Beyond Glasswing: From Managing to Promoting Access
Quarantine buys time, but it isn’t a cure. The most critical steps in the Covid-19 pandemic response came after lockdowns bought breathing room: fine-tuning vaccines, mass-producing them, and distributing them before the clock ran out. Cyber defense is in the same race. Frontier AI can already find vulnerabilities faster than humans can patch them, and the response so far—highly capable models granted to a trusted few—is a kind of quarantine that buys cyber defenders a head start.
But a head start means nothing if squandered. Just as Operation Warp Speed defined the U.S. pandemic response, cyber defense needs a bold push to make the best of this critical window: triaging defenders, translating models into deployable tools, and distributing those tools at scale.
This April, Anthropic launched Project Glasswing—a partnership giving their most cyber-capable model, Mythos, to a small group of organizations. In a May 2025 report, we described the idea of creating a “rapid response force of keystone defenders,” through “small, trusted coalitions” between frontier AI developers and actors such as Apple, CrowdStrike, and the Linux Foundation—all actual Project Glasswing partners—“to focus on the use of AI to accelerate software testing and patching.” Like Project Glasswing, the goal would be to let organizations at the heart of the modern software supply chain use AI to find and fix vulnerabilities in their own code, getting a head start on attackers.
Anthropic is not the only frontier developer thinking about how model access can shape the defensive landscape. OpenAI has expanded its own trusted access program to give qualifying defenders tiered access to its enhanced GPT-5.4-Cyber and published an action plan framing its approach as “controlled acceleration.” Anthropic has restricted access to a small cohort, while OpenAI argues for broader distribution with graduated safeguards. Yet neither approach offers a concrete strategy for turning model access into defensive capacity for the organizations that need it most.
In our 2025 report, we also coined the term “differential access,” defining it as a strategy to tilt the cybersecurity balance toward defense by shaping access to advanced AI-powered cyber capabilities. What we wanted to capture was something broader than who gets early or tiered access to a model. The term refers to the differential between attackers and defenders, and the question it poses is simple: How can society maximize that gap? Doing so requires not only managing access to keep dangerous capabilities from attackers but also promoting access to defensive AI capabilities to defenders.
Promoting access to these capabilities is not passive. Instead, it requires concerted work across public and private sectors alike. This includes triaging which defenders need help first, prioritizing capabilities that favor defense, and resourcing defenders with complementary investments—talent, funding, and institutional capacity—to let them deliver on the access they have received from developers.
Why Managed Access Is Useful
Current AI models are becoming much better at finding vulnerabilities, potentially faster than the rest of the software ecosystem can fix them. The end result could be what some have termed the “vulnpocalypse”: a world in which AI-enabled discovery outruns the human capacity to patch the very problems AI identifies.
To understand why this matters, and what to do about it, think back to the pandemic analogy at the beginning of this piece. Covid-19 did not overwhelm hospitals because infections were untreatable; it overwhelmed them because cases arrived faster than the system could absorb. The vulnpocalypse threatens something similar: not a single catastrophic cyber incident, but a flood that exceeds the capacity of human developers to triage, test, and deploy fixes.
Patching software, after all, is not frictionless. Developers must meticulously test for conflicts; otherwise, patches can break production systems—in 2024, for example, an errant CrowdStrike update took down what felt like half the world’s airports. Downstream system administrators must do the same while also balancing uptime for their users. For now, frontier AI seems much better at removing friction from vulnerability discovery than patch development.
Against this backdrop, managed access can buy valuable time. It gives defenders a head start on the flood of newly discovered vulnerabilities, and allows them to triage, fix, and distribute patches before the same capability diffuses to attackers. This is analogous to what some researchers have called an adaptation buffer: a period that society can use to build resilience, in the gap between when a dual-use capability is first demonstrated and when it becomes widely available.
Such adaptation buffers come with a price. They can delay frontier models from reaching the market, which thus slows down the broader distribution of positive benefits, including life-changing and lifesaving innovations. Managed access also reduces transparency, which makes it difficult to verify AI developers’ claims, such as whether Anthropic’s Mythos truly is a “game-changing” innovation. What’s more, it draws a sharp line between the AI haves and have-nots. Which AI capabilities truly warrant managed access is something that society will need to decide collectively.
