Security pros see Anthropic’s AI assistance as boost for bug fixers—mostly
While some pros see benefits from an AI-powered vulnerability finder, one cybersecurity professor sees a big target.
Like a giant Citronella candle, AI research company Anthropic has a big idea for getting rid of lots of bugs.
In its April 7 announcement, the maker of the Claude family of large language models (LLMs) said it will allow a set of 40-plus companies supporting “critical software infrastructure”—Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks—to use its Claude Mythos Preview model to identify vulnerabilities in their code.
In a blog post preceding the announcement, Anthropic’s research team claimed that Mythos Preview found decades-old vulnerabilities, including “a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security.”
Some security professionals expressed guarded optimism about the initiative, dubbed Project Glasswing, citing its ability to identify software vulnerabilities faster than human researchers can.
“We’re deploying vulnerabilities faster than we could possibly ever deploy fixes for those vulnerabilities, so we’re always behind. This is a chance for us to get ahead,” Ed Skoudis, president of the SANS Technology Institute and founder and CEO of the penetration testing company Counter Hack, told IT Brew.
So. Many. Exploits. Exploit intelligence company VulnCheck tracked over 14,400 exploits in 2025 developed for 10,480 unique common vulnerabilities and exposures or “CVEs”—a 16.5% “YoY increase in same‑year CVE exploit coverage.”
In its announcement, Anthropic said Mythos Preview has already identified “thousands of high-severity vulnerabilities” across operating systems, web browsers, and other digital infrastructure, including a 16-year-old vulnerability in widely used video encoder and decoder FFmpeg and several vulnerabilities in the popular Linux kernel software that could “allow an attacker to escalate from ordinary user access to complete control of the machine.”
A report in Transformer, however, raised concerns that Mythos Preview has previously broken its own design rules.
But adversaries like AI, too. A cyberattacker with a powerful vulnerability finder is dangerous, of course. Nick Reese, adjunct assistant professor at NYU’s SPS Center for Global Affairs, sees Project Glasswing as an enticing trove for threat actors.
“They are creating a database of incredibly valuable intelligence and military operational data that nation states and independent cyber actors alike are going to want to get their hands on,” Reese said. “And so my first reaction when reading this was, ‘Wow, that’s a big target.’”
Nigel Douglas, head of developer relations at cloud-native artifact management platform Cloudsmith, sees the LLM project helping major tech companies reduce the massive effort involved in finding software vulnerabilities, while also helping those users “downstream” who rely on the software components.
“If Glasswing does one thing, which is essentially finding flaws that could be exploited, it just makes dependencies ultimately safer, and we have greater trust in what we end up consuming as organizations,” Douglas said. (Douglas also noted the importance of tracking how many new codebase updates, or pull requests, “are ultimately solving problems.”)
Security research has been getting increasingly AI-ified. Security vendors today offer agentic vulnerability management capabilities, and major LLM makers like OpenAI have developed automated security research tools such as Aardvark.
Skoudis, who also said his pen-test team uses AI tools like local and frontier models to analyze source code, remains optimistic about Project Glasswing. The effort, he said, is a chance to “drain the swamp of vulnerabilities before the attackers are able to go in with a follow-on model and find vulnerabilities. Because they don’t exist anymore.”
“It’s an arms race, and they’re trying to tip the hand in favor of the defenders.”
About the author
Billy Hurley
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.