threat emerges, when an asset changes, or when a configuration drifts, defenses need to be **tested against that specific change in that moment.** Not during the next quarterly pentest. Not when someone can find an open calendar slot. \\n\\nThe entire concept of \\”scheduled validation\\” assumes a stable threat landscape, and today, that **assumption is dead on arrival**.\\n\\n### **Second: Environment-Specific Context Over Generic CVSS Scores**\\n\\nGlasswing will produce an avalanche of CVEs. \\n\\nYet most vulnerability management programs are still prioritized by CVSS scores. This context-free metric tells you how bad a bug _could be in theory_ , not whether _it’s exploitable in your specific infrastructure_ , given your controls and business risk.\\n\\nWhen the volume of findings suddenly goes from **hundreds to thousands** , context-free prioritization won’t just slow you down; **it\u2019ll break your process entirely**.\\n\\n### **Third: Closed-Loop Remediation Without a Manual Handoff**\\n\\nThe current model can\u2019t survive in a world where adversaries exploit CVEs within hours of disclosure. You know the drill:\\n\\n * Scanner finds a bug\\n * Analyst triages it\\n * The ticket goes to a different team\\n * Someone patches it weeks later\\n * Nobody re-validates\\n\\n\\n\\nThat chain of manual handoffs is exactly where the system disintegrates. If the cycle from finding to fix to re-validation can’t run without humans shuttling tickets between queues, it clearly isn\u2019t running anywhere near machine speed.\\n\\nThis isn’t about buying more tools. It’s about defenders leveraging their **one asymmetric advantage** : you know your organization\u2019s topology, **attackers don’t**. \\n\\nThat’s a significant advantage, **but only if you can act on it at machine speed.**\\n\\n## **How Autonomous Exposure Validation Closes the Gap \u2014 and Where Picus Comes in**\\n\\nThis is the part where I\u2019m going to be really transparent about who’s writing this. \\n\\nAt Picus Security, we build a platform for **Autonomous Exposure Validation**. So, full disclosure, I have a perspective here that comes with an inherent bias. Take it accordingly.\\n\\nWhat Glasswing crystallized for us, and for a lot of the CISOs we’ve been speaking with, is that the**validation step** within any **exposure management program** just became the most critical bottleneck. \\n\\n * Finding vulnerabilities is about to get radically easier and more efficient \\n * Patching them is going to remain painfully slow.\\n\\n\\n\\nThe only lever you can pull in between is **knowing which ones actually matter** to your environment. That’s validation.\\n\\n### **From Four Days to Three Minutes: How Agentic Workflows Change the Cycle**\\n\\nWe built Picus Swarm, the AI team powering autonomous, real-time validation, to compress the traditional four-day cycle into minutes. \\n\\nIt’s a set of AI agents that work together to do what used to require handoffs between four separate teams: \\n\\n * A **researcher agent** ingests and vets threat intelligence. \\n * A **red teamer agent** maps it against your environment to generate a safety-checked attacker playbook. \\n * A **simulator agent** executes across your actual endpoints and cloud, gathering telemetry and proof data. \\n * A**coordinator agent** bridges findings to remediation, opening tickets, triggering SOAR playbooks, pushing indicators of attack to your EDR, and re-validating after fixes land.\\n\\n\\n\\nEvery action is traceable and auditable, andevery agent operates within guardrails you define.\\n\\nThe whole chain, from a new CISA alert to validated, remediation-ready findings, runs in about three minutes. \\n\\n\\u003e When a **Mythos-class model drops thousands of findings** on your organization, you need something that can immediately tell you **which of these are exploitable in your environment.** Which controls would hold, which would fail, and what’s the vendor-specific fix? \\n\\n## **The Uncomfortable Truth**\\n\\nProject Glasswing is going to be measured by one metric: how many vulnerabilities get patched before they get exploited. Not how many are found, not how impressive the exploit chains are, but whether the ecosystem can digest what AI is about to produce.\\n\\nVisibility alone has never been enough, 83% of cybersecurity programs still show no measurable results. What\u2019s changing the equation is **closing the gap between seeing and proving:** knowing whether a potential vulnerability **would actually compromise your environment.**\\n\\nThat’s validation.\\n\\nAnd in a post-Glasswing world, it’s the only thing standing between a flood of discoveries and a flood of breaches.\\n\\n\\n\\n_We’re hosting the Autonomous Validation Summit on May 12 \\u0026 14 with Frost \\u0026 Sullivan, featuring practitioners from Kraft Heinz and Glow Financial Services, along with our CTO, Volkan Erturk. Together, we\u2019ll be taking a deeper dive into this specific problem. _\\n\\n_\\u003e \\u003e Register here._\\n\\n_Note: This article was written byS\u0131la \u00d6zeren Hac\u0131o\u011flu, Security Research Engineer at Picus Security._\\n\\nFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-04-23T11:30:00″,”modified”:”2026-04-23T11:30:00″,”type”:”thn”,”title”:”Project Glasswing Proved AI Can Find the Bugs. Who’s Going to Fix Them?”,”source”:””,”references”:””,”id”:”THN:CD2A05D756D4965113B73FC71DADB28E”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/04\/project-glasswing-proved-ai-can-find.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-23T11:43:58″,”description”:”\\n\\nLast week, Anthropic announced Project Glasswing, an AI model so effective at discovering software vulnerabilities that they took the extraordinary step of postponing its public…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-48929","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n