
The Glasswing Effect

  • Writer: Victor Hanna
  • Apr 16
  • 3 min read

Introduction


On April 7, 2026, Anthropic dropped a bombshell: their new Claude Mythos Preview model autonomously discovered thousands of previously unknown high-severity vulnerabilities across every major operating system, web browser, and core software libraries. Some bugs had gone unnoticed for 16 to 27 years.


In response, they launched Project Glasswing, a controlled initiative to use this powerful AI to help defenders patch critical software before attackers can exploit it. Access is tightly restricted to a select group of partners. The message is clear: AI is about to flood the world with vulnerability intelligence at a scale humans alone can’t match.


For most penetration testing firms, this feels like a threat. For us at Exploit Security, it’s an opportunity, especially when it comes to IoT, embedded systems, hardware, wireless, and physical security.


Here’s why.


The New Reality: AI Changes the Game (But Not Everything)


Claude Mythos excels at analysing massive codebases, spotting subtle logic flaws, and even chaining exploits in software. It can run autonomously for hours or days, surfacing issues that traditional scanners miss.

That’s fantastic news for defenders … in theory.


In practice, many organisations (especially those with connected devices, industrial systems, medical hardware, or smart infrastructure) are now staring at two big problems:


  1. Discovery overload - Thousands of new findings, but which ones actually apply to your environment?

  2. The AI blind spots - Mythos is incredibly strong on pure software, but it can’t plug in a JTAG debugger, analyse custom firmware binaries running on obscure microcontrollers, simulate physical tampering, or test how an attacker might combine a software flaw with a hardware interface or social engineering vector.


This is exactly where traditional “find the bugs” pentesting starts to commoditise, and where specialised human-led testing becomes more valuable than ever.


Where Exploit Security Fits in the Mythos Era


At Exploit Security, we’ve always specialised in the messy, real-world edge cases that pure software AI struggles with:


  • Embedded Systems & Firmware Assessment - Deep dives into custom hardware, bootloader analysis, and side-channel attacks.

  • IoT Device Security - From consumer gadgets to industrial sensors, including wireless protocols, supply-chain risks, and over-the-air update weaknesses.

  • Hardware Hacking & Physical Security - Tamper resistance, fault injection, and scenarios where an attacker has physical access.

  • Hybrid Red Teaming - Combining software exploits with practical attack chains that cross digital and physical boundaries.


We’re not trying to compete with Mythos on raw vulnerability discovery volume. Instead, we’re building services that sit on top of AI-scale findings and turn them into actionable, business-relevant outcomes.


Our New Hybrid Service Offerings (Post-Mythos)


We’re evolving our menu to help clients navigate this new landscape:


  • Mythos-Augmented Hybrid Red Team Engagements - Use controlled AI discovery where it shines, then layer on our manual IoT/embedded/hardware expertise for complete attack simulation.

  • AI-Discovery Validation & Business Risk Triage - Got a flood of findings from Glasswing-style tools? We validate exploitability in your specific environment, prioritise based on real business impact, and map to Australian compliance needs (PCI DSS, APRA, etc.).

  • Embedded & IoT Resilience Programs - Continuous or quarterly testing that includes firmware review, hardware interface testing, and regression checks against both traditional and AI-generated attack techniques.

  • Remediation Assurance & Retesting - Verify that fixes actually hold up, including against evolving AI-assisted attack methods.

  • Offensive AI & Agentic Testing - Simulate how attackers might use frontier models against your AI-enabled devices or systems.


These services shift us from “one-off bug reports” to trusted long-term partners who help you stay ahead in an AI-accelerated threat landscape.


What Australian Organisations Should Do Now


  1. Don’t panic about the volume - More findings don’t automatically mean more risk. They mean you need better triage.

  2. Focus on your unique attack surface - If you run IoT fleets, embedded controllers, or hardware in sensitive environments, pure software AI scans won’t be enough.

  3. Seek hybrid expertise - Look for CREST-approved teams that understand both cutting-edge AI tools and the physical realities of devices.

  4. Plan for continuous validation - One annual pentest won’t cut it when new techniques emerge monthly.


Final Thoughts


Claude Mythos and Project Glasswing represent a genuine step change in cybersecurity capabilities. The organisations that win won’t be the ones with the fastest scanner; they’ll be the ones who best combine AI power with human insight, creativity, and real-world context.


At Exploit Security, that’s exactly what we’ve been doing for years in the IoT and embedded space. We’re excited to help Australian businesses turn this AI-driven vulnerability wave into a genuine security advantage.


Ready to future-proof your connected devices? Schedule a meeting for a no-obligation chat about hybrid testing or IoT resilience programs.


We also run hands-on Exploit This CTF challenges focused on embedded and IoT hacking: a great way to build internal team skills in this new era.



Exploit Security