Anthropic on Tuesday announced that it was adding 150 more companies to its Project Glasswing AI-based vulnerability hunting initiative, with a particular focus on critical infrastructure companies including those involved in “power, water, healthcare, communications and hardware.”
Analysts and security vendors agreed that the move is a positive step, noting that the more companies involved in bug identification, the better. But the bigger background issue is a practical one: the bottleneck problem.
If Project Glasswing, and similar projects from other major AI vendors, increase the stream of vulnerability identifications by 10 or more times, will vendors be able to triage and patch them in a timely manner? Vendors have historically been notoriously slow to patch known security issues. Microsoft, for example, recently argued with a security researcher who went public with holes because he felt that Microsoft was too slow in addressing them.
And even if those vendors can keep up, are enterprise SOCs going to be able to keep up with the avalanche of patches? And if extensive automation is deployed to generate those patches, will CISOs trust them enough to let them be deployed without manual verification? Trust is not a common CISO trait.
“What each partner has in common is that a successful attack on their codebase could be catastrophic. For most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security,” Anthropic said in its blog post announcing the new participants. “This expansion is the next step toward our long-term goals: for AI to make all software more secure, and for us to help the industry adjust to how AI could change many of the core assumptions of cybersecurity.”
Glasswing was announced on April 7 and was initially supported by AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Okta later confirmed that it was also involved.
The patch bottleneck
The bottleneck problem is a difficult one to solve, given that even the largest vendors can only cost-justify so many resources for patching security holes and distributing those patches.
“The biggest issue is adaptability: once a vulnerability or weakness is found, defenders have to validate it, prioritize it, and fix it before attackers can operationalize the same insight. And that validation step matters,” said Tom Findling, CEO of Conifers.ai. “While testing the tool ourselves, we saw a lot of false positives, which means organizations cannot simply treat every finding as immediately actionable. They need the ability to separate signal from noise quickly, then adapt their processes, engineering workflows, and patching pipelines around the real issues.”
“The most important metric for organizations to track may not just be how many vulnerabilities are found, but how long it takes them to adapt once a credible issue is identified. For some organizations, that adaptation cycle can still take months,” he added. “Reducing that time-to-adapt is what will determine whether AI-assisted vulnerability discovery actually improves defense or just increases the speed and volume of security noise.”
A remediation problem
Justin Greis, CEO of consulting firm Acceligence, agreed that the Glasswing expansion may simply demonstrate to CISOs how much the security hole problem is shifting, not shrinking.
“It’s no secret that cybersecurity has been treated as a vulnerability discovery problem. AI is proving that it was really a remediation problem all along. The industry already struggles to validate, prioritize, patch, test, and deploy fixes fast enough. It may even be worse if security teams own the vulnerability identification and the IT teams, or the business teams, own the patching itself,” Greis said. “If AI can identify vulnerabilities 10x or 100x faster than humans, the bottleneck simply moves downstream. Organizations may soon find themselves in the uncomfortable position of knowing about far more vulnerabilities than they can realistically address. AI is turning cybersecurity from a visibility problem into an execution problem.”
Greis added a frightening prediction: “AI could make organizations simultaneously more secure and more overwhelmed, if that’s possible. They’ll have unprecedented visibility into their risk, but they’ll also discover just how large that risk really is.”
Trust required
Grace Trinidad, research director for AI security at IDC, said the bottleneck problem at the enterprise needs to be addressed via extensive automation. But given the lack of trust by cybersecurity staff, vendors must have a rigorous method for producing a numerical confidence score for every patch.
“Having a confidence score accompanying these patches is a new concept. There must be an ability of the enterprise to identify, triage and address the vulnerabilities that are specific to their environment,” Trinidad said. “We are learning a skillset that we are not ready for: How do we trust automated technologies? Given that we are having to move at this speed, that trust is going to get broken. Confidence scoring is a discipline that needs transparency. Don’t make the confidence [explanation] so complicated that you can’t explain it to a human being.”
Trinidad also noted that the Anthropic announcement pointed out that each of the 150 new participants, in Anthropic’s phrasing, “will need to meet our security requirements before they gain access.”
Trinidad said the security requirement claim doesn’t build confidence, because “nobody knows what those security requirements are.”
One possible solution is for security vendors to use high-trust third parties so that they are not seen as ‘grading their own homework’. Enterprise software vendor Workday is using a similar third-party approach, relying on trusted services that use public standards such as Mitre ATLAS to validate the security and compliance of AI agents using its platform. Workday’s approach deals with security checks and not reliability scores, but the idea could potentially be tweaked.
Expansion creates security concerns
Carmi Levy, an independent technology analyst, was more skeptical about what Glasswing will ultimately be able to accomplish by adding 150 more participants.
“The entire point of Project Glasswing was to allow Anthropic to work closely with a small, fully vetted group of vendors to develop stronger defenses against the cybersecurity risks posed by what was, and is, an entirely new LLM class that would otherwise pose unacceptable risks to existing protective technologies and protocols,” Levy said. “Expanding access into the hundreds may very well bring in more minds to build better defensive measures, but it simultaneously introduces significant concerns around potential leaks. And this from a company that has already reported two leaks involving this same model.”
Levy added, “in an ideal world, Anthropic would announce alongside this major expansion a parallel effort to tighten internal security protocols to ensure the code doesn’t fall into the wrong hands. Bringing in a much larger cohort of researchers signals to potential attackers that they will soon have a larger pool of potential targets, and fails to allay fears of future breaches.”