When an AI company tells the world its own model is too dangerous to release without a global defense coalition, it's time to rethink everything you know about vulnerability management.
Last week, Anthropic announced Project Glasswing, a coalition of AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, united around a single alarming insight: AI models have reached a level of capability where they can find and exploit software vulnerabilities better than virtually any human.
Their unreleased model, Claude Mythos Preview, autonomously discovered thousands of zero-day vulnerabilities, including a 27-year-old flaw in OpenBSD, a 16-year-old bug in FFmpeg that survived five million automated test runs, and a full exploit chain in the Linux kernel. Every major operating system. Every major browser. All found without human guidance.
This isn't a vendor pitch. This is an AI company telling the world: the offense-defense balance in cybersecurity just tipped, and we need a global coalition to keep up.
The question for every CISO, security architect, and engineering leader is simple: what does this mean for you, and what should you do about it right now?
The Old Model Is Broken
For decades, cybersecurity operated on a comforting assumption: finding and exploiting vulnerabilities required rare, specialized expertise. A skilled attacker might find a zero-day after months of research. Defenders had time, not unlimited time, but enough to run quarterly scans, schedule annual pentests, and process patches through change advisory boards.
That assumption is gone.
When AI models can autonomously discover critical vulnerabilities in minutes, flaws that evaded human review for decades, the entire tempo of cybersecurity changes. Mean Time to Exploit is approaching zero. And if your Mean Time to Patch is still measured in weeks or months, you're operating in a fundamentally different reality than your adversaries.
The window between a vulnerability being discovered and being exploited by an adversary has collapsed: what once took months now happens in minutes with AI.
The implication is stark: point-in-time security is over. Continuous, automated, policy-driven security is the only viable path forward.
What Companies Need to Do Now
Project Glasswing is designed for the tech giants who build the world's foundational software. But most enterprises aren't building operating systems or browsers; they're running them, alongside hundreds of applications, cloud services, containers, and embedded systems.
These organizations won't get a seat at the Glasswing table. But they face the same threat landscape, and they need the same capabilities: continuous visibility, intelligent prioritization, and automated remediation, at a scale and speed that matches the new reality.
1. Policy as Code: Define Your Security Posture Programmatically
If your security policies live in PDF documents and wiki pages, they can't keep pace with AI-speed threats. Policy as Code means encoding your security requirements, hardening baselines, compliance mandates, configuration standards, as executable, version-controlled policies that are continuously enforced across your entire infrastructure.
This is the foundation everything else builds on. You can't automate what you haven't codified. And when a new vulnerability disclosure drops, you need to be able to answer "are we affected?" and "are we compliant?" in seconds, not days.
At Mondoo, Policy as Code is the core of our platform. We provide hundreds of out-of-the-box security policies covering CIS benchmarks, SOC 2, ISO 27001, BSI IT-Grundschutz, and more, all expressed as code, all continuously evaluated, all version-controlled. When a new threat emerges, you update a policy and instantly know your exposure across every asset.
2. Continuous Assessment, Internal and External
Annual pentests and quarterly vulnerability scans were designed for a world where threats moved slowly. In the post-Glasswing world, assessment must be continuous across two dimensions:
Internal Attack Surface: Every server, container, Kubernetes cluster, cloud workload, and endpoint needs to be continuously scanned against your security policies. Not once a quarter. Not once a week. Continuously. Misconfigurations, unpatched software, drift from hardening baselines, all of it detected in real time.
External Attack Surface (EASM): Your adversaries see you from the outside first. Exposed services, forgotten subdomains, misconfigured cloud storage, certificate issues, shadow IT, all of these are entry points that AI-powered attackers will find faster than ever before. Continuous external attack surface management gives you the same outside-in view that an attacker has, before they exploit it.
Mondoo unifies both perspectives in a single platform. Our agents and agentless scanning cover internal infrastructure from bare metal to Kubernetes to multi-cloud, while our EASM capabilities continuously map and assess your external exposure. One platform, one policy framework, complete visibility.
3. Automated Remediation to Shorten Patch Cycles
Knowing about a vulnerability is necessary but not sufficient. If your remediation workflow involves opening a ticket, waiting for a change window, manually testing, and then deploying, you're losing the race against AI-speed exploitation.
Automated remediation means moving from "we found it" to "we fixed it" without the manual bottlenecks that turn days into weeks. This includes automated patch deployment, configuration remediation, and, critically, the ability to validate that a fix was actually applied and didn't introduce regressions.
The goal isn't to remove humans from the loop entirely. It's to remove the unnecessary friction that turns a two-hour fix into a two-week process. Humans should make decisions about risk tolerance and exceptions. Machines should handle the execution.
Mondoo's remediation workflows integrate directly into your existing toolchain (CI/CD pipelines, ticketing systems, orchestration platforms), so that fixes flow automatically from detection through deployment. When a critical vulnerability drops, your response is measured in hours, not sprints.
4. SBOM Transparency Across the Software Supply Chain
The FFmpeg example from Project Glasswing is a wake-up call for software supply chain security. A single library, embedded in countless products across the industry, carried a critical vulnerability for 16 years. How many of those products knew FFmpeg was even in their dependency tree?
Software Bill of Materials (SBOM) transparency means knowing exactly what's in your software, every library, every dependency, every transitive inclusion, and being able to map any new vulnerability disclosure to the specific assets in your environment that are affected.
This goes beyond traditional vulnerability scanning. It means understanding your software composition at a granular level, so when the next critical advisory drops for a widely-used library, you can answer three questions immediately: Are we using it? Where? And what's our remediation plan?
Mondoo provides deep SBOM visibility across your infrastructure, from container images to cloud workloads to traditional servers. When a new CVE hits a library buried three levels deep in your dependency tree, you know within minutes which assets are affected and can trigger remediation workflows automatically.
5. Context-Based Prioritization
Here's the uncomfortable truth about AI-driven vulnerability discovery: it's going to generate an overwhelming flood of findings. When models like Mythos Preview can find thousands of zero-days autonomously, the bottleneck isn't discovery anymore, it's deciding what to fix first.
Not all vulnerabilities are equal. A critical RCE in an internet-facing production system is existentially different from the same CVE in an isolated dev environment. Prioritization must account for exploitability, asset criticality, business context, exposure, and compensating controls.
Without intelligent prioritization, security teams drown. They burn out chasing low-risk findings while critical exposures go unpatched. Or worse, they deprioritize everything because the volume is too high to process, a form of learned helplessness that attackers exploit ruthlessly.
Mondoo's risk-based prioritization engine scores vulnerabilities in the context of your actual environment. It factors in asset criticality, network exposure, exploitability data, and policy compliance to surface what actually matters. Instead of a flat list of 10,000 CVEs, your team sees a prioritized queue of actionable risks ranked by real-world impact.
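The following is an added example, not Mondoo code or output, that works through sections 4 and 5 together: a constructed SBOM dependency graph and asset context, an advisory mapped to the assets that transitively ship the vulnerable version (the "are we using it, and where?" question), and the hits ranked by exposure, environment, criticality and compensating controls. Every package name, version, weight and the advisory itself are constructed for illustration.

```python
# Constructed SBOM fragment (not real product data): package -> (version, direct dependencies)
SBOM = {
    "video-portal":     ((3, 1, 0), ["web-framework", "media-tool"]),
    "batch-transcoder": ((1, 4, 2), ["media-tool"]),
    "dev-sandbox":      ((0, 1, 0), ["media-tool"]),
    "hr-intranet":      ((2, 0, 0), ["web-framework"]),
    "media-tool":       ((0, 9, 0), ["libavcodec"]),
    "web-framework":    ((5, 2, 1), []),
    "libavcodec":       ((58, 54, 0), []),
}
# Constructed deployment context for the deployable assets (the roots of the graph)
ASSETS = {
    "video-portal":     {"internet_facing": True,  "env": "prod", "criticality": 5, "compensating": True},
    "batch-transcoder": {"internet_facing": False, "env": "prod", "criticality": 3, "compensating": False},
    "dev-sandbox":      {"internet_facing": False, "env": "dev",  "criticality": 1, "compensating": False},
    "hr-intranet":      {"internet_facing": False, "env": "dev",  "criticality": 1, "compensating": False},
}

def dependency_paths(root, target, graph=SBOM, path=None):
    """Every path from root to target through the dependency graph (depth-first, cycle-safe)."""
    path = (path or []) + [root]
    if root == target:
        return [path]
    return [p for dep in graph[root][1] if dep not in path
            for p in dependency_paths(dep, target, graph, path)]

def affected_assets(advisory, graph=SBOM, assets=ASSETS):
    """'Are we using it, and where?': assets whose tree reaches a version below the fixed one."""
    name, fixed = advisory["component"], advisory["fixed_in"]
    if name not in graph or graph[name][0] >= fixed:
        return {}
    hits = {a: dependency_paths(a, name, graph) for a in assets}
    return {a: p for a, p in hits.items() if p}

def priority(ctx, cvss, exploited):
    """Context-adjusted score: exposure and criticality raise it; isolation and a control lower it."""
    score = cvss * (1.5 if ctx["internet_facing"] else 0.6)
    score *= 1.0 if ctx["env"] == "prod" else 0.4
    score *= 0.7 if ctx["compensating"] else 1.0   # a compensating control reduces, never removes, risk
    score += 2.0 if exploited else 0.0              # observed exploitation outweighs the discounts
    return round(score * (1 + 0.1 * ctx["criticality"]), 1)

def triage(advisory):
    """Ranked queue of (score, asset, shortest dependency path) for every affected asset."""
    hits = affected_assets(advisory)
    ranked = [(priority(ASSETS[a], advisory["cvss"], advisory["exploited"]), a, min(hits[a], key=len)) for a in hits]
    return sorted(ranked, reverse=True)

# Constructed advisory (not a real CVE): libavcodec below 58.60.0 is vulnerable, exploitation observed
ADVISORY = {"component": "libavcodec", "fixed_in": (58, 60, 0), "cvss": 9.8, "exploited": True}
```

Running `triage(ADVISORY)` puts the internet-facing production portal first even though it sits behind a compensating control, the isolated dev sandbox last, and leaves the intranet app out entirely because its tree never reaches the vulnerable library.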
The Bigger Picture: Why This Moment Matters
Project Glasswing is significant not just for what it does, but for what it signals. When an AI company convenes the world's largest technology firms to address the offensive capabilities of its own model, it's an admission that the cybersecurity landscape is undergoing a phase change, not an incremental shift.
For security leaders, the takeaway is clear:
- Point-in-time security is obsolete. Continuous assessment is the new minimum.
- Manual workflows can't keep pace. Automation, from policy enforcement to remediation, is no longer optional.
- Visibility is existential. You can't defend what you can't see, internally or externally.
- Prioritization is survival. Volume will overwhelm teams that lack context-driven triage.
- Supply chain transparency is non-negotiable. The next critical vulnerability might be buried in a dependency you don't even know you have.
These aren't future requirements. They're current ones. The models that can find these vulnerabilities exist today. The question is whether your security posture is built for the world we're already living in.
How Mondoo Helps
Mondoo's Agentic Managed Vulnerability Service was built for exactly this moment. We bring together Policy as Code, continuous internal and external assessment, automated remediation, SBOM transparency, and context-based prioritization in a single, unified platform.
We help enterprises move from reactive, periodic security to continuous, automated, policy-driven defense, because that's what the AI era demands.
Ready to see how Mondoo can help you prepare for the post-Glasswing world? Request an assessment and see what continuous, policy-driven security looks like in practice.