A few days ago, I called a friend. He is a CISO at one of the largest financial services enterprises in the country. Not someone who trades in drama. Twenty-plus years defending systems that move billions of dollars. I asked him what I should be telling business leaders right now about cyber risk.
His answer stopped me.
“Focus on Project Glasswing from Anthropic. It will change everything from a vulnerability management perspective. Cybersecurity is done at this point unless we make major adjustments.”

Here is what he is talking about.
On April 7, Anthropic revealed that its newest AI model can autonomously find and exploit software vulnerabilities across every major operating system and every major web browser. In a few weeks, it identified thousands of flaws that had been missed by every human reviewer and every automated security tool for years. One flaw was 27 years old, sitting inside one of the most security-hardened systems on the planet. Another was 17 years old and would give an attacker complete control of a server from anywhere on the internet.
The model did not just find them. It built working exploits. On its own. Without human guidance.
How different is this from what came before? When tested against the same set of vulnerabilities, the previous best AI model succeeded in writing a working exploit twice out of several hundred attempts. This new model succeeded 181 times.
Anthropic looked at what they had built and made a decision that almost never happens in the tech industry. They decided it was too dangerous to release publicly. Instead, they restricted access to a coalition of the largest technology and financial companies in the world: Microsoft, Apple, Google, Amazon, JPMorganChase, CrowdStrike, and a handful of others. Those companies can use it to find and fix vulnerabilities in their own systems.
Which raises the question every business leader should be asking. What about everyone else?
If your business runs software built by vendors outside that group, your exposure just changed. If your IT provider or MSP is not tracking this shift, they are already behind. If you are preparing for a transaction, a recapitalization, or any event that puts your business under a microscope in the next 36 months, diligence teams will eventually ask whether your cyber posture accounts for AI-driven threats. If you cannot answer that, it becomes a lever for valuation.
Here is what this means in practical terms.
The speed at which vulnerabilities can be found and exploited changed permanently on April 7. Your current patching and remediation processes were designed for a world where new flaws were discovered at human speed. That world is gone. And the capabilities that made this possible were not specifically engineered. They emerged as AI got better at reading and reasoning about code. Which means other models, including ones that will not be restricted, will develop the same abilities. It is a question of when, not if.
AI did not create these vulnerabilities. They were always there, buried in code that billions of people depend on. AI removed the barrier that kept them hidden, for defenders and attackers alike, at a pace nobody was prepared for.
The question is not whether your business will be affected. It is whether you will adjust before or after it is.
Cyber risk is not about what you think or feel. It is about what you can prove.
And the timeline to prove it just got a lot shorter.
Mike Fitzpatrick
Founder and CEO, NCX Group
Distinguished Fellow, Ponemon Institute
P.S. If you are not sure whether your security team has heard of Project Glasswing, that is the first conversation to have. Not about the technology. About whether the people protecting your business are seeing what is coming. I wrote a longer version of this with the full breakdown and a set of questions for leadership on our site. It is there if you want it.
Repost from LinkedIn – https://www.linkedin.com/pulse/day-rules-changed-mike-fitzpatrick-ewh8c/