AI Shift: From Patching to Pathing
Anthropic’s recently announced “Project Glasswing” has sent ripples through the cybersecurity world. The initiative provides a select group of major organizations, including Amazon, Apple, Microsoft and Cisco, with access to the Mythos model.
The stated goal is to proactively identify and patch vulnerabilities before they can be exploited by malicious actors. The capabilities of the Mythos model are undeniably impressive – it has reportedly been used to autonomously discover thousands of significant vulnerabilities.
Project Glasswing, though, serves to highlight a stark reality: our traditional approach to security is being fundamentally outpaced.
Running Faster to Stand Still
For years, the cybersecurity industry has been locked in a sprint race of vulnerability discovery and patching. We are constantly in a reactive mode, running to plug holes before they are exploited. While vulnerability management and patching are, and will remain, crucial components of any security program, they are not enough.
Project Glasswing, by automating the discovery of vulnerabilities, threatens to accelerate this treadmill to an unsustainable pace.
If we are already struggling to keep up with the current volume of vulnerabilities, how can we possibly hope to keep pace?
When, Not If
Instead of focusing solely on individual vulnerabilities, we must shift our perspective to a more holistic view of our systems and the potential paths an attacker could take. The core of this approach is the assumption that a vulnerability will be exploited. With this mindset, the focus changes from simply patching a hole to understanding and mitigating the potential impact of an exploit.
Consider a scenario: Mythos discovers a high-severity browser vulnerability in a standard corporate deployment.
Vulnerability Focus: The vulnerability management team races to patch the flaw. If they succeed before an exploit is released, the organisation is safe, but only temporarily. The “treadmill” forces them into an endless race against time, where success is simply maintaining the status quo, and failure means a breach. This reactive approach treats all vulnerabilities equally and relies entirely on speed.
Attack Path Focus: You have already mapped the paths from every common component, including the corporate browser, to your critical assets. You recognize that even if an attacker exploited the browser vulnerability, the lateral movement required to reach the customer database (your critical asset) is controlled by micro-segmentation, strong identity and access management principles, or a zero-trust network policy. Your defence posture doesn’t rely solely on patching a single flaw; it relies on preventing the exploit from achieving its ultimate objective.
This scenario shows the difference: a focus on patching alone means an organisation’s defence breaks the moment one vulnerability is missed or delayed. A focus on attack paths means an organisation is resilient even in the face of exploited vulnerabilities, which, given the potential scale of AI-discovered flaws, is now inevitable.
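The attack-path view of this scenario can be sketched as a small reachability check. This is an added example, not code from the original post or from Telana; the asset names, the edges and the extra jump-host route are constructed assumptions, and the control labels mirror the three controls named above.

```python
from collections import deque

# Constructed environment: (source, destination, control that blocks the hop, or None).
EDGES = [
    ("corporate-browser", "workstation", None),
    ("workstation", "file-server", None),
    ("workstation", "app-server", "micro-segmentation"),
    ("file-server", "app-server", "zero-trust-policy"),
    ("app-server", "customer-db", "iam-least-privilege"),
    ("workstation", "jump-host", None),
    ("jump-host", "customer-db", "iam-least-privilege"),
]

def attack_paths(edges, start, target, enforced=frozenset()):
    """All loop-free paths start -> target over hops no enforced control blocks."""
    graph = {}
    for src, dst, control in edges:
        if control is None or control not in enforced:
            graph.setdefault(src, []).append(dst)
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in graph.get(path[-1], []):
            if nxt in path:          # skip cycles
                continue
            if nxt == target:
                paths.append(path + [nxt])
            else:
                queue.append(path + [nxt])
    return paths

def choke_points(edges, start, target, enforced=frozenset()):
    """Controls that, added on top of `enforced`, cut every remaining path."""
    controls = {c for _, _, c in edges if c}
    return sorted(
        c for c in controls - set(enforced)
        if not attack_paths(edges, start, target, set(enforced) | {c})
    )

if __name__ == "__main__":
    src, crown = "corporate-browser", "customer-db"
    print("no controls:", attack_paths(EDGES, src, crown))
    seg = {"micro-segmentation", "zero-trust-policy"}
    print("segmentation only:", attack_paths(EDGES, src, crown, seg))
    print("single controls that cut all paths:", choke_points(EDGES, src, crown))
```

In this constructed graph, segmentation alone still leaves the jump-host route to the database open, which is the kind of residual path the mapping exercise is meant to surface.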
Through The Glasswing
Looking beyond Anthropic, cybersecurity expert Bruce Schneier called Glasswing a PR play and discussed a company named Aisle, which was able to replicate the core findings using older, public models.
OpenAI is concurrently accelerating the defensive capability curve with the scaling of its Trusted Access for Cyber (TAC) program and the introduction of GPT-5.4-Cyber, a model purposely fine-tuned for increased cyber-permissiveness and advanced defensive workflows, including binary reverse engineering capabilities.
The UK government’s AI Security Institute (AISI) has also published an independent evaluation of Mythos’s cyberattack capabilities.
AISI’s findings show that while Mythos isn’t significantly different from other frontier models in tests of individual cybersecurity tasks, it sets itself apart through its ability to effectively chain these tasks into the multistep series of attacks necessary to fully infiltrate some systems.
This capability is precisely why the focus must shift to attack paths. An autonomous attacker capable of chaining dozens of steps renders a defence focused on patching a single flaw instantly obsolete; only a defence that maps and breaks the attack chain across multiple layers can stop it.
The skepticism and competition, however, only strengthen the argument: the race had already started before Mythos.
Changing Pace
Project Glasswing & Mythos are a clear indication of the direction in which AI is taking cybersecurity. While the offensive capabilities of such technology are a cause for concern, they also present an opportunity to revolutionise our defensive strategies.
The key is to move beyond our reactive, vulnerability-focused approach and embrace a more proactive, multi-layered security posture. By assuming that vulnerabilities will be exploited and focusing on protecting our critical resources, we can build more resilient systems that are better equipped to withstand the next generation of cyber threats.
The shift heralded by technologies like Project Glasswing isn’t a future problem; it’s a present-day imperative. Continuing to rely solely on keeping up with the treadmill is no longer a viable strategy.
Now is the time to ask: what can be compromised when a vulnerability is exploited?
How We Can Help
At Telana, we specialise in helping businesses navigate this evolving landscape. Our expertise in cyber security includes attack path analysis and modern, multi-layered defence strategies to help you build a more resilient security posture. We can work with you to identify and protect your most critical resources, ensuring your business is prepared for the next generation of cyber threats.
Reach out to schedule a security strategy consultation and learn how to turn the focus from chasing vulnerabilities to securing what matters most.
Written by Jack Lee, Cloud & IAM Security Principal, Telana – originally posted on LinkedIn.