zeblade

Insights

The Buffer Is Gone

For thirty years, vulnerability management ran on a buffer.

A researcher found a bug. It took weeks or months for someone to write a working exploit. Your team triaged, scheduled a patch window, tested, deployed, and validated. The process was slow, but it worked — because the other side was slow, too.

That buffer is gone.

In May 2026, Anthropic published an update on Project Glasswing, a collaborative initiative to use their unreleased frontier model, Claude Mythos Preview, to find and fix vulnerabilities in systemically important software. The numbers are worth sitting with: in roughly one month, Anthropic and approximately 50 partner organizations identified more than 10,000 high- or critical-severity vulnerabilities across the world’s most critical codebases. Cloudflare found 2,000 bugs in their own code, 400 of which were high or critical in severity. Mozilla found and fixed 271 vulnerabilities in Firefox — ten times what they’d found using the previous frontier model. Among the discoveries: a 27-year-old remote denial-of-service vulnerability in OpenBSD, a 17-year-old remote code execution vulnerability in FreeBSD (CVE-2026-4747) that grants root access to any unauthenticated attacker on the internet, a 16-year-old FFmpeg vulnerability, and a critical flaw in wolfSSL (CVE-2026-5194) — a cryptography library used by billions of devices — that allows an attacker to forge certificates.

More than 99% of what Mythos found was still unpatched at the time of the update.

This is the defensive side of the equation. The organizations with the resources to participate in Glasswing — AWS, Microsoft, Cisco, CrowdStrike, Google, Palo Alto Networks — are racing to fix what AI found before AI finds it for the other side.

But the other side isn’t waiting.

The attack surface is already being automated

Three months before the Glasswing update, AWS published a threat intelligence report on a campaign that compromised over 600 Fortinet FortiGate firewalls across 55+ countries between January and February 2026. The attacker was described as a Russian-speaking, financially motivated threat actor with “limited technical capabilities.”

That assessment is the important part.

No zero-day exploits were used. No sophisticated vulnerability research was required. The attacker scanned for exposed management interfaces, tried default and weak credentials without MFA, and gained access to hundreds of enterprise firewalls. What made this campaign different from the thousands of brute-force campaigns before it was the automation layer: the attacker used commercial generative AI services — including custom MCP (Model Context Protocol) servers that fed reconnaissance data into language models — to generate structured attack plans, classify compromised networks, identify lateral movement targets, and prioritize exploitation paths. A custom tool called ARXON ingested stolen FortiGate configurations, Active Directory maps, and credential dumps, passed them through DeepSeek and Claude, and produced step-by-step attack plans for each victim network.

A single attacker, or a very small team, with low-to-medium technical skill, compromised enterprise security appliances across 55 countries in five weeks. Independent researchers later catalogued the exposed server and found 1,400+ files across 139 subdirectories: CVE exploit code, Nuclei scanning templates, Veeam credential extraction tools, BloodHound collection data, and AI-generated vulnerability assessments.

The volume and variety of custom tooling on that server would normally indicate a well-resourced development team. Instead, it was one person with an AI subscription.

Two sides of the same capability

Glasswing and the FortiGate campaign are two expressions of the same underlying reality: AI has fundamentally compressed the vulnerability lifecycle.

On the defensive side, Mythos Preview found a 27-year-old bug in OpenBSD that the entire security research community missed. It wrote 181 working exploits against Firefox where the previous frontier model managed 2. It autonomously discovered and exploited a FreeBSD RCE — no human involved after the initial prompt. Anthropic’s own assessment is blunt: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

On the offensive side, a low-skill threat actor used off-the-shelf AI to turn stolen credentials into structured attack campaigns at industrial scale. The FortiGate campaign didn’t require vulnerability research. It required exposed management ports, weak passwords, and an AI assistant willing to generate attack plans from reconnaissance data.

The gap between these two stories isn’t capability — it’s access. Mythos Preview is gated behind Project Glasswing and restricted to vetted partners. The commercial AI tools the FortiGate attacker used are available to anyone with a credit card. When Anthropic says it expects models with similar capabilities to Mythos to become broadly available in the near future, they’re describing a world where the offensive side of this equation scales to anyone who can write a prompt.

What this means for mid-market security teams

If you’re running security for a healthcare organization with 50 to 300 employees, here’s the part that matters: the recommendations from both AWS and Anthropic sound remarkably like things your auditor has been telling you for years.

Patch management for perimeter devices. Credential hygiene. Multi-factor authentication. Network segmentation. Detection and response for post-exploitation indicators. Comprehensive logging. These aren’t revolutionary. They’re the fundamentals. The difference is that the consequence of getting them wrong has changed. The buffer that gave you weeks to patch a critical vulnerability after disclosure is being compressed to hours. The brute-force attempts against your exposed management interfaces are being orchestrated by AI that can classify your network, plan its lateral movement, and prioritize its targets — all before your SOC analyst has finished their morning coffee.