Nonetheless, adaptation buffers and managed access will become increasingly relevant as capabilities advance in other domains. Frontier developers’ safety frameworks already track capability thresholds not just in cyber, but in other areas such as bio, persuasion, and AI research and development acceleration. Despite differences in speed and timing, the underlying dynamics around adaptation are likely to be similar. The risk is rarely that a single capability leads to catastrophe; it is that rapid change overwhelms the current system, outrunning the rate at which existing institutions can adapt. Cyber may be the first domain where new capabilities are forcing us to think about adaptation buffers, but it is unlikely to be the last.
Building Societal Resilience: Adaptation Buffers Are Not Enough
Adaptation buffers have their limits. They help buy time but do not imply a strategy for using that time well. Or to stretch the Covid-19 metaphor further: Lockdowns are a way to buy time and stave off the worst. But they’re effective only if paired with a viable exit strategy.
A core part of that is creating a “vaccine,” or in this case developing AI-enabled tools—such as for patching, triage, and asset inventory—that help defenders keep up with AI-enabled vulnerability discovery. But fixing software globally in a time crunch is not an easy task. There needs to be a wider supply chain effort to distribute cyber defense tools, especially to under-resourced defenders.
Do not assume any of this will happen by default. To understand what a buffer without adaptation might look like, look to China’s own Covid-19 experience. After an initial, traumatic period of lockdowns, China stamped out the coronavirus successfully within its own borders, and Chinese citizens were free to travel internally for the next two years. But this buffer was hiding a problem rather than solving it. Because Chinese vaccines were less potent than their Western mRNA counterparts, and take-up was low among the vulnerable elderly population, the end of China’s “zero Covid” policy led to a devastating wave of deaths.
Without a serious effort to build defensive capacity, frontier AI access restrictions could leave defenders dangerously unprepared in the same way. Even if all frontier AI developers agreed to restrict access to frontier models, the general cyber threat would continue to evolve. Open-weight models would improve further, with past trends suggesting they lag the frontier by about eight months. And other adversarial nation-states, such as China, could develop their own frontier cyber capabilities, or perhaps steal them through processes such as adversarial distillation, which is profoundly difficult to stop.
The implication is that society cannot rely on the buffer alone. The time it buys must be used to actively promote access and build defensive capacity. There are three requirements for doing this effectively.
First, promoting access requires meticulous triage. Adaptation buffers do not last forever. Just as the Covid-19 pandemic needed us to vaccinate the most vulnerable members of society, the vulnpocalypse will require us to do something similar. One way to triage is by focusing on reach. Managed security service providers, cloud providers, and content delivery providers already serve large customer bases. Augmenting their existing tools with frontier AI capabilities could allow many organizations to accrue benefits more quickly. Another triage approach is to focus on consequences. Prioritizing lifeline infrastructure operators and parts of the defense industrial base concentrates scarce defensive capacity where compromise would do the most damage.
Second, promoting access requires a focus on defense-favored capabilities. This means not just a narrow focus on vulnerability discovery. There is a range of possible tools that could cover automated patching and vulnerability triage, asset inventory and configuration management, security operations center workflows such as alert correlation and threat hunting, and automated incident response. Frontier AI systems have jagged capabilities, but developers may be able to shape this intentionally. For example, AI developers could train their products on datasets for these defense-favored cyber capabilities. Downstream research and development will also be important, such as by developing scaffolding or tooling that supports these defensive applications.
Third, promoting access requires attention to the complements of model access, meaning talent, funding, or institutional capacity. A regulated hospital or utility needs the capacity to supervise a new tool and integrate it without disrupting operations—an internal “trust layer,” composed of tacit knowledge and tooling, that does not appear overnight. It is rare that one can drop a new capability into an organization, especially a highly regulated one, and expect it to be used instantly.
A Playbook for Cyber Defense at Warp Speed
Meaningfully promoting access requires more than providing access to cyber-capable models and API credits. It should look more like Operation Warp Speed, but for cyber defense: a concerted, government-backed effort to triage the most exposed defenders, translate frontier capabilities into tools they can deploy, and distribute those tools at scale. Done well, this would position defenders not only to weather the vulnpocalypse but also to adapt to future capability jumps as AI starts to reliably automate other stages of the cyber kill chain.
