Project Glasswing: An Initial Update

TL;DR

Project Glasswing, launched last month, reports that AI models have identified over ten thousand high- or critical-severity vulnerabilities across vital software systems. Early results suggest significant improvements in vulnerability detection but also reveal ongoing challenges in verification and patching.

Project Glasswing, a collaborative cybersecurity initiative launched last month, reports that its AI models have identified more than ten thousand high- or critical-severity vulnerabilities across key software systems, marking a significant advance in proactive security measures.

Since its launch, Project Glasswing, involving approximately 50 partners, has used the Claude Mythos Preview model to scan critical and open-source software, uncovering over 10,000 vulnerabilities. Notably, Cloudflare identified 2,000 bugs, including 400 high- or critical-severity issues, with a false positive rate better than human testers. External evaluations by the UK’s AI Security Institute and Mozilla support the model’s effectiveness, with Mythos Preview solving complex cyberattack simulations and detecting over ten times more vulnerabilities than previous models.

Early data also indicates that patched software is being updated more rapidly. For example, recent releases from Palo Alto Networks, Microsoft, and Oracle show a surge in patch deployment, reflecting increased responsiveness to vulnerabilities found by AI tools. Mythos Preview has also been instrumental in real-world security, helping a partner bank prevent a $1.5 million fraudulent transfer by detecting email spoofing threats.

In open-source software, Mythos Preview has scanned over 1,000 projects, finding more than 6,200 high- or critical-severity vulnerabilities. Of these, around 1,587 have been validated by independent firms, with approximately 1,094 confirmed as high- or critical-severity, indicating the model’s high true-positive rate and the potential for thousands of additional vulnerabilities to be surfaced in the future.

Why It Matters

This development represents a major step forward in cybersecurity, demonstrating that AI can significantly accelerate vulnerability detection and patching processes, thereby reducing systemic risks to internet infrastructure and critical services. The ability to identify vulnerabilities at scale could reshape how organizations defend against increasingly capable AI-powered cyber threats.

However, the challenge remains in verifying, disclosing, and patching the large volume of vulnerabilities efficiently, as well as managing the risks associated with AI-generated findings before patches are deployed. The early success of Mythos Preview suggests a new paradigm for proactive cybersecurity, but also underscores the need for careful handling of vulnerabilities to prevent exploitation.

Python Scripting for Cybersecurity: Linux Edition — Volume 4: Automation, Hardening, and Vulnerability Management with Hands-On Python Projects

Python Scripting for Cybersecurity: Linux Edition — Volume 4: Automation, Hardening, and Vulnerability Management with Hands-On Python Projects

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background

Prior to Project Glasswing, vulnerability discovery relied heavily on manual testing and delayed disclosure processes, often lagging behind the rapid pace of AI development. The initiative builds on recent trends of AI-enhanced security tools and the increasing sophistication of cyber threats. The launch follows months of research and testing, with external benchmarks confirming Mythos Preview’s superior performance over previous models.

Historically, software vendors have disclosed vulnerabilities 90 days after discovery, but AI’s rapid detection capabilities challenge this timeline, raising questions about balancing security with responsible disclosure.

“Our early results demonstrate that AI models like Mythos Preview can uncover vulnerabilities at an unprecedented scale, but the real challenge is in verifying, disclosing, and patching these issues efficiently.”

— A spokesperson for Project Glasswing

“We found 2,000 bugs, including 400 critical ones, with a false positive rate better than human testers, showing Mythos Preview’s potential for enterprise security.”

— A representative from Cloudflare

Cute-Patch It Works on My Machine Meme Embroidered Iron on sew on Patch Funny Emblem Programmer Humor

Cute-Patch It Works on My Machine Meme Embroidered Iron on sew on Patch Funny Emblem Programmer Humor

Size: 3 inches tall

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

What Remains Unclear

It remains unclear how quickly patches can be deployed at scale for all vulnerabilities identified by Mythos Preview, and whether the model will maintain high accuracy across all types of software. Additionally, the long-term implications of AI-driven vulnerability discovery on cyber threat landscapes are still evolving.

Investigating Email Crimes: A Comprehensive Guide to Uncovering and Preventing Email Fraud (Cyber Crime Forensics Investigator | By Vijay Gupta Book 13)

Investigating Email Crimes: A Comprehensive Guide to Uncovering and Preventing Email Fraud (Cyber Crime Forensics Investigator | By Vijay Gupta Book 13)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

What’s Next

Project Glasswing plans to continue scanning open-source projects and critical software, refining Mythos Preview’s capabilities. Future steps include broader deployment of the model, more detailed vulnerability disclosures once patches are widely released, and ongoing evaluation of the model’s performance in live environments.

Create a Free Vulnerabilities scanners on ALMALINUX 9.2: With Nessus and GreenBone softwares including alls NVTs, CVE + CPE + CERT +OVAL Definitions and compliance policies, port lists

Create a Free Vulnerabilities scanners on ALMALINUX 9.2: With Nessus and GreenBone softwares including alls NVTs, CVE + CPE + CERT +OVAL Definitions and compliance policies, port lists

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How reliable are the vulnerabilities detected by Mythos Preview?

Initial assessments show a high true-positive rate, with over 90% of validated vulnerabilities confirmed as high- or critical-severity, but ongoing verification is essential before full deployment.

Will the vulnerabilities found be disclosed publicly?

Disclosures follow the industry standard of 90 days after discovery, but the rapid detection may accelerate the patching process before public disclosure.

What impact does this have on cybersecurity practices?

The ability to identify vulnerabilities at scale could significantly improve proactive defense strategies, but it also raises challenges related to managing the volume of findings and ensuring timely patching.

Are open-source projects safe from AI-detected vulnerabilities?

While Mythos Preview has identified many vulnerabilities in open-source software, ongoing efforts are needed to verify and patch these issues to improve overall security.

Source: Hacker News

You May Also Like

The Regulatory Vacuum.

Google discloses a zero-day exploited by criminals, but U.S. policy frameworks remain absent, creating a regulatory vacuum with significant risks.

Understanding the Cyber Kill Chain: From Recon to Exfiltration

Protect your organization by understanding the cyber kill chain stages and how to disrupt attackers’ plans before they cause harm.

Browser Isolation: The Unsung Hero Against Drive‑By Downloads

Gaining insight into browser isolation reveals a powerful, often overlooked defense against drive-by downloads that could transform your web security approach.

Cyber Hygiene for Kids: Teaching Safety Before the First Smartphone

Learning key cyber hygiene tips for kids before their first smartphone can empower parents to foster safe online habits, and here’s how to start.