Project Glasswing: How AI-Driven Vulnerability Discovery Is Reshaping Cybersecurity for Defenders

On April 7, 2026, Anthropic announced Project Glasswing, a landmark cross-industry cybersecurity initiative that unites some of the world’s most influential technology companies in an urgent effort to secure the software that underpins critical infrastructure. Microsoft is a founding launch partner, and the initiative signals a pivotal shift in how the industry approaches vulnerability discovery, remediation, and defensive cybersecurity at scale.

This post breaks down what Project Glasswing means, how Microsoft is contributing, and why government IT leaders should pay close attention.

What Is Project Glasswing?

Project Glasswing brings together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in a collaborative effort to find and fix the most dangerous software vulnerabilities before adversaries can exploit them.

At the center of the initiative is Claude Mythos Preview, an unreleased frontier AI model from Anthropic that has demonstrated breakthrough capabilities in identifying and exploiting software vulnerabilities. The model has already autonomously discovered thousands of high-severity zero-day vulnerabilities, including:

  • A 27-year-old bug in OpenBSD, a system widely used to run firewalls and critical infrastructure
  • A 16-year-old flaw in FFmpeg, a media library used by countless applications, in a line of code that automated testing tools had executed five million times without catching the problem
  • Chained exploits in the Linux kernel that allowed escalation from ordinary user access to complete control of a machine

These are not theoretical findings. Each vulnerability has been responsibly disclosed and patched. The model’s performance on industry benchmarks is equally striking: 93.9% on SWE-bench Verified, 83.1% on CyberGym, and 77.8% on SWE-bench Pro.

Anthropic is committing up to $100 million in usage credits for Mythos Preview and $4 million in direct donations to open-source security organizations including the Linux Foundation and Apache Software Foundation. Access has also been extended to over 40 additional organizations that build or maintain critical software infrastructure.

Microsoft’s Role: Founding Partner and Active Contributor

Microsoft is deeply involved in Project Glasswing on multiple fronts. Igor Tsyganskiy, EVP of Cybersecurity and Microsoft Research, stated:

“As we enter a phase where cybersecurity is no longer bound by purely human capacity, the opportunity to use AI responsibly to improve security and reduce risk at scale is unprecedented… When tested against CTI-REALM, our open-source security benchmark, Claude Mythos Preview showed substantial improvements compared to previous models. We look forward to partnering with Anthropic and the broader industry to improve security outcomes for all.”

MSRC Is Evolving with AI

The Microsoft Security Response Center (MSRC) published a detailed companion blog post by Tom Gallagher, VP Engineering, describing how MSRC is adapting its processes for an era of AI-led vulnerability discovery. Key developments include:

  • Discovery at scale: AI can find more issues, more quickly, and across a broader surface area than previous methods. Models are now approaching the capability of experienced human security researchers.
  • Automated validation and remediation: MSRC is introducing automation to validate vulnerability severity and support remediation at AI speed, while keeping human developers in the loop.
  • Agentic red teaming: Microsoft is embedding AI vulnerability discovery directly into software development processes so issues are identified as code is written and shipped.
  • Continuous improvement through SFI: Insights from AI-assisted discovery flow back through Microsoft’s Secure Future Initiative (SFI), strengthening security by design, by default, and in operations.

CTI-REALM: Microsoft’s Open-Source Security Benchmark

Microsoft evaluated Claude Mythos Preview using CTI-REALM, an open-source benchmark developed by Microsoft to evaluate AI agents on real-world detection engineering tasks. Unlike traditional cybersecurity benchmarks that test theoretical knowledge, CTI-REALM measures whether an AI agent can operationalize threat intelligence into working detection rules validated against real attack telemetry.

The benchmark spans Linux endpoints, Azure Kubernetes Service (AKS), and Azure cloud infrastructure. Claude Mythos Preview showed substantial improvements over prior models in these rigorous, end-to-end evaluations. The CTI-REALM paper and tooling are open-source, reflecting Microsoft’s commitment to industry transparency.

Microsoft Foundry: Secure Access for Partners

Microsoft is making Claude Mythos Preview available through Microsoft Foundry (formerly Azure AI Studio) for Project Glasswing participants. This means that approved organizations can leverage the model within Foundry’s unified platform for building, deploying, and governing AI systems, benefiting from Azure’s enterprise-grade security, compliance, and governance controls.

