What Glasswing’s latest updates mean for Agentic Runtime Security
Anthropic told the world it can find ten thousand critical vulnerabilities in a month, and no one can patch them fast enough. Anthropic is framing that asymmetry as a finding. For defenders, it’s closer to a new post-Mythos operating model.
Key points
- AI can now find critical vulnerabilities far faster than anyone can patch them. The bottleneck in security has flipped from finding flaws to fixing them.
- Anthropic's Project Glasswing quantifies the gap: 10,000+ high- and critical-severity vulnerabilities found, only a fraction patched, and the capability going industry-wide within 6 to 12 months.
- In 2026, exploitation often begins before a patch even exists. The unpatched window, not the patch, is where attacks now land.
- Faster patching alone won't close it. Agentic Runtime Security does behavioral detection, attack reconstruction, and containment across cloud, SaaS, identity, and AI.
When I wrote about Claude Mythos shrinking the remediation window back in April, the argument was still partly a forecast. Mythos Preview proved that AI could compress the path from vulnerability discovery to working exploit, and we argued that when an exposure can’t be closed fast enough, it needs a compensating control that detects misuse, reconstructs the attack path, and contains impact before the business feels it.
Two more announcements from Project Glasswing have landed since then. They don’t soften that argument. They confirm it, quantify it, and – read the way a defender should – make it considerably more urgent.
The bottleneck in cybersecurity has officially flipped. Finding vulnerabilities is no longer the hard part. Fixing them is. And the window between the two is exactly where attackers will now operate.
What Anthropic's updates said
Update one (May 22): the bottleneck moved. In the first Glasswing update, Anthropic reported that roughly 50 partners had used Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities in the world’s most systemically important software. The line that matters most is Anthropic’s own framing of what changed: progress on software security used to be limited by how fast we could find new vulnerabilities. Now it’s limited by how fast we can verify, disclose, and patch them.
The supporting numbers are not subtle:
- Cloudflare alone found 2,000 bugs – 400 of them high or critical – in the first month, with a false-positive rate its team considers better than human testers.
- Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing Mythos, more than ten times what it found in the prior version with a previous Claude model.
- Anthropic’s scan of 1,000+ open-source projects surfaced 6,202 high- or critical-severity findings at a 90.6% true-positive rate.
- Mythos constructed a working certificate-forgery exploit in wolfSSL (CVE-2026-5194), a cryptography library used by billions of devices.
And then the big tell. Of the 530 high- or critical-severity bugs Anthropic disclosed, only 75 had been patched at the time of writing. Maintainers asked Anthropic to slow down. Average time to patch a confirmed critical vulnerability: about two weeks. Palo Alto Networks shipped five times its usual number of patches in one release; Microsoft said its patch volume would “continue trending larger for some time.”
That’s what a broken remediation pipeline looks like when you point a powerful, industrial vulnerability-discovery engine at it. The discovery curve went vertical. The patching curve barely moved.
Update two (June 2): the capability is going wide. The expansion announcement extends Glasswing to roughly 150 new organizations across more than 15 countries – now spanning power, water, healthcare, communications, and hardware and including vendors whose code other organizations and governments depend on. For most of these partners, Anthropic estimates a major attack could affect more than 100 million people.
The more important sentence for everyone not in Glasswing is the timeline. Anthropic expects that within 6 to 12 months, many other AI companies will have Mythos-class models, and some may release them without the safeguards that prevent misuse. Glasswing’s stated purpose is no longer just to harden critical code. It’s to push the entire industry toward “operating norms that reflect this reality” before that happens.
Read those two updates together, and the picture for defenders is stark. A small set of trusted defenders has an asymmetric advantage today, the capability is proliferating on a clock measured in months, and the patching ecosystem is already buckling under the volume that just one model produces.
The gap is no longer a forecast. It’s an operational fact.
In April we called this the “unfixable gap” or the space between identifying an exposure and actually closing it. The Glasswing updates put hard numbers on both sides of that gap, and our own threat-landscape analysis fills in the rest.
On the discovery side
48,185 CVEs were published in 2025, up roughly 20% year-over-year on top of a 38% jump the year before – about 131 disclosed per day. Ninety zero-day vulnerabilities were exploited in the wild, with the enterprise share at an all-time high. Now layer the AI multiplier on top of a curve that was already bending upward.
On the patching side
The average critical-severity vulnerability sits open for around 165 days. Roughly a third of critical vulnerabilities remain unpatched at 180 days. And in about 60% of breaches, a patch was already available at the time of compromise. This is a patching gap, not a patching absence. The fix existed. It just wasn’t deployed in time.
Now the part that should challenge the “just patch faster” conversation. On average in 2026, exploitation begins about a week before the patch is even released. eCrime breakout times are measured in minutes, with the fastest observed under half a minute. Handoffs from initial-access broker to ransomware affiliate happen in seconds.
It’s already showing up in the wild:
- Oracle E-Business Suite (CVE-2025-61882) was exploited as a 0-day from early August – nearly two months before the emergency patch – followed by an extortion campaign hitting EBS customers globally. The gap was measured in weeks.
- The TanStack / GitHub Actions incident in May 2026 chained three flaws in a novel pattern: 84 malicious packages published in six minutes, and within an 18-minute window the campaign had moved on to GitHub, OpenAI, Mistral, and Grafana. Patching wasn’t even an option; the gap was structural.
- In May 2026, Google’s threat intelligence group attributed the first publicly confirmed in-the-wild 0-day developed with AI assistance – a 2FA bypass against a popular open-source admin tool. The discovery curve is now visible in production.
In every case, exploitation reached production before patching could. When exploitation is structurally faster than remediation, runtime detection and response has to carry the load that patching no longer can.

What closes the vulnerability gap
This is where the arithmetic, not Mitiga’s preference, leads. And it’s also where Anthropic’s own guidance lands: network defenders should shorten patch timelines and keep comprehensive logs for detection and response, because security can’t depend on any single patch landing in time.
Agentic Runtime Security is detection and response that watches cloud, SaaS, identity, and AI at runtime, anticipating, disrupting, and stopping active attacks based on behavior and threat intelligence before indicators of compromise exist, and containing them before business impact. It is the control that covers the window patching can't close in time.
Three principles follow directly from the post-Mythos threat model.
Behavior first, followed by IOCs when they arrive. Indicators of compromise lag by definition – they describe attacks that already happened somewhere else. When exploitation precedes the patch, and sometimes precedes the CVE entirely, detection has to start on behavior: anomalous workflow execution, unfamiliar token usage, and abnormal lateral movement. IOCs get layered in as intelligence matures. A hunt that only fires on known indicators is, by construction, always late.
Treat known-but-unfixed exposure as a live detection surface. Every exposure you can’t close on a risk-removing timeline is an open window, and it needs to be watched like one. The legacy workload, the cloud misconfiguration, the SaaS integration, and the AI-connected service you can’t remediate this quarter become some of the most important detection surfaces in the enterprise, not items that sit in a posture backlog.
Defend from AI by defending with AI. If attacker operations are getting faster, more concurrent, and more cloud-native, human-speed investigation cannot keep pace. Does that mean handing all control to autonomous agents? It does not. It does mean using AI where it counts – validation, prioritization, triage, attack reconstruction, and guided preemptive containment – with approval boundaries, scoped permissions, auditability, and reversibility.
The most damaging attacks will not wait for posture teams to finish remediating. They move through compromised OAuth tokens, abused connected apps, social-engineered identities, third-party integrations, and API-driven data access – across cloud, SaaS, identity, and AI. Those are runtime detection and response problems. They demand telemetry, correlation, investigation, and containment at machine speed. This approach is the essence of Zero-Impact Breach Prevention in a post-Mythos threat landscape.
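As an added illustration of the behavior-first principle (example code written for this page, not Mitiga's product logic or Anthropic's), a small Python correlator over constructed SaaS, identity and cloud events: it flags per-event anomalies without any known IOC, chains flagged events for the same principal into one attack story when they fall within a 15-minute window and cross at least two surfaces, and layers IOC matches in only when an indicator set is supplied. The event field names, the per-principal network baseline and the approved-app list are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # max gap between steps of one attack story

# Constructed sample telemetry (not real logs): alice's three events model a SaaS
# OAuth token chained into cloud control-plane use from an unfamiliar network.
EVENTS = [
    {"ts": "2026-05-20T09:00:00", "surface": "saas", "principal": "alice", "action": "oauth_grant", "asn": 111, "app": "unlisted-app"},
    {"ts": "2026-05-20T09:03:00", "surface": "identity", "principal": "alice", "action": "token_use", "asn": 999},
    {"ts": "2026-05-20T09:05:00", "surface": "cloud", "principal": "alice", "action": "sts:AssumeRole", "asn": 999},
    {"ts": "2026-05-20T10:00:00", "surface": "identity", "principal": "bob", "action": "token_use", "asn": 111},
    {"ts": "2026-05-20T10:02:00", "surface": "cloud", "principal": "bob", "action": "s3:ListBuckets", "asn": 111},
]
BASELINE_ASN = {"alice": {111}, "bob": {111}}  # assumed: networks each principal normally uses
APPROVED_APPS = {"hr-suite", "ticketing"}       # assumed: sanctioned OAuth apps
IOCS = set()                                    # no indicators of compromise known yet

def behavior_flags(ev, baseline, approved):
    """Per-event behavioral anomalies; none of them depends on a known IOC."""
    flags = []
    if ev["surface"] == "saas" and ev["action"] == "oauth_grant" and ev.get("app") not in approved:
        flags.append("grant-to-unapproved-app")
    if ev["asn"] not in baseline.get(ev["principal"], set()):
        flags.append("unfamiliar-network")
    if ev["surface"] == "cloud" and ev["action"].startswith("sts:"):
        flags.append("control-plane-role-assumption")
    return flags

def attack_stories(events, baseline, approved, iocs, window=WINDOW):
    """Chain flagged events per principal that fall within `window` of each other;
    a story is reported only when the chain crosses at least two surfaces."""
    by_principal, stories = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_principal.setdefault(ev["principal"], []).append(ev)
    for principal, evs in by_principal.items():
        chain = []
        for ev in evs:
            flags = behavior_flags(ev, baseline, approved)
            if ev["asn"] in iocs:
                flags.append("ioc-match")  # layered in only once intel exists
            if not flags:
                continue
            ts = datetime.fromisoformat(ev["ts"])
            if chain and ts - datetime.fromisoformat(chain[-1]["ts"]) > window:
                chain = []  # too far apart to be one story: start over
            chain.append({"ts": ev["ts"], "surface": ev["surface"], "action": ev["action"], "flags": flags})
        if len({step["surface"] for step in chain}) >= 2:
            stories[principal] = chain
    return stories
```

With an empty IOC set the alice chain is still reported on behavior alone; bob's in-baseline activity produces no story.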
Why posture management can’t be the answer here
The Glasswing updates bring a category distinction into view. Posture-based tools, including SaaS Security Posture Management (SSPM) with identity threat detection bolted on, are good at what they’re built for: finding misconfigurations, flagging compliance drift, and scoring identity risk. In a world where exploitation beats the patch, that’s necessary but nowhere near sufficient.
The structural limits matter:
Scope.
SSPM and SaaS-bound ITDR correlate within SaaS and identity. They do not extend into cloud-infrastructure runtime – the IaaS control plane, workloads, and cross-platform attack paths – which is explicitly out of scope for the category. An attacker chaining a compromised SaaS token into cloud control-plane abuse moves straight through that seam. (For a deeper view into SSPM vs. Agentic Runtime Security, see our Compare page, SSPM vs. Agentic Runtime Security.)
Detection model.
Posture-centric tooling leans on configuration scans and, at best, identity-bounded behavioral analytics. Agentic Runtime Security starts from behavioral indicators of attack across all four surfaces and decodes early-stage attacker activity to anticipate where it’s headed – before IOCs exist.
Compensating control framing.
Continuing to monitor identity behavior when a configuration isn’t yet remediated is useful, but it isn’t the same as treating every unfixable gap as a watched detection surface with the telemetry depth to reconstruct and stop a live attack across environments.
Forensic depth.
Closing the gap after the fact requires IR-grade reconstruction – a forensic record across cloud, SaaS, identity, and AI that’s deep enough to rebuild the full attack story in minutes, not fragmentary event search with short retention. This is the power of Mitiga’s Cloud Security Data Lake that collects, enriches, and normalizes logs across all surface areas.

Mitiga’s premise is that these four surfaces – cloud infrastructure, SaaS, identity, and AI – have to live in one correlated forensic system, not four siloed posture dashboards. Mitiga’s Zero-Impact platform, powered by Helios AIDR, is built around exactly that: panoramic awareness across all four, behavioral detection that catches compromised credentials, lateral movement, and data exfiltration in real time, automated triage that collapses alert noise into a prioritized attack story, and containment that can revoke sessions, quarantine identities, and block API calls mid-flight, before impact materializes.
That’s the difference between knowing a window is open and seeing the attacker the moment they climb through it.
What security leaders should do now
The Glasswing updates are not an abstract AI debate. They’re real-world validation that the capability curve points in one direction: discovery is speeding up, exploit development is speeding up, and the pressure on remediation windows is increasing – with the broader proliferation Anthropic warns about arriving on a 6-to-12-month horizon.
So, let’s start from a more honest premise. Assume some known exposure in your environment will stay open longer than you’d like. Then ask the only question that matters:
If an attacker uses that exposure tomorrow, will we see them in time to stop the impact?
If the answer is uncertain, the gap has stopped being a remediation problem and become a runtime defense problem. Posture tells you where the windows are. Agentic runtime detection and response is what’s standing there when someone climbs through one.
In a post-Mythos era, compensating controls aren’t secondary anymore. The gap is the strategy now.
Frequently asked questions about what Project Glasswing means for Agentic Runtime Security
What is Agentic Runtime Security?
A detection-and-response approach that watches cloud, SaaS, identity, and AI at runtime, decodes attacker behavior before indicators of compromise exist, and contains the attack before it causes impact instead of relying on patching or posture to keep attackers out.
Why can't patching keep up with AI-driven vulnerability discovery?
AI now finds critical vulnerabilities far faster than vendors can verify, disclose, and ship fixes. In 2026, exploitation often begins about a week before a patch is released, and in roughly 60% of breaches a patch already existed but wasn't deployed in time. The exposure window, not the patch, is where attacks land.
How is Agentic Runtime Security different from SSPM or ITDR?
SSPM and SaaS-bound ITDR find misconfigurations and score identity risk within SaaS and identity but don't extend into cloud-infrastructure runtime or correlate a cross-platform attack path. Agentic Runtime Security starts from behavioral indicators of attack across all four surfaces and keeps IR-grade forensic depth to reconstruct and contain a live attack.
Ready to close the gap with Agentic Runtime Security for Cloud, SaaS, and AI?
See whether your SOC can detect and contain an AI-speed attack path across cloud, SaaS, identity, and AI. Explore Mitiga Helios AIDR or request a demo today.