The FortiGate campaign exploited exactly one class of vulnerability: weak credentials on exposed interfaces without MFA. Every compromised device could have been protected by enforcing basic access controls. AWS’s own mitigation guidance reads like a security awareness training module: don’t expose management interfaces, enforce MFA, rotate credentials, segment your network.

But here’s the uncomfortable question for mid-market organizations: do you know which of your vendors have exposed management interfaces? Do you know if your third-party partners are enforcing MFA on their VPN gateways? Do you have a vendor risk program that validates external security posture, or do you rely on annual questionnaires filled out by the vendor’s sales team?

Because the FortiGate attacker wasn’t targeting your organization specifically. The campaign was opportunistic — automated scanning for vulnerable appliances, targeting whatever responded. Your vendor’s exposed FortiGate firewall in their branch office is now your supply chain risk.

The compliance gap

Here’s where the AI vulnerability management shift meets the compliance reality for healthcare organizations.

HIPAA requires risk assessment. NIST CSF 2.0 maps out the functions: Govern, Identify, Protect, Detect, Respond, Recover. SOC 2 expects continuous monitoring of controls. ISO 27001 requires systematic management of information security risks.

None of these frameworks were written for a world where AI can find a 27-year-old kernel vulnerability and write a working exploit in the time it takes to schedule a patch window. The frameworks aren’t wrong — the controls they describe are exactly the fundamentals that would have prevented the FortiGate campaign. But the velocity at which those controls need to be validated, the frequency at which vendor risk needs to be reassessed, and the speed at which policy needs to adapt to emerging threats — all of that has changed.

And the tools most organizations use to manage compliance haven’t kept up. Annual vendor questionnaires don’t catch an exposed FortiGate management interface. Static policy documents that haven’t been reviewed in 18 months don’t reflect the AI-driven threat landscape. Self-assessed maturity scores don’t reveal whether your controls are actually implemented or just documented.

What defenders need

The organizations that are best positioned for the AI-driven security era share a few characteristics:

Their compliance program is computed, not self-assessed. Risk tiers are calculated from data attributes, not selected from a dropdown. Policy quality is scored against measurable dimensions — enforceability, framework alignment, consistency — not rubber-stamped by the policy owner. Maturity levels are derived from control state and evidence freshness, not from someone’s optimistic estimate during a quarterly review.

Their vendor risk includes external validation. They don’t just ask vendors if they have MFA enabled — they scan the vendor’s external posture for exposed management interfaces, misconfigured email authentication, weak TLS implementation, and open ports. The FortiGate campaign succeeded because someone’s management interface was accessible from the internet. That’s a finding an external scan would have caught.

Their policies are written for humans, not just auditors. The 69% of employees who admit to bypassing security guidance aren’t doing it because they’re malicious — they’re doing it because the policies are incomprehensible or impractical. When AI is generating phishing emails that bypass technical controls, the human layer is the last line of defense. Policies need to be written in language that workforce actually follows, not in legal jargon that satisfies a checkbox.

Their tooling is connected. Policy management, control mapping, risk assessment, vendor oversight, vulnerability tracking, and evidence collection all feed the same model of the organization. When a new CVE drops, you shouldn’t need to check three different systems to understand your exposure. When an auditor asks “show me how this control is implemented,” the answer shouldn’t be “let me check the spreadsheet.”

They train their people for the threats that exist now. AI-generated phishing emails don’t have the grammatical errors that traditional security awareness training teaches people to look for. Business email compromise attacks are more convincing when AI can match the writing style of the person being impersonated. Security awareness training needs to evolve as fast as the threats it’s preparing people for.

The window is closing

Anthropic is expanding Project Glasswing to 150+ organizations across 15+ countries, including healthcare, power, water, and communications infrastructure. They’ve released Claude Security in public beta for enterprise customers, along with scanning tools, threat model builders, and the skills that partners developed during the Glasswing preview. OpenAI has followed with GPT-5.5-Cyber. The defensive tooling is getting more capable — but so is the offensive tooling.

The FortiGate campaign showed what a single low-skill attacker can do today with commercially available AI. Project Glasswing showed what’s coming tomorrow: AI models that can autonomously discover and exploit vulnerabilities in every major operating system, every major browser, and cryptography libraries used by billions of devices. Models that find bugs that the entire security research community missed for 27 years.

The buffer that made traditional vulnerability management work isn’t coming back. The question for every security team — especially those at mid-market organizations who don’t have Glasswing access or a 50-person security operations center — is whether their security program is built for the velocity that’s coming.


Brian Nichols is the founder of Zeblade Security Group, a CISSP, and a Fractional CISO for healthcare organizations. Zeblade builds AI-powered compliance infrastructure — including policy quality scoring, external vendor risk scanning, and security awareness training — for mid-market healthcare teams managing real regulatory obligations with real operational constraints.

If you’d like to see how your policies score against Zeblade’s six-dimension Compass engine, request a free Compass Report. No sales pitch. Just data.


Sources

Share

← All insights

Get started

See how your defenses hold up at machine speed.

Tell us what you need tested. We'll come back with a tailored assessment plan, timeline, and a fixed price.

Request a pen test