
eSentire in the Age of AI-Driven Threats

How Project Glasswing Changes the Threat Landscape, and What It Means for You

Mark Gillett

April 16, 2026


Last month, Anthropic disclosed that its Claude Mythos model had autonomously discovered thousands of zero-day vulnerabilities across every major operating system and web browser, many of which had gone undetected for one to two decades. Not a red team, or a nation-state. It is a frontier AI model, running at machine speed.

This is Project Glasswing, a defensive initiative backed by up to $100 million in Anthropic usage credits, deploying Mythos to scan the software infrastructure that modern enterprise runs on: Microsoft, Cisco, Apple, Palo Alto, CrowdStrike, and Google. The named launch partners are platform and infrastructure vendors whose code is being scanned, so vulnerabilities get patched before attackers can exploit them. That is genuinely good news.

The hard truth is the consequence: if a frontier AI model can find and chain complex zero-day exploits at this scale, so can the attacker. The window between vulnerability discovery and weaponization, once measured in months, is now measured in hours and minutes. Periodic pen tests, quarterly scans, and detect-monitor-alert-respond models built for human attacker speed do not close that gap.

The Defender’s Dilemma is Compounding

Attackers have always chosen when and where to strike. AI supercharges that asymmetry. Autonomous agents can now identify exploitable vulnerabilities at scale, chain multi-stage exploits, reverse-engineer patches to find bypass vectors, and launch coordinated attacks before your team reads the advisory.

The CSA–SANS briefing said it plainly: organizations need to introduce AI agents across their security operations and fundamentally re-evaluate their risk tolerance for shorter attacker timelines. The question is not whether that assessment is correct. The question is whether your security program is built for it.

How eSentire Is Meeting the Moment

eSentire is not a Glasswing launch partner. We are not scanning software codebases for vulnerabilities; that is the role of the platform vendors in the coalition. Our role is what happens after the vulnerability exists: when it is in your environment, when an attacker finds it, when the clock starts. That is where eSentire operates.

Lead with Offensive Testing

eSentire’s operating model includes penetration testing that can persistently probe your environment for exploitable threat vectors. This is a recommended way to incorporate a living, breathing offensive simulation that extends existing vulnerability management and feeds directly into two outcomes: new or refined detection rules, so Atlas knows what exploitation of that gap actually looks like in your environment and can detect when that gap is hit, and prioritized remediation guidance based on confirmed exploitability rather than generic CVSS scores. Attack-informed detections monitor the gaps while patching programs catch up, or better yet, integrate into orchestrated or autonomous remediation.

When Glasswing accelerates the volume of vulnerability disclosures, this is the model that absorbs it.

AI-Led Detection and Investigation

eSentire’s detection and investigation pipeline is AI-led by design. Atlas AI operatives triage, correlate, and investigate alerts at machine speed by performing autonomous investigations 43x deeper than traditional approaches, with 95% alignment to senior, tier 3 analyst decision-making. For well-understood threat patterns, investigation and response execute autonomously. No ticket queue, shift handoff or lag. The system continuously evolves to understand new patterns as the threat landscape shifts and eSentire’s Threat Response Unit (TRU) drives detection engineering and identifies leading indicators of compromise.

Controlled Autonomy

Not every threat can or should be handled autonomously. Where investigations are ambiguous, inconclusive, or carry a blast radius that demands human judgment, Atlas escalates, calibrated by severity, your operational preferences, and confidence thresholds you define. AI agents on the front line, expert humans managing complexity, with the balance configurable as the threat landscape and AI investigation capability evolve. Using this model, eSentire achieves 99.99% threat containment at the initial host.

The TRU Advantage: Defense at Scale

When NetScaler CVE-2026-3055 emerged, eSentire identified exploitation attempts across customer environments six days before industry-standard network detection rules were published. Our Threat Response Unit (TRU) correlated 28+ attacker IPs and pushed protections across all customers, blocking the activity before it could progress.

