 (3).png)
5 hours ago
1
ARTICLE AD BOX
Summary
Anthropic’s Project Glasswing aims to use advanced AI to detect hard-to-find software vulnerabilities. Backed by Big Tech, the initiative may reshape how software is secured and could eventually disrupt cybersecurity firms and IT services models.
On Tuesday, Anthropic announced Project Glasswing, a multi-company coalition that includes some of the world’s largest enterprises. The goal: using AI to find cybersecurity vulnerabilities that human engineers find hard to spot. In the face of a global shortage of skilled cybersecurity professionals and a rising volume of cyberattacks on countries and companies alike, Project Glasswing can be pivotal for the future of the internet. Mint explains how.
What makes Project Glasswing by Anthropic relevant?
Anthropic cofounder and chief executive Dario Amodei said the company created a cybersecurity coalition after observing how capable its new ‘frontier’ artificial intelligence model, Claude Mythos, is. Anthropic tested the latter to discover thousands of critical software flaws, technically known as ‘zero-day vulnerabilities’, within an unspecified period of time.
A ‘zero-day’ vulnerability means a glitch in a software’s code that no one has discovered to date. In the cybersecurity world, such a glitch is the hardest to detect and often requires the most skilled cybersecurity engineers.
Anthropic noted that cyber attackers worldwide thrive on such flaws and can bring down large enterprises and even governments. Two of the most notable such instances include June 2010’s ‘Stuxnet’, which targeted Iran’s nuclear research facilities, and 2017’s WannaCry and NotPetya cyberattacks, which exploited a zero-day exploit tool used by the US government’s National Security Agency (NSA).
Is it a cybersecurity application for all?
No. Project Glasswing, at its core, is an AI model that can find gaps in the most commonly used software, and write the code for making software patches for the same.
Think of this as a layer of research that finds undiscovered security flaws and vulnerabilities in software such as Apple’s, Microsoft’s and Google’s iOS, Windows and Android operating systems. So far, this research has largely been conducted by human-led cybersecurity discovery teams at companies such as Cisco, CrowdStrike, Fortinet, and Palo Alto Networks.
Cybersecurity applications use this foundational research data to update their repository of software patches and knowledge of vulnerabilities in software systems, and thus enable user-facing services that build on tools like Claude Mythos that find core vulnerabilities.
Which parties are backing the initiative?
Initial corporate partners include 11 companies, including Amazon, Apple, Google, JPMorgan Chase, Microsoft, and Nvidia. The company is committed to offering $100 million in usage revenue initially, after which use of its Claude Mythos model will be on a paid basis.
The project will eventually be opened for more cybersecurity firms, and results will be shared on open-source forums. Anthropic is also working with the US government to demonstrate the cyber offensive and defensive capabilities, the company said.
How will it address the shortage of cybersecurity engineers?
At its most skilled level, cybersecurity is incredibly complex, requires highly sophisticated knowledge of software, including legacy systems that have been in use among the world’s largest enterprises for decades now. The levels of complexity are such that not many engineers are capable enough to function at the highest levels.
At the same time, the world’s most notorious cyber criminal groups, such as North Korea’s Lazarus, and Russia’s DarkSide and Fancy Bear, have established themselves as highly skilled at finding flaws in software that no one else in the world can—and exploit them.
With digital transformation modernizing systems across enterprises, public sector organizations and government agencies alike, such software flaws put nations and critical power and energy systems at risk—such as 2020’s Solarwinds attack on US government infrastructure, and the Mumbai power outage in India from the same year.
Most cybersecurity projections have claimed that the influx of sophisticated AI tools will exacerbate such attacks in future, and Anthropic claims that Project Glasswing will help take on this itself. Given its sophisticated capabilities, Claude Mythos in Glasswing has been projected as a platform that can automate cyber security discovery, something that experts also agreed upon.
Aditya Varma, leader for public sector security, India and Saarc at Cisco, said for cybersecurity companies, “the significance lies in the shift from AI as analyst assistance to AI as governed security research and remediation infrastructure.”
“Value creation from AI in cyber security is likely to move upstream—from alert triage and workflow automation, toward exploitability-aware discovery, patch acceleration, secure software engineering and proof-based prioritization. A Glasswing-like platform is commercially attractive because it can help managed security providers reduce noise, validate exploitability, improve remediation speed and generate differentiated evidence for customers,” he added.
Does it hold any significance for India?
Prima facie, Project Glasswing does not necessarily involve or target India, and is largely centred in the US. However, market observers believe that the project is likely to have an eventual impact. On Thursday, an investor note by brokerage firm Motilal Oswal said that Glasswing can change the way enterprise software is set up, and eventually impact India’s already-battered IT services firms.
The note further highlighted that Glasswing can address a core issue that companies across India face, which include large stacks of code and IT assets “built over 15-30 years,” as well as multiple layers in the system, sporadic and human-driven security checks that are still mostly done in the interest of compliance and not active monitoring.
“This creates gaps: Many vulnerabilities remain undetected for years, testing is fragmented across tools and teams, and security work is often reactive after breach,” it said.
Will it spell doom for the average cybersecurity company?
Firms that rely on core cybersecurity research, such as the US quartet mentioned above, could well be impacted.
After Anthropic's announcement late Tuesday, cybersecurity stocks in the US showed considerable impact through Wednesday. Shares of Palo Alto Networks dropped 2% by midday on Wednesday, and have largely remained flat since then.
CrowdStrike’s shares dropped 6% on Wednesday, while Fortinet’s shares declined 3.5%. Cisco Systems' shares, after dropping 2%, at the start of trading in the US yesterday, recovered to trade higher.
About the Author
Shouvik Das
Shouvik has been tracking the rise and shifts of India’s technology ecosystem for over a decade, across print, broadcast and web-first platforms. He's been a tinkerer of machines and PCs since childhood, a habit he was thrilled to convert into his profession. This has led him to fascinating experiences of technologies around the world, which is what keeps him hooked to his job.<br><br>Shouvik likes to believe that he is one of the few technology journalists in India who can also code. He has also been writing about the rise of AI well before it became a household name, and has met some of the most fascinating people over the years through his work.<br><br>Shouvik writes about AI, Big Tech, data centres, electronics, semiconductors, cybersecurity, gaming, cryptocurrencies, and consumer technologies. He is most fond of the stories he has written during his time here at Mint, for which he also writes 'Transformer', a weekly technology newsletter, and hosts 'Techcetra', a weekly technology podcast.<br><br>Outside of work, Shouvik spends most of his time with Pixel, whom he believes is the world's best dog. He is also an avid reader, a toy collector, a gamer and a frequent traveller.
English (US) ·