Such coordination is needed because many important organizations lack the resources to turn model access into defensive capacity. Project Glasswing’s launch partners sit at the leading edge of the software ecosystem, but many critical defenders—hospitals, utilities, port authorities—sit at the other edge. Such “trailing-edge organizations” often hold sensitive data or operate critical systems, but chronically underinvest in security. They must compete for limited cybersecurity talent with better-funded actors, like the financial sector, while grappling with corporate inertia, legacy systems, and complex operational constraints. Historically, with human attackers scarce, an approach of “security through obscurity” has let trailing-edge organizations exist in a tenable equilibrium, but as AI drives down the cost of cyberattacks, that equilibrium could shift rapidly.
Markets, on their own, may be slow to support trailing-edge organizations in adapting to the new equilibrium. Security vendors have few incentives to proactively build products for this small, fragmented customer segment, and frontier AI developers lack the capacity or know-how to close their defensive gaps. Talent flows are also sticky—even if critical defenders hike pay for cybersecurity hires, training skilled talent could take years. This means that governments play a critical role in coordinating and marshaling resources, working hand-in-hand with the private sector to accelerate this shift.
In an Operation Warp Speed for cyber defense, the first priority is triage: identifying which defenders need help first. Adaptation buffers do not last forever, and it is impossible to harden everything at once. Triage should consider two dimensions: which sectors matter most, and which shared dependencies cut across them.
Identifying specific sectors or entities to protect demands more granular analysis than the sprawling definition of “critical infrastructure,” which includes commercial facilities such as shopping malls. The civilian priority should be lifeline infrastructure—such as energy, water, transport, and communication systems—whose disruption imposes immediate, widespread harm. The Cybersecurity and Infrastructure Security Agency’s National Critical Functions framework is a useful starting point to narrow the focus to vital functions (such as “supply water” and “transmit electricity”) whose disruption could cause debilitating, cascading failures. On the defense side, nuclear command, control, and communications (NC3) systems stand out as a foremost priority. But military planners should also be mindful that “outside-the-fence” civilian infrastructure—such as ports—could be vital for the military’s ability to project and sustain forces, as a 2024 Defense Science Board task force concluded. Across critical sectors and entities, policymakers should consider not just the impact of losing certain services, but how long they would take to recover: Grid infrastructure that is well protected by fail-safes may be recoverable in hours, but a damaged bridge, rail line, or water plant could take days to restore.
Some of the most consequential nodes are shared software and hardware dependencies that cut across many sectors, meaning that policymakers must prioritize keystone actors in the digital supply chain as well. Open-source software is an obvious case: The recent LiteLLM supply-chain compromise—in which attackers slipped malicious code into a widely used Python package to harvest credentials from anyone who installed it—exemplifies how a single Python package sitting beneath many major AI agent frameworks can become a systemic vulnerability. Proprietary cybersecurity products are another increasingly dangerous case. These devices and applications often sit at trust boundaries with broad network access, making them attractive entry points for attackers. Mandiant has reported that the four most commonly exploited vulnerabilities of 2024 were all in networking edge devices; Volt Typhoon, for instance, used flaws in Fortinet, Ivanti, and Cisco appliances to gain initial access to a broad swathe of critical networks. Particularly as defenders adopt AI-enabled cyber defense tools more widely, they must be careful not to introduce new vulnerabilities themselves.
And if triage capacity allows, hardware may be the next priority for early attention: Vulnerabilities at this layer are rare, but when they emerge—as with Spectre and Meltdown—the affected hardware can remain in service for decades, and giving defenders a head start on workarounds is much easier than retrofitting fixes after exploitation begins.
From Access to Capability
The second priority is translation: turning frontier capabilities into tools defenders can actually deploy, rather than just granting them access to models. A cyber-capable model needs to be refined into something that works within the operational reality of a water utility or hospital network: scaffolded for specific workflows, adapted to operational constraints, and validated against real-world conditions. Medicine faced the same kind of problem and built a discipline around solving it: Translational research bridges the gap between laboratory breakthroughs and clinical practice. A similar gap separates what frontier models can do from what real defenders need. And crossing it demands the same process of sustained partnerships between actors who understand the problem from different angles and staged validation before deployment in environments where failure carries real consequences.
This means coordinating partnerships with frontier AI developers, security vendors and startups, critical infrastructure operators, and institutions such as the national laboratories. The process might start with national labs providing digital twins of the control systems that run physical infrastructure, where defensive tools can be evaluated without risking production systems. From there, tools could be refined through iterative feedback from operators who know what their environments actually require, with frontier developers supplying the model access and compute to power successive rounds of improvement. Trust in AI-enabled defensive automation should be earned gradually, with defenders retaining oversight over critical decisions until reliability is demonstrated under real-world conditions.
