Anthropic’s Glasswing spreads its wings

A major expansion of Anthropic’s Glasswing project is planning for a future where cybersecurity is managed largely by AI.

Anthropic made the announcement on June 2 in a blog post detailing the success of the pilot program, in which 50 partners were invited to test the cyberattacking abilities of Claude Mythos Preview, an LLM with the reported ability to quickly discover vulnerabilities.

The company said that it is “extending the partnership to approximately 150 new organizations,” all of which it said will have to pass a security check.

Included in the new slate are security firms and open-source providers, as well as the US government. It’s a good move on Anthropic’s part, said Jessica Ji, senior research analyst at Georgetown’s Center for Security and Emerging Technology. Ji added that while the barrier to entry in detecting issues has been significantly lowered, patching remediation remains a bottleneck.

“With a lot of these critical infrastructure providers especially, it is really, really difficult to patch and remediate vulnerabilities,” Ji told IT Brew. “There’s still a huge, open question on how much this will actually benefit organizations and people with fewer resources who are less well-positioned to kind of adapt to this kind of technology.”

Gunter Ollmann, CTO at Cobalt, told IT Brew in an email that the project has shown impressive early results, indicating strong potential for increased coworking on the security front between humans and AI.

“The real lesson isn’t that AI is replacing security experts, it’s that the combination of AI-driven analysis and human expertise is proving far more effective than either operating alone,” Ollmann wrote. “The organizations that benefit most from these advances will be the ones that can rapidly validate, prioritize, and remediate the issues being discovered before attackers find them first."

Nonetheless, questions remain. Assuming Glasswing’s expansion plays out successfully, Ji said, it will continue to provide a good model for developers interacting with AI on the security side. But she has concerns the project could disrupt traditional public–private partnerships for cybersecurity issues.

“Do we want OpenAI and Anthropic to be, essentially, in charge of these kinds of partnerships going forward?” Ji asked. “What does this mean for the cybersecurity ecosystem as a whole when you have AI companies being able to set the terms of the partnerships and invite people in?”