Project Glasswing: Effective AI/LLM Vulnerability Discovery Methodology
Generated: 2026-05-30 · API: Gemini 2.5 Flash · Modes: Summary
Project Glasswing: Effective AI/LLM Vulnerability Discovery Methodology
Clip title: First findings from Project Glasswing Author / channel: IBM Technology URL: https://www.youtube.com/watch?v=ftUlJzuzdU4
Summary
This “Security Intelligence” podcast episode, hosted by Matt Kosinski, features panelists Kimmie Farrington (Security Detection Engineer), Dustin Heywood aka EvilMog (Executive Managing Hacker), and Curtis Pitts (Lead CISO Trust), discussing current cybersecurity news and enduring challenges. The main topics include lessons learned from Anthropic’s Glasswing project, a significant CISA GitHub repository leak, and a reflection on the 28th anniversary of L0pht Heavy Industries’ congressional testimony.
The first segment focuses on “Lessons from Glasswing,” a project leveraging Anthropic’s large language model (LLM) “Mythos” for AI-driven vulnerability discovery. Cloudflare, one of the participants, published its findings, highlighting that Mythos excels at proof generation and constructing exploit chains by linking smaller vulnerabilities. However, a key takeaway was that simply pointing the LLM at a repository and asking it to find vulnerabilities proved ineffective. Instead, a “harness” approach, which breaks down the process into discrete steps and orchestrates specialized agents, was found to be most successful. Panelists noted that this layered, targeted methodology isn’t new to cybersecurity but rather a reapplication of tried-and-true principles to a new technology, demonstrating that purpose-built models are more effective than broad, unfocused queries. The project is expanding with new participants like IBM, and relaxed confidentiality agreements promise more shared insights in the future.
The discussion then shifted to a major CISA GitHub repository leak, where a contractor inadvertently exposed sensitive data, including cloud keys, tokens, and plaintext passwords, for months. While there’s no evidence of misuse by malicious actors, the incident underscores critical governance and cyber hygiene failures. Panelists emphasized that such a breach highlights multiple breakdowns in process, not just a single individual’s mistake. The presence of easily guessed passwords (e.g., “platformname2024!”) further exposed poor basic security practices. The consensus was that this event is a significant “supply chain problem,” as compromised credentials or source code for core platforms like GitHub could have far-reaching implications, giving attackers deep insight into how systems operate and enabling more sophisticated, undetected intrusions across many organizations.
Finally, the podcast commemorated the 28th anniversary of L0pht Heavy Industries’ testimony to Congress in 1998, where they warned about pervasive cyber threats like weak authentication, unencrypted protocols, and fragile, unaccountable infrastructure. Space Rogue, one of the original hackers, reflected that while technology has evolved, many fundamental security problems remain largely unchanged. This led to a broader discussion about whether the cybersecurity industry is caught in an “eternal cycle” of solving old problems only to create new ones with each technological advancement. The panelists agreed that a persistent gap exists between what security experts understand and what decision-makers act upon, often due to a focus on speed-to-market over security. Closing this gap requires better communication, translating security needs into business terms, fostering a culture of continuous training (especially for junior staff), and reinforcing basic cyber hygiene across all users and systems, including AI agents.
Video Description & Links
Description
Explore the podcast → https://ibm.biz/~WrcSAwFY6
While Anthropic has restricted Mythos access to its Project Glasswing partners, it has always maintained that lessons from Glasswing would be shared with the broader cybersecurity community. Now, those lessons are starting to roll out.
This week, on Security Intelligence, panelists Dustin “EvilMog” Heywood, Kimmie Farrington and Curtis Pitts discuss Cloudflare’s recent write-up on its adventures with Mythos so far. We discuss what separates Mythos from other AI vulnerability hunters, Cloudflare’s agentic harness and whether “speed” is the wrong way to think about AI cybersecurity tools.
Then: A CISA contractor accidentally exposed a repo full of cloud keys, passwords, tokens and other credentials to the public web on GitHub. It’s a case study in identity and access management mistakes and supply chain vulnerabilities—and there’s a lot to learn from ti.
Finally, we look back on L0pht Day, 1998, when a group of Boston-area hackers warned Congress about the fundamentally inadequate security measures of the early internet. Have we made any progress since then? Maybe not as much as you think.
All that and more, on Security Intelligence.
AI news moves fast. Sign up for a monthly newsletter for AI updates from IBM → https://ibm.biz/~bT2KuAaCH #mythos glasswing cybersecurity
Tags
IBM, IBM Cloud