What Project Glasswing Means for Your Third-Party Cyber Risk Program
Published
Apr 16, 2026
Introduction
Last week, Anthropic demonstrated something the security industry has been bracing for: an AI model that can find and exploit zero-day vulnerabilities autonomously, at scale, across every major operating system and web browser.
The project is called Glasswing. The model is Claude Mythos Preview. The implications for your third-party cyber risk management program are immediate. Glasswing is one of the first AI-driven vulnerability discovery efforts of its kind, and many others will follow. Whether the hype around it is warranted is still being debated, but the opportunities it creates for defenders and the threats it creates for attackers are real.
What Glasswing Found and Why It Matters for Vendor Security
The numbers are not abstract. Mythos Preview found a 27-year-old vulnerability in OpenBSD, the operating system trusted to run firewalls and critical infrastructure across the internet. It also found a 16-year-old flaw in FFmpeg, a video encoding library embedded in thousands of enterprise applications, in a line of code that automated testing tools had examined five million times without flagging it.
These are not edge cases. These are the foundational layers of modern software infrastructure. They sat undetected through decades of human expert review and billions of automated test cycles until an AI found them in days.
Mythos Preview reproduced known vulnerabilities at an 83.1% rate on industry benchmarks, compared to 66.6% for the next-best model. That gap is not incremental. It is a capability threshold.
How AI-Discovered Zero-Days Change Third-Party Cyber Risk Management
The conventional third-party cyber risk management (TPCRM) posture (assess top vendors annually, re-assess after an incident, monitor critical suppliers quarterly) was designed for a world in which finding and exploiting a vulnerability required rare human expertise and significant time.
That world ended last week.
The attack surface your vendors represent is not just their first-party systems. It includes every library they import, every operating system they run, and every open-source component in their container stack. AI-augmented attackers do not respect the perimeter you drew around your top 50 suppliers. They probe every tier. And now they can do it at scale.
Concentration risk is now the most urgent question in third-party cyber risk. How many of your critical vendors share the same service provider, the same infrastructure, the same cloud provider, or the same FFmpeg build? A single AI-discovered zero-day in a shared dependency becomes a simultaneous exposure across your entire vendor ecosystem.
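The question in the paragraph above ("how many of your vendors share the same FFmpeg build?") can be answered mechanically if you collect software bills of materials from your vendors. The script below is an added example, not Black Kite's or Anthropic's code: it takes a few constructed CycloneDX-style SBOM fragments (one per vendor, with components identified by package URL), builds an index of which vendors ship which component, ranks components by how many vendors depend on them, and lists the vendors exposed by a given affected component and version set. The vendor names, purls and versions are invented for illustration; matching affected versions by exact string is a deliberate simplification, since real advisories give version ranges.

```python
"""Concentration-risk mapping across a vendor ecosystem from SBOM data.

Added illustration only (not Black Kite's or Anthropic's code). Inputs are
constructed CycloneDX-like fragments whose components carry a package URL.
"""
from collections import defaultdict

# Constructed sample: one minimal SBOM fragment per vendor.
# Vendor names, components and versions are illustrative, not real data.
VENDOR_SBOMS = {
    "payroll-saas": {"components": [
        {"purl": "pkg:generic/ffmpeg@4.4.2"},
        {"purl": "pkg:generic/openssl@3.0.13"},
        {"purl": "pkg:pypi/django@4.2.11"},
    ]},
    "video-cdn": {"components": [
        {"purl": "pkg:generic/ffmpeg@6.1.1"},
        {"purl": "pkg:generic/openssl@3.0.13"},
    ]},
    "hr-portal": {"components": [
        {"purl": "pkg:generic/ffmpeg@4.4.2"},
        {"purl": "pkg:npm/lodash@4.17.21"},
    ]},
    "fw-mgmt": {"components": [
        {"purl": "pkg:generic/openbsd@7.4"},
        {"purl": "pkg:generic/openssl@3.0.13"},
    ]},
}


def parse_purl(purl):
    """Split 'pkg:type/name@version' into ('type/name', version).

    Qualifiers and subpaths are ignored; version is None when absent.
    """
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]
    name, _, version = body.partition("@")
    return name, (version or None)


def component_index(sboms):
    """Map component name -> {vendor: version} across all vendor SBOMs."""
    idx = defaultdict(dict)
    for vendor, sbom in sboms.items():
        for comp in sbom.get("components", []):
            name, version = parse_purl(comp["purl"])
            idx[name][vendor] = version
    return idx


def concentration(sboms):
    """Components ranked by the number of distinct vendors that ship them.

    Ties are broken alphabetically so the output is deterministic.
    """
    idx = component_index(sboms)
    return sorted(((name, len(v)) for name, v in idx.items()),
                  key=lambda t: (-t[1], t[0]))


def exposed_vendors(sboms, name, affected_versions=None):
    """Vendors shipping `name`.

    If `affected_versions` (a set of version strings) is given, keep only
    vendors on one of those versions. Exact-string matching is a
    simplification: real advisories give ranges, which need a proper
    version comparison for the component's ecosystem.
    """
    hits = component_index(sboms).get(name, {})
    if affected_versions is None:
        return sorted(hits)
    return sorted(v for v, ver in hits.items() if ver in affected_versions)


if __name__ == "__main__":
    print("Shared components (name, vendor count):")
    for name, count in concentration(VENDOR_SBOMS):
        print(f"  {name}: {count}")
    # Constructed scenario: assume a flaw is reported in ffmpeg 4.4.2 only.
    print("Vendors exposed by ffmpeg 4.4.2:",
          exposed_vendors(VENDOR_SBOMS, "generic/ffmpeg", {"4.4.2"}))
```

Two caveats a practitioner would add. First, an SBOM is only as good as its depth: a vendor that lists direct dependencies but not what its container base image bundles will look clean while still carrying the affected library, so treat a missing component as unknown rather than absent. Second, the same library under different names in different ecosystems (a distro package, a pip wheel, a vendored copy) will not collapse into one entry without a normalisation step on top of the purl name.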
What Black Kite Provides that Periodic Assessments Cannot
Black Kite was built on a thesis that has now been validated at scale: the cyber ecosystem risk that matters is continuous, Nth-party, and connected. Not periodic. Not siloed. Not limited to vendors you can name on a spreadsheet.
TPCRM Capabilities Built for AI-speed Threats:
- The Ransomware Susceptibility Index® (RSI™) predicts vendor susceptibility before an attacker exploits it, whether that attacker is human or AI.
- FocusTags® bridge the gap between a global threat and your specific ecosystem, so your team is not manually mapping threat advisories to a vendor list.
- The Vulnerability Intelligence Brief™ (VIB™) identifies which vendors in your ecosystem run affected software and quantifies exploitability. That capability architecture was designed for exactly this moment.
Map your concentration risk before an adversary does. See how Black Kite works.