Skip to content

Project Glasswing is impressive. But what about the rest?

Anthropic's Project Glasswing is a serious step forward for technical security. But it covers one third of the attack surface. Here's what it leaves out, and why that matters.

Swarm Intelligence banner with redacted text

Anthropic’s Project Glasswing is a serious undertaking. Eleven technology companies. Frontier AI trained to find and exploit software vulnerabilities before adversaries do. $100 million in model credits directed at open-source infrastructure, operating systems, and web browsers.

If it delivers as described, it’ll close zero-days at a scale no previous program has attempted. That deserves genuine recognition.

It also deserves a harder question.

One third of the surface

Offensive security must operate across three domains: technical, physical, and human. Technical covers software vulnerabilities, network weaknesses, and code-level exposures. Physical covers premises, hardware, and physical access controls. Human covers social engineering, phishing, and the behavioral vulnerabilities that no software patch can address.

Despite its promise, Glasswing covers the first domain. It doesn’t cover the rest.

Where kill chains actually start

Most attacks don’t begin with a zero-day. They begin with a person. Usually someone with good intentions ready to be exploited.

In a recent engagement with XK9M4VR2QNBZ, Swarm operators used AI tools and LinkedIn reconnaissance to identify high-value impersonation targets. We built lookalike domains with valid mail records. We drafted correspondence using AI. Then we waited.

Read the full story

The target’s support team worked the request for months. When we said we couldn’t log in, a file-sharing link arrived with the requested data. No credentials were stolen. No software was exploited. Just genuine email, from a trusted source, and a support team that just stopped asking questions.

“We trusted the domain. We trusted the authority. We never thought to verify the human. That’s exactly what attackers count on.”

— Security Lead, client organization

It’s not an isolated pattern. ShinyHunters, tracked by Unit 42 and Google Threat Intelligence, made voice phishing their primary initial access method in 2026. Operators call targets posing as IT support, direct them to credential-harvesting sites, and capture credentials and MFA tokens in real time before the call ends. By the time the call is over, the attacker has an authenticated session. Not an exploit. A phone call.

The physical layer

Physical access is the third domain: also untouched by any code-scanning initiative, however sophisticated.

In another recent engagement with A7QK QK A7QZN3KW8C, a global financial institution, our team entered their flagship city-center office, accessed IT equipment, and prepared to remove hardware. Staff walked past. Nobody challenged the team. The organization had endpoint detection deployed. They underwent regulated security testing on a defined cycle.

Their technical controls weren’t the problem. The door was.

Read the full story

The rotation problem

Here’s the strategic question that follows from Glasswing’s success.

As AI defensively narrows the technical attack surface, the logic of attacker economics suggests rotation toward surfaces that remain undefended. If zero-days become harder and more expensive to operationalize because infrastructure patches faster, investing in social engineering or physical access becomes comparatively more attractive.

The attack surface doesn’t shrink because one domain is better defended. On current evidence, the threat redistributes.

This isn’t theoretical. The recent Handala and MuddyWater operation that wiped 200,000 Stryker devices in March 2026 didn’t rely on a zero-day. It relied on a single compromised admin credential. One account. The management console did the rest. 200,000 endpoints wiped across 79 countries in under five hours. No malware deployed. No exploit chain executed.

Glasswing wouldn’t have changed that outcome. No code-scanning initiative would.

What a complete picture requires

Testing the technical layer is necessary. Glasswing is doing consequential work on it. But a security posture that evaluates only technical controls will miss the entry points that most attackers use first.

Human attack surface testing means simulating the calls, the emails, the impersonation, and the authority bias that lead to credentials being handed over willingly. Physical security testing means finding out whether your staff will hold the door, accept a stranger’s presence in the server room, or challenge someone removing hardware.

These aren’t edge cases. They’re the kill chain.

The threat of cyber attack is constant. So are we. Schedule a call to discuss how to outpace cyber threats.

Sources

  • Anthropic: Project Glasswing announcement
  • Unit 42 / Google Threat Intelligence: ShinyHunters voice phishing and SaaS exploitation, 2026
  • Krebs on Security / Tenable: Handala MDM wiper, Stryker, March 2026
  • CovertSwarm: Swarm Brief 2602 (Handala and MuddyWater)
  • CovertSwarm: Stories from the Swarm 002, 003