Mitch Dollin
The Vulnerability Flood is Coming. The Question is: Do You Know What You Have?
How Project Glasswing Changes the Calculus on Cyber Hygiene
On April 7th, Anthropic launched Project Glasswing. If you haven't read about it yet, here's the short version. They built an AI model called Claude Mythos Preview that can find and exploit software vulnerabilities at a scale and speed that exceed those of virtually any existing tool, publicly available AI model, or human researcher. It has already identified thousands of high-severity zero-day vulnerabilities across every major operating system and every major web browser.
Twelve of the biggest names in tech signed on as founding coalition members: AWS, Apple, Microsoft, Google, CrowdStrike, Palo Alto Networks, Cisco, Broadcom, NVIDIA, JPMorgan Chase, and the Linux Foundation. Anthropic committed $100 million in model usage credits.
This is an operational shift in how the industry discovers, discloses, and remediates vulnerabilities. It changes the calculus for every security team that has to deal with what comes next.
What's Actually Happening
Mythos Preview found a 27-year-old remote crash flaw in OpenBSD, a 16-year-old vulnerability in FFmpeg that automated testing missed after five million attempts, and Linux kernel vulnerabilities that chain together to enable privilege escalation.
Many of these would affect production systems in your environment, and as of right now, fewer than 1% of the thousands of discovered vulnerabilities have been fully patched by maintainers.
Anthropic gave coalition members 90 days to patch the initial vulnerabilities before the findings go public. That clock puts us at a public report in early July 2026, followed by what multiple analysts are describing as months of high-volume patch releases across operating systems, browsers, and critical libraries.
Forrester published a piece titled "Project Glasswing Shows That AI Will Break The Vulnerability Management Playbook." IANS Research warned organizations to prepare for "near-immediate weaponization" as similar AI capabilities inevitably spread to adversaries.
The Real Problem Isn't Discovery. It's Readiness.
AI can find flaws faster and on a greater scale than we ever could manually, and the vulnerabilities it finds will likely be close to exploitable out of the box. But finding vulnerabilities was never the bottleneck for most organizations. Acting on them was. And that gap is about to get dramatically worse.
If Mythos and similar models lead to a sustained spike in CVEs across the platforms your organization depends on, with more easily exploitable vulnerabilities, your patching pipeline will be under more pressure than ever.
And here's the part nobody is talking about enough: you can't patch what you can't see.
The Visibility Question Gets Louder
This is the part of the Glasswing conversation that matters most to the people running security operations. The analysts are already saying it. You can't defend assets you don't even know exist. Multiple industry voices are converging on the same conclusion: in a post-Glasswing world, real-time visibility across your full environment is no longer optional.
Let me put it in practical terms. A critical vulnerability is disclosed. Your patching team needs to act fast, but they can only act on what they see in the console, and the console only shows hosts where the agent is installed, still running, and correctly configured. Which hosts are missing from that list is not something agent- or scan-based tools can tell you on their own.
To act effectively, the team needs to be able to answer these questions about the patching tool's coverage immediately:
- Which of the devices in your estate have your patch management tool installed and running?
- Are your compensating controls (EDR, network segmentation, etc.) in place on the devices you can't patch immediately?
- Are there devices accessing corporate data that your security tools don't even know about?
If you can't answer those questions in minutes, not days, the accelerated vulnerability cycle that Glasswing just kicked off will expose gaps you didn't know you had.
What Doesn't Change (and Why That Matters)
We've been having some version of this conversation for years at ThreatAware. The AI angle gives it new urgency, but the core truth hasn't moved:
All tools have gaps. All agents can break.
That was true before Glasswing. What Glasswing changes is the consequence of those gaps. When vulnerability discovery was slower and more manual, a 15% gap in patching tool deployment was a risk you could manage with compensating controls. When AI-driven discovery compresses the time between a flaw being found and an exploit being weaponized, that 15% gap becomes the attack surface someone will find first.
Attack vectors haven't changed. Phishing, credential abuse, unpatched systems, misconfigured tools. These are still the doors attackers walk through. AI just helps them find and exploit those doors faster than ever before. The cost of a missed basic has gone up significantly.
Where This Goes from Here
Glasswing is going to reshape the security conversation for the rest of 2026 and beyond. But smart organizations are not going to wait for that change to occur and will instead prepare now.
If you're a security leader reading this, here's what I'd be thinking about right now:
- Can your team answer right now how many active endpoints are in your environment and what's deployed on each one?
- Can you validate the health of your security tools in real time across all endpoints?
- Where are the devices in your estate where multiple controls have silently failed, creating stacked risk that a sophisticated attacker could chain together?
- Are you able to correlate user and device risk to identify the most critical gaps, such as users with high phishing risk scores accessing machines with compromised EDR?
If you can answer those questions confidently, you're in better shape than most. If you can't, the clock is ticking. The fundamentals of cybersecurity haven't changed. Visibility, hygiene, and knowing your environment remain the foundation on which everything else is built. What's changed is how much it costs to get them wrong.
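The questions above boil down to reconciling what the identity layer sees touching corporate data against what each security tool claims to cover. The following is an added example, not ThreatAware's code or any product's logic: it runs that reconciliation over small constructed inventories (device IDs, check-in times, health flags, and user phishing scores are all made up) and reports unknown devices, patch and EDR gaps, hosts where both controls have failed, and high-risk users on unprotected machines. The seven-day staleness window and the risk threshold of 60 are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; none of these devices or users are real.
NOW = datetime(2026, 7, 1, 12, 0)
STALE = timedelta(days=7)        # assumed: an agent silent this long is not "running"
HIGH_RISK = 60                   # assumed phishing-risk threshold (0-100 scale)

# Devices seen signing in to corporate data (e.g. identity-provider logs).
SIGNINS = [
    {"device": "LT-001", "user": "alice"},
    {"device": "LT-002", "user": "bob"},
    {"device": "LT-003", "user": "carol"},
    {"device": "lt-004", "user": "dave"},   # casing differs between tools
]
# Patch tool and EDR inventories: device -> (last check-in, reports healthy).
PATCH_AGENTS = {"LT-001": (NOW - timedelta(days=1), True),
                "LT-002": (NOW - timedelta(days=30), True)}
EDR_AGENTS = {"LT-001": (NOW - timedelta(hours=2), True),
              "LT-002": (NOW - timedelta(hours=1), False),   # sensor unhealthy
              "LT-004": (NOW - timedelta(days=12), True)}
USER_RISK = {"alice": 10, "bob": 85, "carol": 40, "dave": 70}

def norm(device_id: str) -> str:
    """Normalise IDs so the same host matches across tools."""
    return device_id.strip().upper()

def agent_ok(record, now=NOW) -> bool:
    """Installed is not enough: the agent must be healthy and recently seen."""
    if record is None:
        return False
    last_seen, healthy = record
    return healthy and now - last_seen <= STALE

def hygiene_gaps(signins=SIGNINS, patch=PATCH_AGENTS, edr=EDR_AGENTS, risk=USER_RISK):
    patch = {norm(k): v for k, v in patch.items()}
    edr = {norm(k): v for k, v in edr.items()}
    report = {"unknown": [], "patch_gap": [], "edr_gap": [], "stacked": [], "risky_user_unprotected": []}
    for s in signins:
        dev = norm(s["device"])
        p_ok, e_ok = agent_ok(patch.get(dev)), agent_ok(edr.get(dev))
        if dev not in patch and dev not in edr:
            report["unknown"].append(dev)          # touches data, no tool knows it
        if not p_ok:
            report["patch_gap"].append(dev)        # cannot be patched via the tool
        if not e_ok:
            report["edr_gap"].append(dev)          # compensating control missing
        if not p_ok and not e_ok:
            report["stacked"].append(dev)          # multiple controls failed at once
        if not e_ok and risk.get(s["user"], 0) >= HIGH_RISK:
            report["risky_user_unprotected"].append((s["user"], dev))
    return report
```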
About ThreatAware
ThreatAware is a cyber asset management platform that identifies all active endpoints that touch corporate data and tells you where your security tools have gaps in deployment, functionality, and configuration. Agentless by design, live in under an hour. Learn more at ThreatAware.