SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Forrester says Anthropic AI could break patch playbook

Mon, 13th Apr 2026

Forrester has published a blog examining what Anthropic's Project Glasswing could mean for software vulnerability management. The analyst firm argues that the initiative signals a shift in how organisations identify and address software flaws.

The blog focuses on Project Glasswing, which Anthropic launched with 11 technology and cybersecurity companies after claiming that its Claude Mythos Preview model can uncover previously unknown software vulnerabilities at unusual speed. Forrester argues that AI-led vulnerability discovery is advancing faster than the security operations and patching processes built to handle it.

That view reflects a broader concern in cybersecurity: discovery is becoming increasingly automated, while remediation remains tied to slower internal processes. Security teams still need to assess exposure, test fixes, manage change controls, and deploy patches across complex estates that often include legacy systems and regulated environments.

This creates a widening gap between what defenders can find and what they can secure. As AI systems surface flaws continuously, rather than in volumes that fit established monthly or quarterly patch routines, backlogs may grow.

Patch pressure

Long-standing patch cycles and remediation timelines may no longer be realistic if AI tools can discover vulnerabilities at machine speed. Conventional approaches assume a manageable flow of new issues, but continuous discovery would strain workflows that depend on human review, operational testing, and governance checks.

The same dynamic could also shorten the time available to respond once software fixes become available. Forrester argues that attackers will have access to similar AI techniques, enabling them to inspect patches, infer what has changed, and identify routes to exploitation more quickly after a vendor releases an update.

That could change the balance between vulnerability disclosure and operational response. The period between a flaw becoming known and a working exploit appearing has long been a central measure of cyber risk, and Forrester believes AI may narrow that window further.

Disclosure strain

The blog also points to pressure on the disclosure system itself. The Common Vulnerabilities and Exposures (CVE) framework is already under strain, and a sharp rise in discovered flaws could push the industry toward more restricted, partner-led models for finding and fixing vulnerabilities instead of broad public disclosure.

Such a shift would have consequences for software suppliers, security researchers, and enterprise buyers. Public disclosure systems have traditionally provided a common reference point for tracking flaws across products and vendors, while closed processes would place more responsibility on trusted networks and bilateral coordination.

Automation in remediation alone will not solve the problem. AI tools that help generate fixes or suggest response actions still depend on organisations having accurate asset inventories, a clear view of application architecture, and governance processes that support rapid decision-making.

Many businesses remain weak in those areas, particularly where infrastructure has grown through acquisitions or spans a mix of cloud, on-premises, and third-party environments. In those settings, determining whether a newly found vulnerability affects critical systems can take significant time, even before any patch is tested or approved.

Changing ownership

Security teams may have to rethink how they prioritise vulnerabilities and assign responsibility for response. Traditional severity ratings and linear triage models may be less useful in an environment where discovery is continuous and exploit development can also be accelerated by AI.

That would shift attention from simply ranking technical flaws to deciding which systems and business services must be addressed first, and who has the authority to act quickly when new weaknesses are identified. It also raises questions for boards and senior executives about whether current cyber governance models are suited to machine-speed discovery.
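The two operational points above, working out whether a newly found flaw touches critical systems at all, and then ranking by business service and exposure rather than by severity score alone, as an added Python example that is not part of the Forrester blog or this article. The inventory, the package and service names, the identifiers VULN-A and VULN-B, and the weighting in context_score are constructed assumptions for illustration, not real vulnerabilities or a published scoring method.

```python
"""Exposure check plus context-aware ranking over a constructed asset inventory.
Added illustration; nothing here is from Forrester, Anthropic or the article."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass
class Service:
    name: str
    criticality: int            # assumed scale: 1 (low) .. 5 (revenue- or safety-critical)
    internet_facing: bool
    owner: str                  # who can approve an emergency change for this service
    components: list[Component] = field(default_factory=list)


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                # hypothetical identifier, not a real CVE
    package: str
    fixed_in: str               # first version that contains the fix
    cvss: float
    exploit_public: bool


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b. Pads with zeros so '2.15' equals '2.15.0' instead of
    sorting before it, which a naive tuple comparison would get wrong."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def affected_services(inventory: list[Service], vuln: Vulnerability) -> list[Service]:
    """Exposure check: which services ship a vulnerable version of the package.
    This is only as good as the inventory it is run against."""
    return [s for s in inventory
            if any(c.name == vuln.package and version_lt(c.version, vuln.fixed_in)
                   for c in s.components)]


def context_score(service: Service, vuln: Vulnerability) -> float:
    """Illustrative weighting (assumption): criticality, reachability and a public
    exploit dominate; the CVSS number only breaks ties."""
    score = service.criticality * (2.0 if service.internet_facing else 1.0)
    if vuln.exploit_public:
        score *= 2.0
    return score + vuln.cvss / 10.0


def rank(inventory, vulns, key):
    pairs = [(s, v) for v in vulns for s in affected_services(inventory, v)]
    pairs.sort(key=lambda sv: key(*sv), reverse=True)   # stable, so ties keep input order
    return [(s.name, v.vuln_id, s.owner) for s, v in pairs]


def rank_by_severity(inventory, vulns):
    return rank(inventory, vulns, lambda s, v: v.cvss)


def rank_by_context(inventory, vulns):
    return rank(inventory, vulns, context_score)


# Constructed sample data. Note build-agent carries "2.15" with no patch digit.
INVENTORY = [
    Service("payments-api", 5, True, "payments-oncall",
            [Component("libjson", "2.14.1"), Component("tls-lib", "1.3.0")]),
    Service("build-agent", 2, False, "platform-eng",
            [Component("libjson", "2.15"), Component("ci-runner", "0.9.2")]),
    Service("intranet-wiki", 2, False, "it-ops",
            [Component("libjson", "2.13.0")]),
]

VULNS = [
    Vulnerability("VULN-A", "libjson", "2.15.0", cvss=7.5, exploit_public=True),
    Vulnerability("VULN-B", "ci-runner", "1.0.0", cvss=9.8, exploit_public=False),
]

if __name__ == "__main__":
    print("by severity:", rank_by_severity(INVENTORY, VULNS))
    print("by context: ", rank_by_context(INVENTORY, VULNS))
```

The same three findings come out in a different order under the two rankings: by CVSS alone the 9.8 in an internal build agent goes first, while the context ranking puts the internet-facing payments service with a public exploit at the top and names the owner who can approve the change. The version padding in version_lt is the kind of inventory data-quality detail the passage alludes to; without it, "2.15" would be reported as vulnerable against a fix in "2.15.0" and a team would chase a patch it had already applied.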

Forrester presents Project Glasswing as an early signal of that pressure, rather than a narrow product development story. The issue, in its view, is not only whether a single model can find more bugs, but whether the wider security system can absorb a higher volume of vulnerability intelligence without becoming overwhelmed.

"If true - and we have little reason to doubt the veracity of the claims - this will break the vulnerability management playbook and perhaps the cybersecurity approaches of today," Forrester analysts wrote.