Software security has always worked a bit like medicine does.
Doctors look for problems, diagnose what’s wrong and prescribe treatments before things get worse. Software operates much the same way. Engineers discover bugs, developers issue patches and companies hope fixes arrive before attackers find the same weaknesses.
It’s not perfect. But underneath this messy process one thing has always remained the same.
Everyone was operating at human speed.
That gave software teams time to find problems and fix mistakes before they turned into disasters.
This basic system survived the rise of the internet, smartphones and cloud computing.
But it’s beginning to look like AI just broke it.
Project Glasswing
Anthropic just issued a new Project Glasswing update.
And it’s a doozy.
As a reminder, Project Glasswing is Anthropic’s effort to use AI to automatically search software for hidden security flaws before hackers can exploit them.
To do that, Anthropic used its new Mythos AI to scan more than 1,000 open-source software projects, mostly tools and code libraries that help power websites, cloud platforms and large parts of the modern internet.
And Mythos found a LOT of potential weaknesses.
According to Anthropic, the system identified more than 23,000 possible software vulnerabilities. More than 6,200 were considered “high” or “critical” severity, meaning they could potentially allow attackers to steal data, crash systems or gain unauthorized access to software.
That’s already a huge number. But another statistic is perhaps more telling.
Because one of the biggest problems with AI security tools is that they often produce false alarms. They can flag harmless code as dangerous, which wastes enormous amounts of time for developers trying to sort through the results.
But Anthropic says that of the high- and critical-severity findings reviewed so far, more than 90% turned out to be legitimate vulnerabilities.
That suggests Mythos isn’t just generating noise. It’s finding real problems at a scale humans would struggle to keep up with.
Software security has always been a race.
Attackers search for weaknesses they can exploit, while developers and security teams rush to find and fix those same flaws first. The side that moves faster usually wins.
But it mostly worked because humans are slow to discover software vulnerabilities.
Finding serious software flaws requires rare expertise, patience and time. You need people who understand code well enough to spot mistakes other people missed. That makes vulnerability research valuable, but also limited.
AI changes the equation.
That’s because it gives both defenders and attackers a way to search for weaknesses faster, across more code, with fewer human bottlenecks.
This doesn’t mean every teenager with a chatbot can suddenly become an elite hacker. But it does mean the old scarcity is starting to disappear.
And we’re already seeing it happen.
Google recently said it disrupted a criminal group that used AI to help discover and weaponize a previously unknown software vulnerability before a planned mass exploitation event.
John Hultquist, chief analyst at Google’s Threat Intelligence Group, noted: “The era of AI-driven vulnerability and exploitation is already here.”
But we’ve known it’s been coming for a while.
For years, cybersecurity experts warned that AI could eventually help attackers find and exploit hidden weaknesses. Now one of the world’s largest technology companies is acknowledging that the time has arrived.
And the numbers suggest this problem is getting worse.
Verizon’s 2026 Data Breach Investigations Report found that software vulnerabilities were responsible for 31% of data breaches, making them the most common way attackers break into systems today.
Image: Verizon’s 2026 Data Breach Investigations Report
It means attackers are no longer just tricking people into handing over passwords. They’re increasingly breaking directly through weak spots in software.
And if AI makes those weak spots easier to find, then the entire security model has to change.
That’s the conclusion the recent Project Glasswing update is pointing to.
The old pattern of companies releasing software, security researchers discovering weaknesses, developers creating fixes and users downloading updates is still the norm today.
You don’t need to look any further than Microsoft’s monthly Patch Tuesday updates to see it in action.
But that system was built for a world where humans set the pace.
AI is making that pace obsolete.
In fact, Anthropic says some developers already asked for more time to fix the vulnerabilities Mythos uncovered. Not just because they wanted to verify its findings, but because it found too many legitimate problems too quickly.
That shows you why things need to change.
The difficult part of cybersecurity used to be discovering hidden vulnerabilities. Now AI is starting to make it the easy part.
Which means the next big challenge will be to fix everything AI uncovers before the wrong people can exploit it.
Here’s My Take
The world runs on software now.
Banks, hospitals, utilities, defense contractors, airlines, factories and cloud platforms all depend on code that is constantly changing.
But that code is never perfect. And the more software we build, the more hidden weaknesses we create.
AI is enabling programmers to write software faster than ever. But it’s also allowing hackers to find vulnerabilities just as quickly.
Fortunately, parts of the tech world are already preparing for this future.
Earlier this year, DARPA held its AI Cyber Challenge, where autonomous AI systems competed to discover and patch software vulnerabilities with minimal human involvement.
That suggests the next generation of cybersecurity will look less like monthly software updates…
And more like a constantly active immune system.
Regards,
Ian KingChief Strategist, Banyan Hill Publishing
Editor’s Note: We’d love to hear from you!
If you want to share your thoughts or suggestions about the Daily Disruptor, or if there are any specific topics you’d like us to cover, just send an email to [email protected].
Don’t worry, we won’t reveal your full name in the event we publish a response. So feel free to comment away!