Governments can catalyze this work in two ways. The first is by funding it directly. For example, ARPA-H’s UPGRADE program is investing more than $40 million to build automated vulnerability detection and patching tools specifically for hospital environments. This effort brings together equipment manufacturers, cybersecurity experts, and hospital information technology staff, with one team building hospital-scale digital twins for testing. A similar model, drawing on state-of-the-art frontier systems, could work for other sectors such as water utilities, port authorities, and grid operators. The second way is through procurement. By committing to purchase and adopt tools that meet defined performance thresholds for its own networks, governments can create a demand signal in a market that does not yet exist, pulling capital and talent into tackling the problem of translation.
The Last Mile
The third priority for an Operation Warp Speed for cyber defense is distribution: getting these tools to defenders who can actually use them. Even with triage and translation in place, many trailing-edge organizations will lack the capacity to integrate new tools into their environments. But closing this last-mile gap is its own challenge. Policymakers should consider funding forward-deployed engineering teams modeled on what Palantir has done with its defense and intelligence customers—embedding engineers who bring in AI expertise directly with operators, rather than expecting them to figure out integration alone. More ambitiously—as GovAI’s Kamile Lukosiute has posited—governments and industry could work together to create national programs in this spirit, drawing on the public service tradition of the United States’ AmeriCorps, to train and steer integration talent toward under-resourced defenders, rather than leaving them to compete for engineers they cannot afford.
This exercise cannot stop at national borders. Anthropic’s initial Project Glasswing cohort is heavily weighted toward large U.S. firms, but the systemically important nodes of global digital infrastructure do not sit exclusively within the United States. OpenAI’s recently published action plan acknowledges this, proposing to extend its Trusted Access for Cyber program to allied democratic partners over time. This instinct is right—but extending access to allied defenders means more than just providing model access and API credits. It means the translation infrastructure and forward-deployed talent that turn access into deployed capability.
To provide funding at the scale needed to meet this moment, the financial sector could be a powerful ally. Institutional investors, pension funds, and banks stand to lose if the open-source ecosystem—which underpins their software—is undermined, and markets will falter if societal infrastructure is disrupted. Mythos has already sent a ripple of unease through the financial sector, with the U.S. Treasury urging major banks to test their systems before the model’s public release. With global cybercrime damages already costing hundreds of billions of dollars, even modest AI-driven increases would dwarf the cost of such a program many times over.
Steering the Frontier
Together, these mechanisms—triage, translation, and distribution—describe what an Operation Warp Speed for cyber defense would actually require: not just access to capable models, but the institutional scaffolding to turn that access into deployed capability, at home and among allies.
Managed access can complement a promote-access agenda, but it is not a substitute for one. Even as a lively debate unfolds around who should get access to cutting-edge frontier AI capabilities, and when, that debate should not obscure the need to thoughtfully accelerate the adoption of defensive capabilities. Society should not be complacent that adaptation buffers will ensure safety, nor assume that the natural diffusion of frontier AI will produce an adequate societal immune response.
William Gibson once observed that “the future is already here, it’s just not very evenly distributed.” The key task, in this critical window, is to distribute it to defenders first.
Shaun Ee is a consultant on AI policy and cybersecurity. He previously was a senior researcher with the Institute for AI Policy and Strategy’s Frontier Security team. At IAPS, Shaun investigated AI’s impact on the cybersecurity landscape, including work done with the UK AI Security Institute, and led the expansion of IAPS’s policy outreach efforts in the U.S.
Shaun also coordinated cyber policy for Singapore’s government in the Smart Nation agency under the Prime Minister’s Office, and served as assistant director of the Atlantic Council’s Cyber Statecraft Initiative in DC. He has also published with RAND, Brookings Institution, and the Federation of American Scientists. Shaun holds an MA from Peking University’s Yenching Academy and a BA from Washington University in St. Louis.
Jam Kraprayoon is a senior researcher with the Frontier Security team at the Institute for AI Policy and Strategy, where he focuses on AI agent governance and the intersection of advanced cyber-capabilities and autonomy. His research has been featured in Foreign Affairs, Foreign Policy, and Just Security. He is also an advisor for the Vista Institute for AI Policy.
Previously, he was a Fellow with the Federation of American Scientists, a manager at the Effective Institutions Project, and a program officer at the Asian Productivity Organization. He holds an MPhil in Politics from the University of Oxford and a BSc in Government from the London School of Economics.
