Skip to content

Project Glasswing is impressive. But what about the rest?

Anthropic's Project Glasswing is a serious step forward for technical security. But it covers one third of the attack surface. Here's what it leaves out, and why that matters.

Swarm Intelligence banner with redacted text

Anthropic’s Project Glasswing is a serious undertaking: frontier AI models trained to find and exploit software vulnerabilities before adversaries do, with $100 million in model credits directed at open-source infrastructure, operating systems, and web browsers.

If it delivers as described, it’ll close zero-days at a scale no previous program has attempted. That deserves genuine recognition, but it also deserves a harder question.

One third of the surface

Offensive security must operate across three domains: technical, physical, and human.

  1. Technical covers software vulnerabilities, network weaknesses, and code-level exposures.
  2. Physical covers premises, hardware, and physical access controls.
  3. Human covers social engineering, phishing, and the behavioral vulnerabilities that no software patch can address.

Despite its huge promise, Glasswing only covers the first domain.

Where kill chains actually start

Cyber attacks don’t always begin with a zero-day. They often begin with a person – usually someone with good intentions ready to be exploited.

In a recent engagement with XK9M4VR2QNBZ, our teams used AI tools and LinkedIn reconnaissance to identify high-value impersonation targets. We built lookalike domains with valid mail records.

We drafted correspondence using AI, and then we waited.

The target’s support team worked the request for months: when we said we couldn’t log in, a file-sharing link arrived with the requested data. No credentials were stolen, and no software was exploited. Just a genuine email from a trusted source, and a support team that eventually stopped asking questions.

“We trusted the domain. We trusted the authority. We never thought to verify the human.”

— Security Lead, client organization

It’s not an isolated pattern. ShinyHunters, an APT tracked by Unit 42 and Google Threat Intelligence, made voice phishing their primary initial access method in 2026. Operators call targets posing as IT support, direct them to credential-harvesting sites, and capture credentials and MFA tokens in real time before the call ends. By the time the call is over, the attacker has an authenticated session.

The physical layer

Physical access is the third domain: also untouched by any code-scanning initiative, however sophisticated and promising it may be.

In another recent engagement with A7QK QK A7QZN3KW8C, a global financial institution, our team entered their flagship city-center office, accessed IT equipment, and prepared to remove hardware. Staff walked past. Nobody challenged the team. The organization had endpoint detection deployed. They’d successfully navigated their regulatory testing..

Their technical controls weren’t the problem.

The strategic question

As AI narrows the technical attack surface, the logic of attacker economics suggests rotation toward surfaces that remain undefended. If zero-days become harder and more expensive to operationalize because infrastructure patches faster, investing in social engineering or physical access becomes comparatively more attractive.

The attack surface doesn’t shrink because one domain is better defended. On current evidence, the threat redistributes.

The recent Handala and MuddyWater operation that wiped 200,000 Stryker devices in March 2026 relied on a single compromised admin credential. The management console did the rest. 200,000 endpoints wiped across 79 countries in under five hours. No malware deployed. No exploit chain executed

What a complete picture requires

Testing the technical layer is necessary. Glasswing is doing consequential work on it. But a security posture that evaluates only technical controls will miss the entry points that most attackers use first.

Human attack surface testing means simulating the creativity, perseverance and adaptability that leads to calls, emails, impersonation, and the authority bias that eventually leads to credentials being handed over willingly.

These aren’t edge cases. They are the reality of the modern cyber kill chain.

The threat of cyber attack is constant. So are we. Schedule a call to discuss how to outpace cyber threats.

Sources

  • Anthropic: Project Glasswing announcement
  • Unit 42 / Google Threat Intelligence: ShinyHunters voice phishing and SaaS exploitation, 2026
  • Krebs on Security / Tenable: Handala MDM wiper, Stryker, March 2026
  • CovertSwarm: Swarm Brief 2602 (Handala and MuddyWater)
  • CovertSwarm: Stories from the Swarm 002, 003