Project Glasswing warns power sector

An energy‑industry piece reports that AI tools can now discover and exploit software vulnerabilities faster than operators can patch them, making grid and utility software a rising security concern. The article frames the issue as a call for utilities and grid operators to adapt defence and patching strategies in response to automated attack‑finding capabilities (powermag.com).

A new class of artificial intelligence tools can now find software flaws faster than many utilities can patch them, pushing grid cybersecurity into a tighter race. (powermag.com)

Anthropic announced Project Glasswing on April 7, 2026, saying its Claude Mythos Preview model is being used by 12 launch partners to find and fix critical software vulnerabilities before attackers do. The partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. (anthropic.com)

Anthropic said the model has already identified thousands of previously unknown vulnerabilities, including a 27-year-old bug in OpenBSD and a 16-year-old flaw in FFmpeg that other automated testing had missed. Anthropic said those vulnerabilities were patched and that it does not plan a general public release of the model. (cyberscoop.com)

Software vulnerabilities are coding mistakes that can act like an unlocked side door in a building. In the power sector, those doors can sit inside business systems, vendor software, cloud services, and some operational technology that helps monitor and control electricity networks. (powermag.com)

Utilities already patch slowly for practical reasons: many industrial systems cannot be rebooted on demand, some updates require vendor approval, and outages for maintenance must be scheduled around reliability needs. North American Electric Reliability Corporation Critical Infrastructure Protection standards include requirements for system security management and for configuration change management and vulnerability assessments. (nerc.com)

The pressure is rising because defenders are not the only ones who can use faster tools. Forrester analysts wrote on April 8 that Project Glasswing could force organizations to rethink vulnerability management and patching because attackers may be able to move from discovery to exploit “in minutes.” (forrester.com)

Federal agencies already treat exploited flaws as a priority list rather than a routine maintenance problem. The Cybersecurity and Infrastructure Security Agency maintains a Known Exploited Vulnerabilities catalog and tells organizations to use it to prioritize remediation based on active threat activity. (cisa.gov)

The Energy Department has been pushing the sector toward the same mindset through its Office of Cybersecurity, Energy Security, and Emergency Response, which says it works to protect the reliable flow of energy and backs risk-management guidance for the electricity subsector. The department also points utilities to preparedness tools such as the Cybersecurity Capability Maturity Model and the Cybersecurity Risk Information Sharing Program. (energy.gov)

Project Glasswing also comes with money and limits. Anthropic said it will provide up to $100 million in usage credits, donate $4 million to open-source security organizations, and extend access to more than 40 additional organizations that build or maintain critical software infrastructure. (anthropic.com)

For utilities, the immediate change is not a new regulation but a shorter clock. The old patch cycle that treated many flaws as next-month work is colliding with tools built to find weak points at machine speed. (powermag.com)
