In a nutshell: AI-powered vulnerability detection risks overwhelming organizations with more security gaps than they can validate and remediate.
Anthropic onboards 150 additional organizations into Project Glasswing, its AI-powered vulnerability detection program focusing on power, water, healthcare, communications, and hardware. However, the initiative reveals a fundamental problem: vendor patch capacity becomes the critical bottleneck.
Anthropic announced on Tuesday the expansion of Project Glasswing, which uses AI technology for automated vulnerability discovery. The 150 new partner organizations focus on critical infrastructure sectors: power generation, water management, healthcare, telecommunications, and hardware manufacturing. Anthropic estimates that a successful attack on the codebase of these partners would have immediate consequences for more than 100 million people and could endanger global and national security.
Project Glasswing was launched on April 7 and is supported by AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Okta confirmed its participation later as well. Experts generally view the expansion positively — more organizations participating in vulnerability identification means better results in theory. Yet a larger structural problem comes into focus: the patch bottleneck.
When AI tools like Glasswing increase the number of identified vulnerabilities by 10 to 100 times, can software vendors realistically validate, prioritize, and patch them on time? Tom Findling, CEO of Conifers.ai, warns of high false-positive rates: organizations cannot treat every vulnerability found by AI as immediately remediable. They must first distinguish genuine threats from false alarms, a step that can take weeks to months. A further problem is that even large enterprises can allocate only limited resources to rapid patch development and distribution.
Justin Greis, CEO of consulting firm Acceligence, sees the core of the problem differently: the industry has long treated cybersecurity as a vulnerability-discovery problem when it is actually a remediation problem. Finding vulnerabilities has become easy with modern AI; validating them and then building, testing, and deploying fixes remains slow. The problem is most acute when security teams identify the gaps but IT or business teams are responsible for patching: in such scenarios, coordination delays can leave critical windows of exposure.
For CISOs, there is also a trust question: will automatically generated patches be acceptable without manual validation? Trust is typically not the default setting for security leaders. The central metric for organizations will thus not be the number of vulnerabilities found, but rather the time between identification and operational remediation.
Source: www.csoonline.com · Published June 3, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.