
Glasswing Found 10,000 Vulnerabilities. Here’s What Wasn’t in the Queue.

Tal Shapira
Updated
May 28, 2026

Anthropic published its first Glasswing update last week. The numbers are worth taking seriously.

In 30 days, roughly 50 partner organizations found more than 10,000 high and critical vulnerabilities across the most systemically important software on the internet. The true-positive rate on validated findings was 90.6 percent. Mozilla found 271 Firefox vulnerabilities in a single engagement, ten times their previous record. Cloudflare found 2,000 bugs across their critical-path systems with a false positive rate their team rated better than human testers. Mythos Preview constructed an exploit against wolfSSL that could have allowed an attacker to forge certificates for any bank or email provider on the internet.

These are not incremental improvements. This is a step-change in what security teams can accomplish at scale.

I said in my original post that Glasswing was a genuine contribution. Nothing in the update changes that read. The numbers make it stronger. What the update also reveals is a new problem, and it connects directly to what the security leaders I speak with are wrestling with every week.

The bottleneck moved


Glasswing surfaced a tension in its first month that nobody fully anticipated: the constraint has shifted from finding to patching.


Open-source maintainers are overwhelmed. Some have asked Anthropic to slow down disclosures. A high or critical vulnerability found by Mythos Preview takes two weeks on average to patch. The model can now find vulnerabilities faster than the ecosystem can fix them.


That’s a real coordination problem. Anthropic describes it honestly in the update, noting a steep drop-off at each phase of their disclosure process. Finding has become fast. Triage, disclosure, and patching are slow. The bottleneck sits between discovery and remediation.


The lesson is worth generalizing: you can only work the queue for what’s been found. What hasn’t been surfaced doesn’t get fixed. And right now, at the SaaS identity layer, most organizations haven’t started finding.

The security leaders who are done playing catch up


The CISOs who are ahead of this aren’t waiting for a breach to find out what’s in their environment.


What we see across our customer base is a split. On one side are security teams who discover their AI agent footprint only after something goes wrong. When one company did its first inventory scan, it found 3 to 5 times more agents than anyone had estimated. Another told us they were only using Copilot. When we scanned their environment, the number one tool in actual use was Claude. Number two was OpenAI. Copilot was third. The organizations that know what’s in their environment are the exception, not the rule.


On the other side, a Director of Application Cybersecurity we work with put it this way: “I’m done playing catch-up. It is almost like every single one of the SaaS applications is going to have AI agents. So rather than find out after the fact that someone built AI agents there, I’d rather just have visibility from day one.” That posture is the shift. It’s treating SaaS identity governance as a first-class security discipline, not an incident response reflex.


As Cyera’s team noted, AI visibility without identity context is just a list. Knowing an agent exists tells you almost nothing. Knowing what it’s authorized to access, what it’s actually doing, and whether that behavior makes sense given who provisioned it is the actual question. The security leaders who are ahead are already answering it.

What happened at Vercel


While Glasswing’s first 10,000 findings were being triaged and routed to maintainers, a breach happened at Vercel. Through an AI tool.


A third-party AI service called Context.ai had been authorized via OAuth to access a Vercel employee’s Google Workspace account. An attacker compromised Context.ai, inherited that authorization, and used it to reach Vercel’s internal systems and environment variables. Mandiant is investigating the full scope.


The attack required no vulnerability in the traditional sense. No code flaw. No patch that should have been applied. The tool was working as designed. The permissions were legitimately granted. The connection did exactly what OAuth connections do.


This is the attack surface that a patching queue cannot reach.

The queue that doesn’t exist yet


The Glasswing update describes the steep drop-off between finding and patching as the defining challenge of this moment in cybersecurity. That’s accurate for the infrastructure layer. At the SaaS identity layer, most organizations are at an earlier stage: the inventory hasn’t been built, so the queue hasn’t started.


The AI tools connected to enterprise environments via OAuth grew through individual user authorization, not security review. Copilot inside Microsoft 365. Gemini connected to Google Workspace. Einstein inside Salesforce. Agentic platforms like 7ai connecting to enterprise workflows. Each one carries the permissions of the person who authorized it. Each one can access, act on, and in some cases trigger automations across the systems it’s connected to.


The security teams who are ahead have built that inventory and are working it actively. They know what’s connected. They have behavioral baselines. When something changes, they see it. That’s the SaaS identity layer equivalent of what Glasswing’s partners are doing at the code layer. The teams that aren’t there yet are at step zero: they don’t know what’s running in their environment.


At Reco, when the Context.ai IOC became available, customers could query their full OAuth inventory against the compromised client ID in minutes. They knew instantly whether they were exposed. They could revoke access, scope down permissions, and document the response. That’s what it looks like to have a queue and work it.
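
The inventory check described above, as an added example (not Reco's code or query language): it matches a constructed OAuth grant inventory against a placeholder client ID and orders the exposed users by the most sensitive scope granted. Field names follow the Google Workspace Directory API token resource (`clientId`, `displayText`, `scopes`, `userKey`); the placeholder ID, the sample grants, and the risk tiers are assumptions.

```python
from collections import defaultdict

# Placeholder, not a real indicator: use the client ID from the vendor advisory.
IOC_CLIENT_IDS = {"placeholder-compromised-client-id"}

# Assumed risk tiers for illustration; adjust to your own data classification.
SCOPE_RISK = {
    "https://mail.google.com/": 3,
    "https://www.googleapis.com/auth/drive": 3,
    "https://www.googleapis.com/auth/calendar.readonly": 1,
    "https://www.googleapis.com/auth/userinfo.email": 0,
}
UNKNOWN_SCOPE_RISK = 2  # unreviewed scopes are treated as sensitive

# Constructed sample inventory (one record per user-to-app grant).
GRANTS = [
    {"userKey": "alice@example.com", "clientId": "placeholder-compromised-client-id",
     "displayText": "Third-party AI tool",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.com", "clientId": " Placeholder-Compromised-Client-ID ",
     "displayText": "Third-party AI tool",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.com", "clientId": "unrelated-client-id",
     "displayText": "Other app", "scopes": ["https://mail.google.com/"]},
    {"userKey": "dave@example.com", "clientId": "placeholder-compromised-client-id",
     "displayText": "Third-party AI tool", "scopes": ["https://example.com/custom.scope"]},
]

def _norm(client_id):
    # Exports from different tools vary in case and padding; compare normalized.
    return client_id.strip().lower()

def build_revocation_queue(grants, ioc_client_ids):
    """Return exposed users, highest-risk first, with the scopes to revoke."""
    iocs = {_norm(c) for c in ioc_client_ids}
    exposed = defaultdict(set)
    for grant in grants:
        if _norm(grant["clientId"]) in iocs:
            exposed[grant["userKey"]].update(grant.get("scopes", []))
    queue = [
        {"user": user,
         "risk": max((SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in scopes), default=0),
         "scopes": sorted(scopes)}
        for user, scopes in exposed.items()
    ]
    return sorted(queue, key=lambda row: (-row["risk"], row["user"]))

if __name__ == "__main__":
    for row in build_revocation_queue(GRANTS, IOC_CLIENT_IDS):
        print(row["risk"], row["user"], ", ".join(row["scopes"]))
```

The grant for `carol@example.com` carries the broadest scope in the sample but is left out because its client ID does not match the indicator, which keeps the queue to grants the compromised client could actually use.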

A note on Anthropic’s own admission


The Glasswing update includes a sentence worth sitting with: no company, including Anthropic, has yet developed safeguards strong enough to prevent Mythos-class models from being misused and potentially causing severe harm. That’s why Mythos is still gated.


The honest extension of that statement is this: the safeguard problem doesn’t stop at the model layer. A Claude or Gemini or GPT-4 operating inside enterprise SaaS with a valid OAuth token is already past the point where model-level safeguards apply. What governs it at that point is identity: what it’s authorized to do, whether its behavior matches that authorization, and whether anyone is watching.


Anthropic is building infrastructure to govern what Mythos-class models can do when pointed at software. That’s necessary work. The governance question at the SaaS identity layer is different, and it’s equally urgent. The security leaders who are ahead are treating it that way.


The patching queue is full. That’s a good problem. It means Glasswing found 10,000 things worth fixing. The SaaS identity layer needs the same discipline. For the security teams that have started, the queue exists and the work is running. For the rest, it starts the moment someone asks what’s actually connected to their environment.


Tal Shapira

ABOUT THE AUTHOR

Tal is the Cofounder & CTO of Reco. Tal has a Ph.D. from the school of Electrical Engineering at Tel Aviv University, where his research focused on deep learning, computer networks, and cybersecurity. Tal is a graduate of the Talpiot Excellence Program, and a former head of a cybersecurity R&D group within the Israeli Prime Minister's Office. In addition to serving as the CTO, Tal is a member of the AI Controls Security Working Group with the Cloud Security Alliance.

Technical Review by:
Gal Nakash
Technical Review by:
Tal Shapira

