Project Glasswing partner confronting shift in speed, scale of AI cyber threats
AI systems that can find vulnerabilities and write exploits faster than humans are forcing companies and government agencies to rethink cyber defense around machine-speed response, CrowdStrike executive Drew Bagley says.
The concern is no longer theoretical. Anthropic says its unreleased Claude Mythos model has identified thousands of high-severity vulnerabilities, including flaws in every major operating system and web browser, and has developed related exploits in many cases. Anthropic launched Project Glasswing to put those capabilities to work defensively with a group of major technology and security partners, including CrowdStrike.
Bagley, CrowdStrike’s chief privacy officer, says Mythos and Glasswing point to a larger shift in cybersecurity as AI compresses the time between vulnerability discovery, exploit development and the pressure to patch.
“We’re now in an era in which AI has been proven to be able to find vulnerabilities and write exploits at scale much quicker than humans can,” Bagley said in a conversation with Frank Cilluffo on the McCrary Institute’s Cyber Focus podcast.
The issue, Bagley says, is not limited to one model or one company. “We should think about this as an opportunity to think through this problem set now and assume that this is going to be just a widespread capability pretty soon,” Bagley said, including through open-source models and smaller, more specialized systems trained for cyber tasks.
CrowdStrike was asked to participate in Glasswing with Anthropic and in OpenAI’s program, Bagley said, because cybersecurity expertise is needed to evaluate model safety and operational impact. He says CrowdStrike has also launched Project QuiltWorks, the company’s own effort to bring together CrowdStrike technology, frontier AI models and systems integrators to help customers discover vulnerabilities faster and operationalize patching.
That operational piece matters because vulnerability management was already difficult before AI accelerated discovery. Bagley points to existing systems such as CISA’s Known Exploited Vulnerabilities catalog and says the task now is to update vulnerability sharing and prioritization infrastructure for scale, rather than start from scratch.
AI could also change how organizations understand the risk of known vulnerabilities. Bagley says defenders have traditionally prioritized remotely exploitable vulnerabilities over flaws requiring local access. But AI may make it easier to chain multiple weaknesses together into what he calls an “exploit stack,” turning vulnerabilities that once appeared lower priority into part of a practical attack path.
That problem is especially acute in critical infrastructure and OT environments, where legacy systems may still rely on a degree of obscurity and may not be easy – or even possible – to patch. Bagley says some operators are still running hardware that may be decades old, including systems never intended to be connected to the internet. As AI makes it easier to find and combine vulnerabilities, weaknesses that once seemed latent may become newly exploitable.
For Bagley, the lesson is broader than Glasswing, QuiltWorks or any single AI model. Cybersecurity programs need to assume attackers and defenders will both move faster, and that human-speed processes will struggle unless organizations redesign around continuous discovery, automated response and human oversight.
“How do you do cybersecurity in an era of machine speed?” Bagley says. “That really is AI-powered cybersecurity.”