Donald

Full-stack developer

ProjectsBlogContact
AI DailyMay 25, 20262 min read

AI Daily - 2026-05-25: Claude turns AppSec into a triage problem

Anthropic's latest Glasswing update shows AI vulnerability discovery is scaling faster than human verification, shifting the bottleneck for security teams.

AnthropicSecurityModels

Why it matters

What changed On May 22, 2026 , Anthropic published alongside a live .

What changed

On May 22, 2026, Anthropic published Project Glasswing: An initial update alongside a live coordinated vulnerability disclosure dashboard. Together, they show how Anthropic is turning Claude Mythos Preview from a strong security model into a repeatable vulnerability-discovery workflow.

A few numbers make the shift clear:

  • Anthropic says its roughly 50 Project Glasswing partners have already found more than 10,000 high- or critical-severity vulnerabilities across critical software.
  • For open source alone, Anthropic says Mythos Preview has scanned more than 1,000 projects and surfaced 23,019 findings.
  • The public dashboard says 1,596 vulnerabilities have already been disclosed across 281 open-source projects, with 97 patched so far.

Why this feels different

The interesting part is not just model capability. Anthropic is packaging a product workflow around it.

In the Glasswing update, Anthropic says it is making several supporting tools available to qualifying security teams on request:

  • Claude skills for repeated security work
  • a harness that maps a codebase, spins up scanning subagents, triages findings, and writes reports
  • a threat model builder to prioritize where scanning should focus

That matters because it turns AI security work from a one-off demo into an operational pipeline.

Why it matters for builders

For developers and small teams, the main lesson is that security bottlenecks are moving.

Before, finding serious bugs was often the hard part. In Anthropic's framing, the harder problem is now verification, disclosure, patching, and rollout. If that pattern holds, teams that adopt AI-assisted security work will still need strong human ownership around:

  • triage queues
  • patch turnaround time
  • dependency update discipline
  • clear review paths for AI-generated reports

In practical terms, AI is making vulnerability discovery cheaper and faster. That is good news for defenders, but it also means basic hygiene matters more: shorter patch cycles, better dependency inventory, and fewer unowned surfaces in production.

Bottom line

The useful signal from Glasswing is not only that Claude can find more bugs. It is that AI-assisted AppSec is becoming an operations problem. The teams that benefit most will be the ones that can absorb and act on findings quickly, not just generate them.

Sources