When Glasswing disclosures surface new vulnerabilities in the platforms you rely on, eSentire integrates that intelligence immediately: updated Atlas detection rules, proactive TRU advisories, exploit-informed remediation prioritization, and direct escalation from your named SOC team if a disclosure materially changes your risk profile. No action required from you. 

The Bottom Line

Mythos found thousands of zero-days. Attackers have access to similar AI capabilities. The speed asymmetry that has always favored the attacker just got significantly wider. Security programs built on periodic assessments, reactive patching, and human-speed response are structurally mismatched to what is coming.

eSentire’s operating model (offensive testing, AI-led detection, controlled autonomy, machine-speed response) is built for this environment. The attack surface is getting harder to defend. The question is whether your security program is setting the pace, or if the attacker is.

Frequently Asked Questions

What is Project Glasswing?

Project Glasswing is a defensive cybersecurity initiative funded by Anthropic, deploying its unreleased Claude Mythos Preview model - a frontier AI system that has demonstrated the ability to surpass all but the most skilled humans at finding and exploiting software vulnerabilities. In its initial deployment, Mythos identified thousands of zero-day vulnerabilities, including critical flaws in every major operating system and web browser, many of which had gone undetected for one to two decades. Anthropic has committed up to $100 million in usage credits to support these efforts. The 12 named launch partners are primarily platform and infrastructure vendors - Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks - whose own software products are being scanned. An additional 40+ organizations with critical software infrastructure have been granted extended access.

Does AI-powered vulnerability discovery change the threat landscape?

Yes, meaningfully. AI models capable of discovering zero-day vulnerabilities at scale also compress the attacker’s timeline. When vulnerability discovery accelerates, exploitation follows. The practical implication is that periodic security assessments and reactive response models become increasingly inadequate as the gap between “vulnerability exists” and “vulnerability is exploited” shrinks from weeks to days or hours. eSentire addresses this shift through continuous offensive testing, AI-led autonomous investigation (43x deeper, 95% alignment to senior analyst decision-making), and multi-signal detection spanning endpoint, network, identity, cloud, email, browser, and logs. Full realization of an attack usually requires more than a single vulnerability or exploit; multi-signal coverage ensures detection across multiple surfaces.

How is eSentire monitoring Glasswing developments?

eSentire’s Threat Response Unit (TRU) is actively tracking all vulnerability disclosures emerging from Glasswing and related AI-driven discovery efforts. When Glasswing partners disclose and patch vulnerabilities in platforms our customers use, TRU incorporates those findings into detection logic, threat hunting operations, and Atlas AI operative behavior immediately. eSentire’s role is different: we are the operational layer that detects and responds to the exploitation of vulnerabilities, including those that Glasswing and similar AI-driven efforts surface across your environment. The NetScaler CVE-2026-3055 response, where eSentire detected active exploitation six days before industry-wide advisories, is a concrete example of this model in action.

What should I expect from eSentire as Glasswing disclosures continue?

As Glasswing-discovered vulnerabilities are disclosed and patched by the affected vendors, you should expect: immediate integration of new vulnerability intelligence into Atlas detection rules and TRU threat hunting operations; proactive TRU advisories when disclosures are relevant to your specific technology stack; exploit-informed remediation prioritization so your team focuses on what is actually exploitable; and ongoing monitoring for exploitation attempts across all signal sources. If a disclosure materially changes the risk profile for platforms you rely on, your named eSentire SOC team will escalate directly with specific containment recommendations. No action is required to activate these protections — they are part of the continuous operating model already in place.

To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.


ABOUT THE AUTHOR

Mark Gillett VP, Product

Mark Gillett is Vice President, Product Management at eSentire. He has nearly 25 years of experience in the cybersecurity industry, driving the evolution of detection, investigation, and response from the early days of SIEM to modern-day Managed Detection and Response (MDR) and Extended Detection and Response (XDR). In his current leadership role at eSentire, Mark leads the product management function for the company's core MDR services, with a specific focus on in-house developed technologies that assist in delivering those services to customers. Mark holds a Bachelor of Science degree from Laurier University in Waterloo, Canada.
