Project Glasswing: Why AI Powered Vulnerability Discovery Changes the Game for Cyber Security

A Watershed Moment for Defenders

Today is an inflection point for cyber security with Anthropic’s announcement of Project Glasswing marking one of the most significant developments in cyber security this year. At the heart of the initiative is Claude Mythos Preview, a frontier AI model that has already identified thousands of previously unknown zero-day vulnerabilities across every major operating system and web browser. The oldest bug it surfaced had been sitting quietly in OpenBSD for 27 years.

The coalition behind the project reads like a who’s who of the technology industry: Apple, Microsoft, Google, AWS, CrowdStrike, Palo Alto Networks, Cisco, Broadcom, NVIDIA, JPMorganChase, and the Linux Foundation. These are organisations that have built entire security empires on proprietary AI and threat intelligence, and they are now publicly acknowledging the need for a collaborative, model driven approach to finding what their own tools have missed.

It is an inflection point for cyber security.

What Project Glasswing Means in Practice

Project Glasswing uses Claude Mythos Preview to systematically hunt for vulnerabilities across critical infrastructure before adversaries can find them. The model operates agentically, reading source code, forming hypotheses about potential flaws, running live tests to confirm or reject those hypotheses, and producing detailed bug reports with proof-of-concept exploits and reproduction steps.

The results so far have been striking. Thousands of zero-day vulnerabilities, many of them critical, have been discovered in software that had already undergone extensive human led security review. That tells us something important: even well-resourced security programmes have blind spots, and AI driven analysis is now capable of seeing what human reviewers have not.

Why This Matters for the Organisations HOOP Cyber Works With

At HOOP Cyber, we work with organisations across sectors to strengthen their cyber security posture, from strategy and governance through to technical assurance and threat intelligence. Project Glasswing reinforces a message we have been delivering to our clients for some time: the threat landscape is shifting faster than traditional security approaches can keep pace with, and AI is now central to both sides of the equation.

For the organisations we support, the implications of Glasswing are threefold. First, the volume and severity of newly disclosed vulnerabilities is about to increase significantly. Patching cycles, vulnerability management programmes, and risk assessment processes will need to adapt accordingly. Second, the sophistication of AI augmented attacks will continue to grow. The same capabilities that allow Mythos Preview to find and fix vulnerabilities at scale could, in the wrong hands, be used to exploit them. Anthropic themselves have been candid about this, warning that frontier AI capabilities are likely to advance substantially in the coming months. Third, and perhaps most critically, this development highlights the importance of foundational cyber hygiene. AI powered vulnerability discovery is only as effective as the visibility and asset management that underpins it.

The Visibility Gap: You Cannot Patch What You Cannot See

This is where Project Glasswing becomes particularly relevant for the organisations HOOP Cyber serves. The enterprises most at risk from what comes next are not necessarily those without mature security operations centres or enterprise patching pipelines. They are the organisations running operational technology networks where firmware has not been updated since the equipment was installed. Clinical environments where a connected infusion pump or imaging system sits outside every mobile device management policy ever written. Industrial floors where the programmable logic controller communicating with a SCADA system was never designed with a security model at all, because when it was built, nobody imagined it would one day be networked.

For those environments, the question was never just whether we can find the vulnerability. It has always been whether the asset register or security architecture even knows the device exists. You cannot patch what you cannot see. You cannot segment what you have not inventoried. You cannot respond to a compromise in an asset that is not visible.

How HOOP Cyber Is Helping Clients Prepare

At HOOP Cyber, we help organisations build the foundations that make initiatives like Glasswing actionable. That means working with our clients to achieve continuous, real-time visibility across IT, OT and IoT environments. It means ensuring asset registers are accurate and current, that network diagrams reflect reality rather than aspiration, and that vulnerability management processes are mature enough to act on the intelligence that AI powered discovery will generate.

Project Glasswing is genuinely impressive, and the early results are real. But AI powered vulnerability discovery at scale only closes the gap if defenders already know where to look. Our role at HOOP Cyber is to make sure they do.

Looking Ahead

The window of advantage that Glasswing provides is measured in months, not years. Anthropic have been transparent about this. As frontier AI capabilities proliferate, the organisations that will be best positioned are those that have already invested in the fundamentals: asset visibility, robust vulnerability management, and a security architecture that is designed for the reality of their environments rather than the idealised version of them.

HOOP Cyber stands ready to help organisations navigate this new chapter. If you would like to discuss what Project Glasswing means for your organisation and how to prepare, get in touch with our team via