What Project Glasswing Is—and Why It Matters Now
Project Glasswing is Anthropic’s collaborative cybersecurity initiative that uses advanced AI models to scan software for vulnerabilities before deployment, aiming to protect critical infrastructure systems and large-scale enterprise environments from emerging AI‑enabled cyber threats. In its latest expansion, Anthropic has grown Glasswing from about 50 initial partners to roughly 150 organisations across more than 15 countries, a rapid scale-up of AI‑driven software vulnerability detection. These partners span power, water, healthcare, communications, and hardware, where a single breach can affect tens or hundreds of millions of people. Central to the program is Claude Mythos Preview, a specialised model for AI code scanning that can inspect large, complex codebases. Early participants reported discovering over 10,000 high‑severity flaws in critical infrastructure software, suggesting that even long‑standing systems still contain hidden weaknesses that standard testing and traditional enterprise cybersecurity methods have missed.

How Mythos AI Changes Software Vulnerability Detection
Claude Mythos Preview is designed for large‑scale software vulnerability detection, including weaknesses in operational technology that runs power grids, industrial equipment, pipelines, and data centres. Anthropic reports that Mythos Preview has found vulnerabilities that survived decades of human review and millions of automated tests, and that it can also build sophisticated exploits for those flaws. This dual capability is why access is limited to vetted Glasswing partners rather than released as a general tool. Dragos, an industrial cybersecurity company, has joined Glasswing to test its own products and understand how frontier AI performs against software that supports operational technology environments. This AI code scanning step is shifting security work left, towards development and pre‑deployment stages, so that critical infrastructure security depends less on reactive patching and more on early detection of defects before they are exposed to attackers.

IBM, Red Hat, and the $5B Project Lightwell Clearinghouse
IBM and Red Hat have joined Project Glasswing while launching Project Lightwell, a USD 5 billion (approx. RM23.15 billion) effort focused on open source security across the full software lifecycle. Lightwell adds a trusted clearinghouse that ingests vulnerability data from real‑world deployments, validates issues with AI‑assisted testing, and delivers production‑ready patches through subscription services. This open source security clearinghouse brings AI‑assisted engineering and more than 20,000 engineers to bear on patch development, dependency hardening, and release engineering. According to IBM, its teams already work with more than 62,000 open source packages and maintain deep expertise in over 10,000 of them, from Linux and Java to Kubernetes, Kafka, Ansible, and Terraform. By tying Glasswing’s AI code scanning to Lightwell’s patch pipeline, enterprises gain a path from detection to remediation that fits into existing software supply chains.

A New Partnership Model For Enterprise Cybersecurity
Project Glasswing’s expansion highlights a partnership model where hyperscale vendors, critical infrastructure operators, security firms, and open source foundations share an AI‑enabled view of risk. Participants include major platform companies, financial institutions, and industrial security vendors who are aligning on common workflows for reporting, triage, and patching. Glasswing concentrates on finding weaknesses in critical infrastructure software, while Project Lightwell standardises how vulnerabilities in open source components are reported downstream and disclosed upstream to maintainers. This reduces fragmentation in how enterprises handle software vulnerabilities spread across thousands of dependencies. The program also sets expectations about who should access Mythos‑class capabilities and under what safeguards. As other AI firms prepare comparable models within 6–12 months, enterprises will have to weigh speed and openness against the risk of putting offensive‑grade tools in unvetted hands.

Implications: Proactive Critical Infrastructure Security in the AI Era
Glasswing’s growth to 150 partners signals that proactive critical infrastructure security is becoming a mainstream requirement rather than a niche concern. Early results—nearly 3,900 high‑ or critical‑severity flaws identified in open source software and more than 10,000 high‑severity issues in critical infrastructure environments—show how much risk was hidden in code supporting essential services. As AI systems improve at both discovery and exploitation, defenders are racing to adopt AI code scanning and coordinated vulnerability management before attackers do the same. The combination of Mythos AI for deep analysis and Lightwell’s clearinghouse for open source security gives enterprises a template: use frontier models to probe core software, then push fixes through managed supply chains. The emerging question for enterprise cybersecurity is not whether to use AI, but how to embed these tools responsibly without increasing the overall attack surface.






