Project Glasswing and the Soft Underbelly Problem
Anthropic just announced Project Glasswing, a coalition of major tech and security companies built around a new unreleased model called Claude Mythos Preview. The short version: the model has been finding zero-days in every major operating system and browser, including bugs that survived decades of human review and millions of automated tests.
If you haven't read the announcement yet, it's worth ten minutes.
Models like Mythos will eat a big chunk of routine bug bounty work. They are fast, thorough, and good at finding the same classes of issues most researchers find. The top 1% is different. Look at PortSwigger's Top 10 Web Hacking Techniques of 2025: unicode normalization to bypass WAFs, cross-origin leaks through Chrome's connection pool prioritisation, turning ORM search filters into a broad exploitation method. That kind of lateral thinking is still hard to automate.
But the announcement barely touches the part that matters most.
You don't need creativity when you have reach
The economics of cybersecurity have always been roughly: the value of what you're protecting determines what you spend on defence. Banks spend more than bakeries. Critical infrastructure gets hardened.
Attackers follow the same logic. Go after the big targets, that's where the money is. Problem is, big targets tend to have big security teams.
So attackers go sideways, into third parties.
Everyone in security knows your vendor's vendor can be the weakest link. The hard part was exploiting that path at scale.
Mapping is painful. Figuring out how a target's third-party ecosystem connects to core infrastructure takes tedious recon: which SaaS tools they use, which open-source libraries are buried in the stack, which obscure regional provider handles DNS or email filtering.
These are not household names. When you're doing recon on a Fortune 500, you usually start with primary domains, public apps, and APIs. The internal managed file transfer vendor or compliance tool with read access to production data often does not show up in basic subdomain enumeration.
Even after you find a soft target, you still need to understand the trust relationship to the real target. That used to be hours of manual work for an uncertain payoff.
That friction acted like accidental security-through-obscurity.
AI agents don't get bored
This is where Glasswing is understated.
A model does not need novel attack vectors. It just needs to operate in the world as it is, where organizations miss obvious patches because vulnerable systems sit outside normal visibility.
From an attacker's perspective, the main app gets pentests, bug bounty attention, and regular patching. Sitting next to it is the:
- Obscure internal tool that hasn't been updated since 2019 but has network access to production databases
- Regional SaaS provider that handles some niche compliance function and stores API keys to your core systems
- Open-source library maintained by one person, buried six levels deep in your dependency tree
- Legacy integration that nobody fully understands but nobody dares turn off because "something might break"
These systems underpin sensitive infrastructure. They are not hidden, just painful to find and tedious to traverse. A human attacker might need days or weeks to map the relationships and work through them.
An AI agent just follows the graph. Systematically, at scale, without getting distracted or frustrated. No creative genius required.
The uncomfortable bit
Glasswing is scanning Linux, Chrome, Windows, and OpenBSD. That's the right place to start. Those codebases are maintained and heavily audited.
Meanwhile, there is a long tail of software nobody audits. Stuff that is "not important enough" for a security review but still ends up as a dependency of half the internet.
For many of these systems, the real barrier was never sophistication. It was effort. And effort just got cheap.
TIP
The premium on creative exploitation goes down. The premium on mapping and systematic traversal goes up. That shifts who is exposed.
When an agent can map your third-party ecosystem, identify which provider runs a known-vulnerable framework version, resolve the trust path to production, and chain it together, you do not need a zero-day. You need an old CVE nobody patched because the system was off everyone's radar.
So what do you actually do about this
What counts as an attractive target has changed. Obscure systems used to be safe-ish because discovery and exploitation costs were high relative to payoff. That assumption is gone.
I've seen this exact pattern in real environments: teams lock down their crown-jewel apps while legacy integrations and vendor tooling keep broad access quietly in the background. That mismatch is where trouble starts.
Three practical moves help:
Build and maintain a real dependency and trust graph
Track third-party services, transitive dependencies, data flows, and permissions. If you cannot answer "what can reach production data?" quickly, you have a visibility gap.Prioritize patching by trust-path risk, not asset prestige
The internal service nobody cares about can be higher risk than a flagship app if it sits on a privileged path.Test attack paths through suppliers, not just direct perimeter exposure
Vendor questionnaires are table stakes. You also need technical validation of how supplier compromise could move into your environment.
Full circle
Glasswing is good work, and the industry needs it.
The harder question is what happens when these same capabilities point at the parts of the internet nobody watches: boring systems connected by boring paths to things that matter.
Picture an agent that maps your third-party ecosystem, finds the one vendor still running a 2021 build of Apache Struts, and pivots through their access into your environment. Nobody needed to be clever. The path was just tedious enough that no human bothered.
Bug bounty researchers will still find creative chains models miss. That is not going away. But the game around them changed.
The boring stuff is the dangerous stuff now.