Anthropic’s Project Glasswing Exposes a Massive Remediation Gap: AI Can Find Decades-Old Bugs—But Who Fixes Them?
What happens when an AI can spot more software flaws in a week than your team can patch in a quarter? Anthropic’s Project Glasswing just answered that question—then raised a scarier one. Their AI model, Mythos, reportedly unearthed decades-old vulnerabilities across major software stacks. The catch? Fewer than 1% were patched.
If that stat made your stomach drop, you’re not alone. The announcement, covered by The Hacker News, signals a turning point: AI now hunts for vulnerabilities at machine speed, while defenders are still fixing at calendar speed. Even worse, coordinated campaigns have shown that attackers can chain LLMs to autonomously scout, generate exploits, and pivot across targets—compromising thousands of organizations in days.
So yes, AI can find the bugs. But who is going to fix them—and how?
In this post, we’ll unpack what Project Glasswing means for your security strategy, why the remediation bottleneck is the new battleground, and how to realign threat intelligence, automation, and engineering workflows to close the gap before attackers do.
Quick recap: What Project Glasswing and Mythos just changed
- Mythos scanned widely used software stacks and uncovered long-standing flaws that had eluded human review for years.
- Anthropic delayed public release, instead giving early access to platform giants like Apple, Microsoft, Google, and Amazon so they could prioritize patches before adversaries got a head start.
- The headline number—under 1% patched—exposed a brutal truth: discovery without remediation isn’t defense.
- It’s not an isolated phenomenon. We’ve already seen AI-assisted vulnerability hunting outperform humans in controlled settings, from tools that surfaced most OpenSSL CVEs in test suites to AI-driven bounty hunters leading on platforms like HackerOne.
The big picture: Discovery now moves faster than remediation can keep up. That flips cybersecurity’s center of gravity from “find” to “fix.”
Machine speed vs. calendar speed: The new asymmetry
Attackers now operate at machine speed. LLMs can:
- Parse codebases and change logs to flag pre-patch/exploit conditions
- Generate PoCs and mutate them to bypass simplistic defenses
- Automate recon, exploit attempts, and lateral movement with minimal human oversight
Meanwhile, defenders are still stuck at calendar speed:
- Risk triage meetings weekly
- Vendor patch Tuesdays monthly
- Maintenance windows quarterly
- Approvals that hop through three teams and a CAB
Median time from disclosure to exploitation has plummeted from weeks to days—and often hours—across many classes of vulnerabilities. When an AI like Mythos can surface thousands of high-fidelity findings at once, your backlog balloons, and your mean time to remediate (MTTR) stretches beyond safe limits.
This is the new imbalance. And the solution isn’t to discover less—it’s to fix faster, safer, and with more context.
Why fewer than 1% were patched: Seven bottlenecks you can actually fix
Let’s be honest: teams aren’t lazy. They’re overloaded. Here’s why.
1) Too many findings, too little context
– Alerts read “critical” without proof of exploitability in your environment.
– Teams drown in CVEs across containers, endpoints, cloud services, and SaaS.
2) Ownership ambiguity
– Who owns remediation across app, infra, identity, and vendor-managed layers?
– Cloud/service sprawl blurs lines between platform, product, and security.
3) Risk-blind prioritization
– Static severity (e.g., CVSS base scores) ignores active exploitation and your business context.
– Findings lack mapping to known exploited vulnerabilities (KEVs) or attack paths.
4) Change risk and testing debt
– Patches break things. Without staging/canaries/feature flags, teams hesitate.
– Legacy systems and brittle integrations slow everything to a crawl.
5) Vendor and supply-chain constraints
– Third-party patches arrive late or require major version upgrades.
– SBOMs are absent or stale, so you can’t even tell where you’re exposed.
6) Identity and misconfiguration overshadow software bugs
– In modern breaches, identity abuse and cloud misconfig are often the first pivot.
– Fixing code flaws won’t save you if your IAM is wide open.
7) Siloed tooling and process
– Scanner outputs don’t sync to ticketing, SIEM/XDR, or SOAR.
– Each team has its own view of risk—and its own backlog.
The punchline: These are solvable with process, automation, and culture. Here’s how.
A practical playbook to close the remediation gap
1) Prioritize with risk, not volume
Shift from “scan-and-dump” to “triage-and-act.”
- Map AI-discovered findings to real-world exploitation:
  - Cross-reference with CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
  - Use exploit likelihood models like EPSS.
  - Track public exploit code and telemetry from your own detections.
- Add business context:
  - Asset criticality (crown jewels, internet exposure, production data).
  - Blast radius (privileged identity, lateral movement potential).
  - Compliance/regulatory impact.
- Score and SLAs:
  - P1: KEV + internet-exposed + high-value asset → fix or mitigate within 24–72 hours.
  - P2: Exploitable path in your environment → 7 days.
  - P3: Low-likelihood/low-impact → 30+ days, bundle into maintenance cycles.
Your north star: Reduce “hours of critical exposure,” not just “number of findings closed.”
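The P1/P2/P3 tiers above can be expressed as a small triage function. This is an added example, not code from the original post or from Anthropic; the `Finding` fields, the 0.10 EPSS cut-off, and the choice to put KEV or high-EPSS findings that miss P1 into the 7-day tier are assumptions, and the sample findings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# SLA ceilings from the tiers above; P1 uses the 72-hour upper bound.
SLA_HOURS = {"P1": 72, "P2": 7 * 24, "P3": 30 * 24}
EPSS_CUTOFF = 0.10  # assumption: the post names EPSS but sets no threshold


@dataclass
class Finding:
    finding_id: str
    asset: str
    in_kev: bool            # listed in the CISA KEV catalog
    epss: float             # EPSS probability, 0.0 to 1.0
    internet_exposed: bool
    high_value: bool        # crown-jewel asset or production data
    reachable: bool         # exploitable path confirmed in your environment
    found_at: datetime


def priority(f: Finding) -> str:
    """Assign P1/P2/P3 from threat intel plus business context."""
    if f.in_kev and f.internet_exposed and f.high_value:
        return "P1"
    # Assumption: KEV or high-EPSS findings that miss P1 still get the 7-day tier.
    if f.reachable or f.in_kev or f.epss >= EPSS_CUTOFF:
        return "P2"
    return "P3"


def triage(findings):
    """Return (priority, due_by, finding) rows, most urgent first."""
    rows = []
    for f in findings:
        p = priority(f)
        rows.append((p, f.found_at + timedelta(hours=SLA_HOURS[p]), f))
    return sorted(rows, key=lambda r: (r[0], r[1]))


# Constructed sample findings (not real scanner output).
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("F-1", "intranet-wiki", False, 0.02, False, False, False, T0),
    Finding("F-2", "payments-api", True, 0.91, True, True, True, T0),
    Finding("F-3", "build-runner", False, 0.40, False, False, True, T0),
    Finding("F-4", "hr-portal", True, 0.05, False, True, False, T0),
]

if __name__ == "__main__":
    for p, due, f in triage(SAMPLE):
        print(p, due.isoformat(), f.finding_id, f.asset)
```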
2) Automate the boring, standardize the hard
Your team can’t outwork machine speed, but you can out-automate it.
- SOAR playbooks for common classes:
  - Auto-create tickets with enriched context (asset owner, exposure, KEV/EPSS, ATT&CK technique).
  - Execute pre-approved actions for low-risk fixes (e.g., update a container base image).
  - Quarantine or isolate endpoints with confirmed high-risk exposure via EDR/XDR.
- SIEM/XDR integration:
  - Correlate vulnerability signals with real-time detections to elevate hot issues.
  - Build detections for mass, automated probing patterns to flag active targeting.
- Patch orchestration:
  - Standardize OS/app patch cycles and use rolling updates where possible.
  - For Linux, automate via package managers; for Windows, WSUS/SCCM/Intune pipelines.
  - For containers, rebuild from patched base images and redeploy automatically.
3) Make production-safe patching your default
Speed without safety breeds outages—and slower patching next time. Borrow from modern SRE practice.
- Canary releases and blue/green deployments
- Feature flags to disable risky code paths quickly
- Staging environments that mirror prod data flows (with scrubbed data)
- Automated integration and regression testing on every patch
- Rollback-as-a-service: one-click reversion if telemetry trends go red
This reduces the perceived and real risk of fixing fast.
4) Treat identity and cloud config as first-class vulns
A lot of “exploits” today don’t need a buffer overflow—they need a broad IAM role or misconfigured bucket.
- Identity basics:
  - Phishing-resistant MFA (FIDO2/WebAuthn) for all admins and high-value users.
  - Just-in-time access and least privilege through PAM/JEA.
  - Conditional access and continuous access evaluation.
- Cloud posture:
  - CSPM/CIEM to enforce guardrails on public exposure, default creds, weak policies.
  - Block risky patterns in IaC with policy-as-code before they hit prod.
  - Egress controls and microsegmentation to blunt lateral movement.
5) Put AI on defense—inside SecOps and AppSec
Fight AI with AI, responsibly.
- Use LLM copilots to:
  - Summarize long scanner outputs into actionable tickets.
  - Convert natural-language findings into infrastructure tickets with owners and SLAs.
  - Generate remediation diffs and config snippets for common issues.
  - Draft detection logic templates for SIEM/XDR that engineers can harden.
- Guardrails:
  - No direct code commits from AI without human review.
  - Redact secrets and sensitive design info from prompts.
  - Log and review AI suggestions for accuracy and bias.
6) Pre-wire your incident response for machine speed
When compromise windows are measured in hours, you can’t improvise.
- Pre-approved responder actions per severity (isolate host, kill process, rotate creds).
- Role-based access so IR can act without waiting on tickets.
- Golden playbooks for top attack paths aligned to MITRE ATT&CK.
- Automated comms: Slack/Teams channels spun up with context; templated exec updates.
7) Modernize software supply chain hygiene
If Mythos can see it, your attackers can too—especially in dependencies.
- SBOMs everywhere, always:
  - Standardize on CycloneDX or SPDX.
  - Track where vulnerable components actually run in prod.
- VEX to reduce noise:
  - Use Vulnerability Exploitability eXchange (VEX) or equivalent to declare non-exploitable components in your context.
- Signed artifacts and provenance:
  - Adopt SLSA levels and Sigstore for build integrity.
  - Align development with NIST’s SSDF so security is a feature, not a fire drill.
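To show how an SBOM, VEX statements, and a deployment inventory combine into a short worklist, here is an added example (not from the original post or any vendor tool). It reads a constructed CycloneDX-style BOM with embedded `analysis` states; the component names, the `CVE-0000-*` placeholder ids, and the `DEPLOYED` inventory mapping are all hypothetical.

```python
import json

# CycloneDX analysis states treated here as "no action needed".
SUPPRESSED = {"not_affected", "false_positive", "resolved"}

# Constructed CycloneDX-style BOM with embedded VEX analysis; the component
# names and CVE-0000-* ids are placeholders, not real advisories.
BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "c1", "name": "libparse", "version": "2.4.1"},
    {"bom-ref": "c2", "name": "imgcodec", "version": "0.9.0"},
    {"bom-ref": "c3", "name": "oldcrypto", "version": "1.0.2"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "c1"}]},
    {"id": "CVE-0000-0002", "affects": [{"ref": "c2"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-0000-0003", "affects": [{"ref": "c3"}],
     "analysis": {"state": "exploitable"}}
  ]
}
""")

# Hypothetical deployment inventory: bom-ref -> production services running it.
DEPLOYED = {"c1": ["checkout", "search"], "c2": ["checkout"], "c3": []}


def actionable(bom, deployed):
    """Return (vuln_id, component, services) for findings that need work in prod."""
    names = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in bom["components"]}
    out = []
    for v in bom.get("vulnerabilities", []):
        # Entries without an analysis block are treated as still in triage.
        state = v.get("analysis", {}).get("state", "in_triage")
        if state in SUPPRESSED:
            continue  # VEX says this component is not exploitable in context
        for target in v.get("affects", []):
            services = deployed.get(target["ref"], [])
            if services:  # skip components that never reach production
                out.append((v["id"], names.get(target["ref"], target["ref"]), services))
    return out


if __name__ == "__main__":
    for row in actionable(BOM, DEPLOYED):
        print(row)
```

Of the three constructed entries, one is suppressed by its VEX state and one affects a component that runs nowhere in production, leaving a single item for the backlog.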
8) Measure what moves risk
Track a handful of metrics relentlessly:
- Median Time to Remediate (MTTR) by severity
- Percent of KEV-aligned findings fixed within SLA
- Hours of exposure for internet-facing critical assets
- Patch failure/rollback rate (trend down via safer deployment)
- Coverage: percent of prod assets with current SBOM and vulnerability scans
- Identity blast radius: number of standing admin roles, orphaned secrets, stale keys
Dashboards should be visible to engineering and execs, not just security.
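The first three metrics in this list can be computed straight from ticket data. The sketch below is an added example, not part of the original post; the record fields are assumptions, the SLA ceilings reuse the 72-hour/7-day/30-day tiers from earlier in the post, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

SLA_HOURS = {"P1": 72, "P2": 168, "P3": 720}  # 72 h / 7 d / 30 d tiers from this post


def _hours(start, end):
    return (end - start).total_seconds() / 3600


def remediation_metrics(records, now):
    """Compute median time to remediate, KEV SLA compliance and exposure hours.

    records: dicts with priority, in_kev, exposed_critical, opened, closed
    (closed is None while the finding is still open).
    """
    closed_ages = {}
    kev_due = kev_met = 0
    exposure = 0.0
    for r in records:
        age = _hours(r["opened"], r["closed"] or now)
        sla = SLA_HOURS[r["priority"]]
        if r["closed"]:
            closed_ages.setdefault(r["priority"], []).append(age)
        if r["in_kev"] and (r["closed"] or age > sla):
            # Judge a KEV finding once it is fixed or its SLA has lapsed;
            # open findings still inside their window are not counted yet.
            kev_due += 1
            if r["closed"] and age <= sla:
                kev_met += 1
        if r["exposed_critical"]:
            exposure += age  # open findings keep accruing until `now`
    return {
        "mttr_hours": {p: median(a) for p, a in sorted(closed_ages.items())},
        "kev_within_sla_pct": round(100 * kev_met / kev_due, 1) if kev_due else None,
        "critical_exposure_hours": exposure,
    }


# Constructed sample records; times are hour offsets from T0.
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=240)


def _rec(priority, in_kev, exposed_critical, opened_h, closed_h=None):
    closed = None if closed_h is None else T0 + timedelta(hours=closed_h)
    return dict(priority=priority, in_kev=in_kev, exposed_critical=exposed_critical,
                opened=T0 + timedelta(hours=opened_h), closed=closed)


SAMPLE = [
    _rec("P1", True, True, 0, 48),     # fixed inside the 72 h window
    _rec("P1", True, True, 0, 120),    # fixed, but late
    _rec("P2", True, False, 0),        # still open and past 7 days
    _rec("P2", False, False, 0, 100),
    _rec("P1", True, True, 216),       # open, 24 h old, still inside SLA
]
```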
Simulate LLM-driven adversaries—safely and legally
You don’t have to guess how AI-native attackers behave. You can simulate them in a controlled, ethical way.
- Purple team exercises that emulate automated recon, credential stuffing, and opportunistic exploitation—without weaponizing novel 0-days.
- Breach-and-attack simulation tools tuned to speed and scale patterns, not exploit creation.
- Honeytokens, deception tech, and canary endpoints to detect automated pivots quickly.
- Rate-limiting, bot management, and anomaly-based WAF rules to blunt mass, low-signal probes.
Keep it safe:
- Only test in environments you own and with leadership approval.
- Avoid step-by-step exploit generation or distribution of PoCs outside responsible channels.
- Capture learnings in detections, guardrails, and playbooks.
Governance and responsible disclosure matter more than ever
Anthropic’s decision to share Mythos findings with major vendors before a broad release reflects a growing norm: AI-accelerated discovery requires AI-accelerated responsibility.
- Participate in coordinated disclosure with vendors and CERTs.
- Maintain a responsive PSIRT; align scoring with CVSS and enrich with KEV/EPSS.
- Share context, not just counts, with partners and customers.
- Use CWEs from MITRE to fix classes of bugs, not just instances.
- If you run a bug bounty, be explicit about AI tool use and safe boundaries.
What CISOs should do this quarter
- Stand up an “AI Remediation War Room” that meets weekly:
  - Inputs: AI-discovered and scanner findings; KEV/EPSS; business criticality.
  - Outputs: a single prioritized backlog with owners and SLAs.
- Publish 24/72/7-day SLAs for P1/P2/P3 and measure compliance.
- Enable canary deploys and feature flags for top 5 critical services.
- Mandate phishing-resistant MFA for all admin and developer accounts.
- Turn on auto-patching for OS/browser/endpoint agents where business-safe.
- Integrate vuln intel into SIEM/XDR to elevate actively targeted assets.
- Generate SBOMs for top-tier applications and connect them to your vuln DB.
- Run one LLM-aware purple team exercise focused on speed, not novelty.
- Automate ticket enrichment with AI (owner, exposure, business impact).
- Present a board-level metric: “Critical exposure hours reduced by X% month over month.”
Common pitfalls to avoid
- Chasing 100% patch rates across everything equally. Focus where adversaries are pointing today.
- Treating identity and misconfigurations as “someone else’s problem.” They’re the fastest path in.
- Shipping patches without safety rails, then rolling back so often that teams lose confidence.
- Buying new tools without integrating them into workflows. Integration is half the win.
- Blocking AI outright in security teams. Govern it; don’t ignore it.
Resources to deepen your program
- The original report: The Hacker News coverage of Project Glasswing
- Anthropic (project and safety context): https://www.anthropic.com/
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- FIRST EPSS: https://www.first.org/epss/
- NIST SSDF: https://csrc.nist.gov/Projects/ssdf
- MITRE ATT&CK: https://attack.mitre.org/
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- SLSA: https://slsa.dev
- CycloneDX SBOM: https://cyclonedx.org/
- SPDX SBOM: https://spdx.dev/
- HackerOne (bounty programs): https://www.hackerone.com/
The takeaway
Project Glasswing proves what many suspected: AI can find software flaws at a scale and speed that outstrips human capacity. But discovery isn’t defense. The side that wins is the one that can remediate and mitigate faster than attackers can weaponize.
That means risk-driven prioritization, automation-first workflows, production-safe patching, identity and cloud hardening, and AI-augmented SecOps—measured by exposure hours and SLA compliance, not vanity counts. If you invest there, you turn a flood of AI findings from a liability into a strategic advantage.
AI will keep finding the bugs. Your job is to make sure they get fixed—before someone else “fixes” them for you.
FAQ
Q: What is Project Glasswing, and who is Mythos?
A: Project Glasswing is an Anthropic initiative focused on AI-driven vulnerability discovery. Mythos is the AI model reportedly used to scan major software stacks and identify long-standing flaws. According to The Hacker News, initial access was given to major vendors to accelerate fixes before public release.
Q: Why were fewer than 1% of discovered vulnerabilities patched?
A: Scale and context. Organizations received a high volume of findings with limited exploitability detail, ran into ownership ambiguity, feared breaking production without safety rails, and waited on vendors. Legacy systems, supply-chain complexity, and siloed tools compounded delays.
Q: How should we prioritize AI-discovered CVEs and findings?
A: Combine threat intel and business context. Start with CISA KEV, EPSS likelihood, exploit code availability, internet exposure, asset criticality, and lateral movement potential. Use clear SLAs (e.g., 24–72 hours for P1) and track “hours of critical exposure.”
Q: Does this mean traditional vulnerability scanning is obsolete?
A: No. It means scanning is necessary but insufficient. You need richer context, faster remediation, supply-chain hygiene (SBOMs, VEX), and tight integration with SIEM/XDR and SOAR to turn findings into action.
Q: How can smaller teams keep up without massive budgets?
A: Focus on leverage:
– Auto-patch endpoints/browsers/agent software.
– Use managed detection and response (MDR) with strong integration.
– Prioritize only KEV-aligned, internet-exposed, and high-value assets first.
– Adopt canary deploys/feature flags to reduce patch risk.
– Leverage open frameworks (SSDF, SLSA) and cloud-native guardrails.
Q: Should we block AI tools in security to avoid risk?
A: Don’t block—govern. Use AI to enrich tickets, summarize alerts, and draft fixes, but require human review, redact sensitive inputs, and log outputs. AI can drastically cut triage time when used responsibly.
Q: How do we simulate LLM-driven attackers without crossing legal/ethical lines?
A: Run purple team exercises in owned environments with leadership approval, focus on speed patterns over novel exploit creation, use deception tech and canaries, and convert findings into detections and guardrails.
Q: What metrics should we report to leadership?
A: MTTR by severity, SLA compliance for KEV-aligned issues, hours of exposure on internet-facing critical assets, rollback rate (trending down), SBOM coverage, and identity blast radius (admin roles, stale keys). These directly reflect reduced risk.
Q: Will AI replace human security engineers?
A: No. AI accelerates pattern discovery and triage, but humans still make contextual risk decisions, design safe change processes, and lead incident response. The winning model is human-led, AI-augmented defense.
