Glasswing Expands to Critical Infrastructure. The Threat Model Just Became National.
Two weeks ago, Anthropic published the initial results from Project Glasswing: working with roughly 50 partners, Claude Mythos Preview discovered more than 10,000 high- or critical-severity vulnerabilities in a single month. We wrote at the time that the headline number wasn't the real story — the asymmetry between machine-speed discovery and human-speed patching was.
Today Anthropic announced an expansion of the program. The numbers got bigger. But more importantly, the targets changed.
Glasswing is scaling from approximately 50 partners to roughly 150 new organizations, spanning more than 15 countries, and reaching into industries that were previously underrepresented: power, water, healthcare, communications, and hardware.
This is no longer a story about software bugs. It's a story about critical infrastructure.
Why This Expansion Is Different
The first wave of Glasswing partners was largely software vendors — companies whose codebases are relied on globally, including by governments. The findings were alarming enough on their own: 6,202 high- or critical-severity vulnerabilities across 1,000 open-source projects, validated at over 90% by independent firms.
The expansion changes the stakes. Anthropic's own framing is the part to sit with:
Most partners face scenarios where a successful attack could affect over 100 million people.
Power. Water. Hospitals. Telecom. Hardware. These are not applications that leak data when they break. They are the systems that keep cities running, keep patients alive, and keep nations connected. A certificate forgery bug in a web app is a breach. The same class of bug in a grid controller, a water treatment SCADA system, or a hospital network is a public safety event.
AI-grade vulnerability discovery has now been pointed directly at the software layer underneath physical infrastructure. The good news is that defenders are looking first. The sobering news is that the capability won't stay confined to defenders.
"Cheap, Fast AI With Cyber Capabilities Is Around the Corner"
That phrase, paraphrased from Anthropic's own reasoning, is the entire justification for Glasswing. The program exists because the window in which only responsible actors hold these capabilities is closing. Anthropic is explicit that the goal is to get defenders ahead before other developers release comparable models without comparable safeguards.
The expansion reflects two strategic shifts worth naming:
- From detection to deployment. The early program proved AI can find vulnerabilities at scale. The next phase emphasizes disclosure, patching, and getting fixes deployed — because, as the initial results showed, discovery was never the bottleneck. The patch queue is.
- From private preview to public defense. Anthropic signaled it will release Claude Security more broadly and put tools in the hands of trusted teams. Defensive capability is being deliberately democratized.
Both shifts are the right call. Both also confirm the strategic reality we've been building Aethyr around: you cannot defend critical infrastructure by assuming the software underneath it is clean. Glasswing has now measured, across two waves, exactly how unclean it is.
What Critical Infrastructure Operators Should Take From This
If you operate or supply infrastructure in one of these sectors, the expansion is a direct signal. Three things follow from it.
The vulnerability surface under your physical systems is larger than your audits show. Human review found a fraction of what exists. AI-assisted discovery just revealed the real number in adjacent industries — and there is no reason to believe your stack is the exception. Embedded TLS libraries, industrial protocol parsers, firmware update channels, and anything that ingests untrusted input are the places to start.
Patch velocity is now a safety control, not an IT metric. A two-week critical-patch cycle is already untenable for software companies. For a water utility or a hospital network, it is a window an adversary with the same discovery tools can drive through. Automate testing, staging, and rollback. Staff the verification work that can't be automated. Treat patch latency the way you treat any other safety-critical response time.
Architecture has to assume compromise. This is the through-line of everything Glasswing has demonstrated. You cannot patch your way to safety when discovery is essentially free and your dependency tree is thousands of undiscovered bugs deep. The defensible posture is containment: cryptographic isolation between systems, least-privilege at every boundary, and verifiable identity on every actor and message.
Where Aethyr Fits
We build for exactly this threat model. Aethyr's architecture starts from the assumption that the network is hostile and the software is compromised — and makes the system survive anyway.
- Per-agent, self-certifying identity — so a forged certificate in some embedded library doesn't let an attacker impersonate an actor in the mesh. Trust is bound to the message, not to a CA whose underlying code contains the next CVE.
- Post-quantum by default — because the traffic critical infrastructure generates today is being harvested for later decryption. ML-KEM and ML-DSA are standardized; the migration cost is finite, and waiting is the expensive option.
- Verification at the edge — the device is the trust boundary, not the network. Offline-verifiable identity removes the online attack surface that grid and SCADA environments can least afford.
- Sovereign deployment — no telemetry phoning home, no dependence on a SaaS control plane an adversary can target. Critical infrastructure should not have to choose between modern AI and operational sovereignty.
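As an added illustration of the "trust is bound to the message, not to a CA" and "offline-verifiable identity" points above (example code written for this post, not Aethyr's own implementation): the identifier is the SHA-256 of the actor's own public key, the message carries that key, and the verifier checks both the id-to-key binding and the signature with no CA and no network round trip. It uses Ed25519 from Go's standard library as a stand-in for the ML-DSA the post names, and the hash-of-public-key identifier scheme is an assumption about how such identities could be built.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedMessage carries everything a verifier needs to check it offline.
type SignedMessage struct {
	SenderID string
	PubKey   ed25519.PublicKey
	Payload  []byte
	Sig      []byte
}

// IdentityFor derives a self-certifying identifier: the SHA-256 of the public
// key itself, so the name is bound to the key with no CA in the loop.
func IdentityFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign covers id||payload (the id is fixed-length hex, so the split is
// unambiguous) so a signature cannot be re-attached to a different sender id.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	pub := priv.Public().(ed25519.PublicKey)
	id := IdentityFor(pub)
	sig := ed25519.Sign(priv, append([]byte(id), payload...))
	return SignedMessage{SenderID: id, PubKey: pub, Payload: payload, Sig: sig}
}

// Verify needs neither a CA nor a network round trip: the claimed id must hash
// from the enclosed key, and the signature must verify under that same key.
func Verify(m SignedMessage) error {
	if len(m.PubKey) != ed25519.PublicKeySize || IdentityFor(m.PubKey) != m.SenderID {
		return errors.New("sender id does not match enclosed public key")
	}
	if !ed25519.Verify(m.PubKey, append([]byte(m.SenderID), m.Payload...), m.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	fmt.Println(Verify(Sign(priv, []byte("setpoint=42")))) // <nil>
}
```

A message whose enclosed key hashes to a different id, or whose payload was altered after signing, is rejected without consulting any third party; a malformed key is rejected rather than crashing the verifier.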
Glasswing is finding the bugs. That work is essential, and we're glad responsible actors are doing it first. But finding bugs faster doesn't fix the underlying problem — it measures it. The organizations that come through this transition intact will be the ones that stopped depending on the absence of vulnerabilities and started building infrastructure that contains them.
The Window Is Still Closing
The first Glasswing update told us how many vulnerabilities are out there. This expansion tells us where they live: under the power grid, the water system, the hospital network, the communications backbone. It also tells us the clock is real — Anthropic is racing to arm defenders before the same capability arrives without safeguards.
The bugs were always there. Now we're counting them in the systems that 100 million people depend on. The only question that matters is whether the infrastructure underneath them was built for a world where they get found.
It can be. That's what we're building.