What This Means for Cyber Defense

Project Glasswing arrives at a critical inflection point. As Anthropic notes, AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. The window between a vulnerability being discovered and being exploited has collapsed from months to minutes.

The initiative’s 90-day deliverables include partner recommendations on:

  • Vulnerability disclosure processes for an AI-augmented world
  • Patching automation to accelerate remediation cycles
  • Secure development lifecycle practices informed by AI-driven discovery
  • Supply-chain security improvements for open-source and commercial software

CrowdStrike’s George Kurtz captured the urgency: “The window between a vulnerability being discovered and being exploited by an adversary has collapsed… That is not a reason to slow down; it’s a reason to move together, faster.”

Why This Matters for Government

Government organizations are among the most targeted entities in the cybersecurity landscape, and state and local agencies face unique challenges that make Project Glasswing’s developments especially relevant.

The Threat Landscape Is Accelerating

State-sponsored cyber actors from China, Iran, North Korea, and Russia have repeatedly targeted government systems, critical infrastructure, and public services. The global financial cost of cybercrime is estimated at approximately $500 billion annually. Government agencies that rely on widely used open-source components (Linux, OpenBSD, FFmpeg, and similar) are directly benefiting from Project Glasswing’s proactive discovery and patching of vulnerabilities in these foundational systems.

Secure by Design Aligns with Federal Mandates

CISA’s Secure by Design principles emphasize that technology providers must build security into products from the start, rather than shifting the burden to consumers and end users. Microsoft’s Secure Future Initiative and its integration of AI-led vulnerability discovery directly align with these principles. For government IT leaders evaluating vendor security posture, Microsoft’s transparent participation in Project Glasswing, its open-source CTI-REALM benchmark, and the MSRC’s published approach to AI-augmented remediation provide concrete evidence of commitment to proactive security.

Implications for Government Security Operations

Here is what government IT leaders should consider:

  1. Patch management urgency increases: As AI accelerates the pace of vulnerability discovery on both the offensive and defensive sides, the window for applying patches shrinks. Agencies should evaluate their current patching cadence and automation capabilities. Monthly patch cycles may no longer be sufficient.

  2. Supply-chain scrutiny matters more than ever: Government software stacks depend heavily on open-source components. Project Glasswing’s focus on scanning and securing open-source infrastructure, backed by $4 million in direct funding to the Linux Foundation and Apache Software Foundation, directly benefits any agency running Linux-based servers, containerized workloads, or applications that depend on common libraries.

  3. AI-augmented security tools are arriving: Microsoft has signaled that insights from AI-led vulnerability discovery will flow into its security and developer toolsets. Government agencies already using Microsoft Defender for Cloud or GitHub Advanced Security should watch for capabilities that leverage these advances.

  4. Vendor evaluation should include AI security maturity: When evaluating cloud and platform providers, government procurement teams should ask how vendors are incorporating AI into their security development lifecycle, vulnerability response processes, and detection engineering. Microsoft’s CTI-REALM benchmark and published MSRC processes provide a model for the kind of transparency agencies should expect.

  5. Prepare for faster disclosure timelines: Project Glasswing partners will produce recommendations on vulnerability disclosure within 90 days. These recommendations may influence industry norms and potentially regulatory expectations around how quickly vulnerabilities are reported and patched.

Azure Government Considerations

Government agencies operating in Azure Government should note that Microsoft Foundry capabilities and model availability may differ between Azure commercial and Azure Government regions. As Project Glasswing is currently a research preview initiative, direct access to Claude Mythos Preview through Foundry is limited to approved participants. However, the security improvements, patched vulnerabilities, and updated development practices that emerge from this initiative will benefit all Microsoft customers, including those in government cloud environments, as they are integrated into Microsoft’s products and services through the Secure Future Initiative.

Looking Ahead

Project Glasswing represents a fundamental shift in how the technology industry approaches cybersecurity. The fact that an AI model can autonomously discover vulnerabilities that survived decades of human review and millions of automated tests underscores both the opportunity and the urgency. Microsoft’s deep involvement, from MSRC process evolution to Foundry hosting to open-source benchmarking, positions the company as a leader in responsible AI-driven security.

For government IT leaders, the message is clear: the cybersecurity landscape is changing faster than ever, and organizations that proactively adopt AI-augmented security practices will be best positioned to protect critical services and citizen data.

Azure Specialist · Microsoft