AI-Powered Application Penetration Testing—Scale Security Without Compromise Learn More

bishopfox-logo-grey
Get Started

Project Glasswing: AI Vulnerability Discovery & Exploit

In this Initial Access podcast episode, we break down what Anthropic’s Project Glasswing actually shows about AI-driven vulnerability discovery and where human expertise still matters.

In this special episode, we break down Anthropic’s Project Glasswing announcement and what it signals for the future of cybersecurity. At its core, Glasswing is a defensive initiative built around a new class of AI capability: models that can identify, exploit, and help remediate software vulnerabilities.

The conversation goes beyond the announcement to unpack what this actually means in practice: where the capability holds real weight, where it remains constrained, and how security leaders should be thinking about control, oversight, and risk as AI begins to meaningfully accelerate offensive security outcomes.

Key Takeaways

  • Glasswing reflects a real inflection point in offensive capability
    The discussion enforces that AI systems are now capable of performing meaningful vulnerability discovery and exploitation tasks. The significance isn’t just in finding bugs, but in doing so at scale and speed that begins to outpace traditional human-led approaches.
  • The core shift is compression of the attack lifecycle
    A major theme from the conversation is how AI reduces the time between discovery and exploitation. What historically required time, expertise, and iteration can now be accelerated, which has direct implications for how quickly defenders need to detect and respond.
  • This is as much about attacker enablement as defender tooling
    While Glasswing is positioned as a defensive effort, the underlying capability is inherently dual-use. The experts highlight that the same advancements enabling defenders will inevitably lower the barrier for attackers, making this a race to adapt rather than a one-sided advantage.
  • Control—not capability—is the real constraint today
    The limitation isn’t what the AI can do, but how safely it can be deployed. The discussion emphasizes that governance, access restriction, and controlled usage are currently the primary mechanisms preventing misuse—not a lack of technical capability.
  • Human-in-the-loop remains a necessary safeguard
    While the technology is advancing quickly, the experts stress that human oversight is still critical, particularly when validating findings, making remediation decisions, and preventing unintended consequences from automated actions. This is less about slowing AI down and more about ensuring reliability and accountability.
  • Security programs are not designed for this speed yet
    Existing security processes (patching cycles, validation workflows, detection models) are not built for a world where vulnerabilities can be discovered and operationalized at machine speed. This creates a growing gap between attacker capability and defender readiness.
  • Validation and testing models need to evolve
    The conversation highlights the need for more realistic testing approaches that account for AI-driven discovery and exploitation. Traditional assessments may not fully capture how these systems behave or how quickly weaknesses can be identified and chained together.
  • The long-term impact is an expanding and accelerating attack surface
    As AI continues to improve in code understanding and system analysis, the number of exploitable paths, and the speed at which they can be uncovered, will increase. This isn’t a single breakthrough moment, but the start of a compounding effect on both offense and defense.
Sean McMillan Headshot

About the speaker, Sean McMillan

Community Specialist

Sean McMillan serves as the Community Specialist at Bishop Fox, where he combines his expertise in digital media with a knack for community engagement. He's the creator and host of "Galactic War Report," a Star Wars gaming podcast that has accumulated over a million downloads and made its mark on-stage at Star Wars Celebration Chicago in 2019.

More by Sean McMillan
Zach moreno

About the speaker, Zach Moreno

AVP Consulting

Zach Moreno is AVP Consulting at Bishop Fox and focuses on application penetration testing (static and dynamic), vulnerability risk management, network penetration testing (external and internal), and dynamic application security testing. He has advised Fortune 500 brands and startups in industries such as healthcare, financial services, education, and technology.

More by Zach Moreno
Bfx25 yuri goryunov acceligence

About the speaker, Yuri Goryunov

Partner Chief Information Officer

Yuri is a Partner and Chief Information Officer at acceligence, an AI-powered management consulting firm focused on technology, cybersecurity, risk, and strategy. Yuri works with executives, boards, and investors to translate enterprise strategy into scalable technology, data, and AI capabilities, helping organizations modernize operating models and unlock new sources of value through technology-enabled transformation.

Yuri is a frequent contributor to executive discussions on enterprise technology strategy, digital transformation, and AI-enabled business models. He has authored thought leadership and presented at industry conferences and executive forums on topics including data interoperability, automation, customer engagement, analytics, and technology-enabled transformation.

Yuri earned a master of business administration from Carnegie Mellon University’s Tepper School of Business and a bachelor of arts in economics from Denison University.

More by Yuri Goryunov
Bfx25 welling matt web

About the speaker, Matthew B. Welling

Partner at Holland & Knight

Matthew B. Welling is an attorney at Holland & Knight and member of the Data Strategy, Security & Privacy Team and Energy Team. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters.

Matthew has advised numerous clients on appliance energy conservation standards before the U.S. Department of Energy (DOE), including multiple appeals to the Federal Energy Regulatory Commission (FERC) under the Energy Policy and Conservation Act (EPCA) and before the California Energy Commission (CEC).

More by Matthew B. Welling

Extend Your Knowledge

Check out these related resources.

Bishop Fox guide: 15 guardrails for shipping AI-generated code safely.
Guide

Secure AI-Assisted Development: 15 Guardrails for Shipping AI-Generated Code

Before releasing AI-developed software, use our recommended security guardrails checklist to learn how to constrain generated code, enforce security controls, and prevent silent risk from prompt to production.

Learn More
GigaOm Radar Report 2026 Attack Surface Management with security risk radar graphic and Bishop Fox branding.
Report

2026 GigaOm Radar for Attack Surface Management

Get an overview of the 2026 Attack Surface Management (ASM) market — along with the key features and business criteria met by the top solutions — and learn why Bishop Fox was named Leader and Fast Mover by the analysts at GigaOm.

Learn More
Red Team Vendors Evaluation Matrix resource graphic by Bishop Fox featuring a red teaming vendor evaluation worksheet.
Guide

Red Team Vendor Evaluation Worksheet

The Red Team Vendor Evaluation Matrix Worksheet is designed to help security leaders evaluate red team vendors thoughtfully before engagement using a structured, question-driven approach.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.