On April 7, Anthropic announced Project Glasswing. Twelve companies came together: Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation.
The partnership itself signals something worth paying attention to. These are competitors. Companies that spend billions fighting for market share decided to work together on one thing: securing critical software before the window closes.
On the surface, it's technical. Anthropic’s Mythos model found thousands of zero-day flaws in operating systems, web browsers, and foundational infrastructure. Vulnerabilities that survived decades of expert review.
Underneath the technical detail is the real signal: the cybersecurity industry just acknowledged something it has been avoiding. Reactive security doesn't work anymore.

The timeline compression
For decades, cybersecurity moved slowly. A vulnerability would sit dormant in software for years. Eventually someone found it, either a defender or an attacker. If defenders got there first, they could patch it. Timelines stretched across months. The system had rhythm and predictability.
That predictability died.
Claude Mythos Preview can find vulnerabilities that thousands of automated tests missed and expert human eyes overlooked. More importantly, the same AI capability that lets defenders find these flaws can be weaponised by attackers. The compressed timeline isn't theoretical. It's real and it's happening now.
What took months through specialised expertise now happens in minutes. As these AI capabilities spread, the barrier to entry for launching sophisticated attacks drops sharply. Bad actors don't need deep expertise anymore.
The window between vulnerability discovery and exploitation is collapsing.

Why this matters as an industry signal
Twelve fierce competitors don't align casually. It happens when they see a shared threat that matters more than competitive advantage.
These companies realised that security isn't a moat anymore. It's a prerequisite. If critical infrastructure gets compromised, all boats sink. So Apple and Microsoft started sharing vulnerability findings. The Linux Foundation gave open source maintainers access to the same AI tools. Anthropic committed 100 million dollars in model credits and 4 million in donations to security organisations.
This is what collective action looks like when it matters. It says the foundation has shifted. The baseline of security for critical software just moved permanently.
Organisations that aren't in Glasswing will feel the effects anyway. The software your systems depend on will become measurably more secure. That's the upside.
The downside: threat landscapes accelerate in parallel. The tools and techniques that defenders are using will proliferate. The asymmetry between attackers and defenders will sharpen. Organisations that built security practices on the assumption they have time to respond won't have it.

What actually changes
A security posture that was sufficient last year may not be sufficient this year. Not because threats are unpredictable or random, but because the pace of threat evolution is now faster than the pace most organisations can adapt.
The old framework doesn't hold anymore. The framework that said: wait for a threat to emerge, investigate, patch, deploy. That takes time. Lots of time. Organisations simply don't have that luxury now.
The new reality requires a different kind of thinking. Not "Are we protected?" but "Are we moving as fast as our threat landscape is moving?"
For mid-market organisations and professional services firms, this hits harder. You have the complexity of larger enterprises but fewer resources. You need a security approach that's grounded in reality, not perfection. One that balances vigilance with constraints.

The difference between knowing and understanding
Most organisations understand that cybersecurity matters. They maintain security practices, update systems, run audits. Few understand that the pace of change itself has become the primary challenge.
The companies in Glasswing understand the difference. They're already mapping critical dependencies. They're asking harder questions about software they rely on. They're building practices that assume the threat landscape will be unrecognisable 18 months from now.
If your organisation is thinking about security roadmaps and wondering whether you're keeping pace with this shift, it's worth having that conversation with people who see these patterns clearly.
At VITD, we work with Australian organisations at the intersection of technology and business risk. We've seen these shifts before. We understand what it means when the industry collectively moves like this. And we know the questions that matter when organisations need to evolve faster than they have before.
This is the kind of moment where expertise actually counts. Not expertise in any single technology, but expertise in translating what's happening in the broader industry into workable decisions for the organisations we work with.
If this resonates and you'd find it useful to talk through what Glasswing signals for your organisation, get in touch. We'll be direct with you about what the real challenges are and where you actually stand.





