AI-driven defensive security exists at production scale. The deployment gap is the structural risk — and as of May 11, the offensive cascade is no longer theoretical.

By Thorsten Meyer — May 2026 · Software Security · Part 3

The previous two pieces on Copy Fail and the disclosure collapse documented the offensive side of the AI-driven security cascade: vulnerability discovery has collapsed from $500K-$7M broker-market pricing to an hour of inference compute, the 90-day disclosure window has dissolved into a commit-monitoring race, and the most consequential breaches of 2026 (Vercel, Canvas, the broader supply-chain wave) are happening at the trust-boundary layer where defensive infrastructure is least mature.

This piece is about the other side of that capability cascade — and why “symmetric capability” doesn’t produce “symmetric outcomes” on the timelines that matter.

The defensive capability genuinely exists. Anthropic’s Project Glasswing has 12 launch partners (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, plus Anthropic itself) using Claude Mythos Preview defensively, with $100M in usage credits committed plus $4M in donations to open-source security. Google has Big Sleep (DeepMind + Project Zero, already credited with preventing the first AI-driven zero-day exploit in the wild) and CodeMender (72 upstreamed open-source security fixes in six months, including patches to projects with 4.5M+ lines of code). Microsoft Security Copilot is now bundled with Microsoft 365 E5, putting AI-driven SOC capability into the default deployment of an enterprise stack used by hundreds of thousands of organizations. GitHub Copilot Autofix is enabled by default on every repository using CodeQL — open-source projects get it free, and it’s resolved over 460,000 alerts in 2025 at a median 28-minute fix time versus 1.29 hours without.

This is genuine defensive capability at production scale. It is not a research demo. It is shipped, billed, integrated into the development pipeline of substantial portions of the global software stack.

The structural problem is not capability. It is deployment. The same capability that exists in Project Glasswing partner organizations and Microsoft 365 E5 tenants does not yet exist in the vast majority of enterprises that need it. The same Copilot Autofix that closes vulnerabilities in 28 minutes on enabled repositories is disabled on the majority of enterprise codebases. Defensive deployment is lagging offensive deployment by 12-24 months — and that gap is the entire game.

And as of yesterday — May 11, 2026 — the offensive deployment is no longer theoretical. Google Threat Intelligence Group disclosed the first confirmed real-world use of an AI-built zero-day exploit by a criminal threat actor. A 2FA bypass in an open-source web-based system administration tool, planned for a mass exploitation campaign. GTIG caught it before deployment. Next time they might not.

This piece is the read on what the defender’s capability actually looks like at production scale, why the deployment gap is the structural risk rather than capability, the three asymmetric advantages defenders genuinely have, the May 11 GTIG disclosure as catalyst for what comes next, and what enterprise security leaders need to operationalize in the 12-24 month window where the gap is still closeable.

The headline finding: the defender’s window is open. The defensive cascade exists. But the deployment gap is wider than capability advocates acknowledge — and the offensive cascade just crossed the operational threshold. The next 12 months are determined by deployment, not by capability.

The Defender’s Counter-Cascade.

AI-driven defense exists at production scale. The deployment gap is the structural risk — and the offensive cascade just crossed the operational threshold.

Project Glasswing · Big Sleep + CodeMender · Copilot Autofix · Security Copilot bundled in M365 E5. The defensive cascade is real and shipping. The capability exists at the most critical layer of the global software stack. But deployment lags capability by 12-24 months. And as of May 11, GTIG confirmed the first AI-built zero-day in a planned mass exploitation campaign. The clock is now running differently.

▲ The catalyst
May 11, 2026
GTIG confirms first AI-built zero-day in the wild.
2FA bypass in popular open-source web-based system administration tool. Semantic logic flaw · hardcoded trust assumption · Python script with characteristic LLM markers (hallucinated CVSS score, textbook Pythonic formatting, educational docstrings). Not Gemini. Not Mythos. Planned for mass exploitation campaign by prominent cybercrime group. GTIG caught it before deployment. Next time they might not.
  • $100M · Project Glasswing usage credits · Anthropic commitment · 12 launch partners + ~40 critical-infra orgs · April 8
  • 460K · Copilot Autofix alerts resolved · 2025 · 28-min median fix · 2x speedup vs without
  • 72 fixes · CodeMender · OSS upstreamed in 6 months · some at 4.5M+ LOC scale · libwebp -fbounds-safety
  • 73% · Enterprises discover critical risks AFTER deploying · Security Copilot research · the deployment-gap signal
The defensive cascade · what actually ships in May 2026

The capability exists. It is shipping. At production scale.

Project Glasswing’s 12 launch partners. Google’s 18-month operational stack. GitHub’s open-source default. Microsoft’s M365 E5 bundle. This is not a research demo. It is operational infrastructure at the most critical layer of the global software stack.

Four production-deployed defensive stacks · May 2026
The defensive cascade is real. The capability gap from a year ago has closed. The deployment gap remains the binding constraint.
▲ ANTHROPIC · GLASSWING
Project Glasswing · $100M defensive deployment
  • 12 launch partners + ~40 critical-infrastructure orgs
  • Mythos Preview deployed defensively at $25/$125 per M tokens
  • Claude API · Bedrock · Vertex AI · Microsoft Foundry
  • $4M OSS security donations · Alpha-Omega + Apache
  • 90-day public report lands early July 2026
▲ GOOGLE · DEEPMIND + ZERO
Big Sleep + CodeMender
  • Big Sleep: 18 months operational · zero false positives
  • Nov 2024 first finding · Jul 2025 first prevention of imminent exploit
  • CodeMender: Gemini Deep Think + multi-agent scaffolding
  • 72 fixes upstreamed to OSS in 6 months · some 4.5M+ LOC
  • Deployed -fbounds-safety to libwebp
▲ GITHUB · COPILOT AUTOFIX
Copilot Autofix · the OSS default
  • Enabled by default · every CodeQL repo
  • Free for public repositories · $30/committer for private
  • 460K+ alerts resolved · 28-min median fix · 2x speedup
  • Backend: GPT-5.3-Codex (OpenAI)
  • Q2 2026: hybrid AI scanning beyond CodeQL
▲ MICROSOFT · SECURITY COPILOT
Security Copilot · bundled in M365 E5
  • Bundled in M365 E5 · early 2026 default deployment
  • Defender XDR · Sentinel · Intune · Entra · Purview
  • 30+ MS agents + 50+ partner agents in Store
  • Agent 365 GA May 1 · M365 E7 Frontier Suite $99/user
  • Phishing Triage · MITRE ATT&CK Coverage · Initial Triage

This is not exhaustive. Snyk DeepCode AI · CodeRabbit · Cursor · SonarQube+AI · Arctic Wolf Aurora · Wiz red/green/blue · Atheris · ParticleFuzz · DARPA AIxCC. The defensive capability layer is broad, well-funded, and shipping at production scale.

The deployment gap · three compounding dimensions

“Available” is not “deployed.”

The structural problem is not capability. It is deployment. The deployment gap operates at three levels simultaneously — and each compounds the others.

Three compounding gaps · why capability ≠ deployment
Each gap reinforces the others. Organizations that lack maturity also lack governance. Organizations that lack governance also lack budget.
01 · Maturity gap · Organizational readiness
Most enterprises cannot deploy AI-driven defensive tooling effectively. The tool surfaces problems faster than the organization can remediate them, so the organization disables it, ignores it, or accumulates backlog. The capability requires organizational maturity most enterprises don’t have.
02 · Governance gap · Process & SLA design
A 30-day patch SLA doesn’t work under AI-driven CVE volume. Patch evaluation, change management, regression testing, and deployment automation all need redesign. Most enterprises run AI-driven tooling in legacy governance designed for human-paced threats.
03 · Cost gap · Access & price points
Glasswing restricted to ~52 organizations. M365 E5 $57.50/user/mo. M365 E7 $99/user/mo. GHAS $30/committer. Enterprise platforms $100K-$1M+. Geographic concentration: 11 of 12 Glasswing partners US-based.
73% of enterprises discover critical data exposure risks AFTER deploying Microsoft Security Copilot. The empirical signature of the maturity gap. The capability surfaces problems; the organization lacks capacity to remediate the volume.
Three defender advantages · asymmetries that favor defense

Defenders have three real advantages. They require investment.

The deployment gap is real. But it is not the complete picture. Defenders have three asymmetric advantages that, if leveraged, compensate. Each requires deliberate organizational investment in the substrate that makes the capability effective.

Three defender advantages · the asymmetric substrate
Source code access · telemetry & validation · coordination. The capability is symmetric; the substrate isn’t.
01 · Source code access
Defenders have their own code. Attackers don’t.
AI-driven discovery with source access produces materially better results than against compiled binaries. The advantage compounds across iterations. Defenders running internal AI-driven discovery build a defensive moat attackers cannot easily replicate.
Requires: codebase integration
02 · Telemetry + validation
Defenders have operational telemetry. Attackers don’t.
Production logs, runtime data, incident history — the substrate that distinguishes signal from noise. Validation is the binding constraint on AI-driven defense. Big Sleep + CodeMender are built around this; defenders without telemetry cannot replicate it.
Requires: observability investment
03 · Ecosystem coordination
Defenders coordinate. Attackers can’t.
AWS shares findings with Apple. Linux Foundation distributes patches across OSS ecosystem. ISACs/ISAOs aggregate threat intelligence. $100M Glasswing seed for coordination across the partner consortium. Defensive capability scales through coordination; offensive does not.
Requires: consortium participation

The three advantages are real and substantial. But they require investment to leverage. Organizations that invest in source-code accessibility, observability, and coordination participation are positioned to leverage the cascade. Organizations that invest only in tooling acquisition produce minimal defensive returns.

Operational deployment ladder · by urgency

Six priorities. Ordered by what gets done first.

The structural arguments above translate into specific operational priorities for CISOs and security teams. The next 12 months determine whether the deployment gap closes or widens. Each enterprise that operationalizes is one fewer contributing to the structural gap.

Six operational priorities · the deployment ladder
Ordered by cost-effectiveness × urgency. Free actions first; substrate investment second; architectural redesign third.
01 · This week · Deploy what’s free first.
GitHub Copilot Autofix on all GitHub-hosted code. Free for public · included in GHAS for private. Audit which repos have Autofix enabled · re-enable where disabled without specific reason. Marginal cost: zero. Marginal cost of not running it: 2x slower resolution.
FREE + GHAS
02 · This month · Audit M365 E5 entitlements.
Security Copilot is included in M365 E5 (bundled early 2026). Most organizations haven’t operationalized the SCUs. You’re paying for it either way. Enable in Defender XDR · Phishing Triage Agent · MITRE ATT&CK Coverage · Initial Triage. No new procurement required.
INCLUDED IN E5
03 · This quarter · Apply for Glasswing partner access if eligible.
Critical infrastructure operators · major OSS maintainers · financial services beyond JPMorgan · healthcare tech · energy sector · defense contractors. Application via Anthropic with Glasswing partner sponsorship if possible. OSS maintainers: Claude for Open Source program — subsidized by $100M budget.
APPLY VIA SPONSOR
04 · 6 mo · Invest in the substrate.
Source code accessibility, telemetry, coordination. Expand AI tooling access boundaries · invest in observability infrastructure · join sector ISACs/ISAOs. The three defender advantages require substrate investment. Tooling alone produces minimal defensive returns.
CAPITAL INVESTMENT
05 · By July · Plan for the volume problem.
Glasswing 90-day report lands early July 2026 → massive patch wave. Target 72-hour deployment for kernel patches · 7-day for major apps · 14-day for everything else. Build automation infrastructure. Most enterprises cannot meet these targets today. Building capability is a 6-12 month project that needs to start now.
PATCH VOLUME
06 · 1 year · Architect for breach assumption.
The defensive cascade reduces volume reaching production. It does not eliminate the volume. Network segmentation · least-privilege · robust logging · IR infrastructure. The framing shift: “prevent breaches” → “detect and contain breaches.” The durable operating model for the AI-driven threat environment.
ARCHITECTURE REDESIGN
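
To make priority 05 measurable, the Python below is an added example (not from the article or any vendor) that scores a patch log against the 72-hour / 7-day / 14-day targets and against the flat 30-day SLA, then lists the patches the legacy SLA still reports as fine. The patch ids, class labels and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Deployment targets from priority 05 of the ladder above.
TARGETS = {
    "kernel": timedelta(hours=72),
    "major_app": timedelta(days=7),
    "other": timedelta(days=14),
}
LEGACY_SLA = timedelta(days=30)  # the flat SLA the article says no longer works

# Constructed sample log (not real data):
# (patch id, class, vendor release time, production deploy time or None if still open)
PATCHES = [
    ("P-001", "kernel",    "2026-07-01T09:00:00", "2026-07-03T18:00:00"),
    ("P-002", "kernel",    "2026-07-01T09:00:00", "2026-07-12T10:00:00"),
    ("P-003", "major_app", "2026-07-02T12:00:00", "2026-07-08T12:00:00"),
    ("P-004", "major_app", "2026-07-02T12:00:00", "2026-07-25T08:00:00"),
    ("P-005", "other",     "2026-07-03T00:00:00", "2026-07-20T00:00:00"),
    ("P-006", "other",     "2026-07-05T00:00:00", None),
]


def status(elapsed, deployed, limit):
    """met = deployed inside the window, breached = window exceeded
    (deployed late or still open), pending = open but still inside the window."""
    if elapsed > limit:
        return "breached"
    return "met" if deployed else "pending"


def evaluate(patches, now):
    """Score every patch against its tiered target and the legacy SLA."""
    rows = []
    for pid, cls, released, deployed in patches:
        start = datetime.fromisoformat(released)
        # An open patch is measured up to `now`: its exposure is still growing.
        end = datetime.fromisoformat(deployed) if deployed else now
        elapsed = end - start
        done = deployed is not None
        rows.append({
            "id": pid,
            "class": cls,
            "elapsed_hours": round(elapsed.total_seconds() / 3600),
            "tiered": status(elapsed, done, TARGETS[cls]),
            "legacy": status(elapsed, done, LEGACY_SLA),
        })
    return rows


def hidden_by_legacy(rows):
    """Patches that breach the tiered target while the 30-day SLA raises no flag."""
    return [r["id"] for r in rows
            if r["tiered"] == "breached" and r["legacy"] != "breached"]


def compliance(rows, key):
    """Share of decided (non-pending) patches that met the given SLA."""
    decided = [r for r in rows if r[key] != "pending"]
    if not decided:
        return None
    return sum(r[key] == "met" for r in decided) / len(decided)


NOW = datetime.fromisoformat("2026-07-30T00:00:00")  # constructed reporting date
ROWS = evaluate(PATCHES, NOW)

if __name__ == "__main__":
    for r in ROWS:
        print(f'{r["id"]} {r["class"]:<9} {r["elapsed_hours"]:>4}h '
              f'tiered={r["tiered"]:<8} legacy={r["legacy"]}')
    print("tiered compliance:", compliance(ROWS, "tiered"))
    print("legacy compliance:", compliance(ROWS, "legacy"))
    print("invisible under 30-day SLA:", hidden_by_legacy(ROWS))
```

On this sample the legacy SLA reports full compliance while only a third of the patches meet the tiered targets, which is the gap the automation work has to close.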

The defensive cascade is real. The deployment gap is the structural risk. The offensive cascade just crossed the operational threshold. The next 12 months determine whether the gap closes or widens.

— Software security · the defender’s counter-cascade · Part 3 · May 2026


I · The defensive cascade · what actually ships in May 2026

Worth establishing what is operationally deployed, because the gap between “available” and “deployed” is the whole argument:

Project Glasswing · Anthropic + 12 critical-infrastructure partners

Launched April 8, 2026. The 12 launch partners are the major surfaces of the global software stack: AWS (400 trillion daily network flows analyzed), Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase (financial sector), Linux Foundation (open-source maintenance), Microsoft, NVIDIA (silicon), Palo Alto Networks (network security). Plus access extended to over 40 additional organizations maintaining critical software infrastructure.

Each partner is deploying Mythos Preview defensively — scanning their first-party codebases and the open-source projects they depend on. Anthropic committed $100M in Mythos usage credits across these partner deployments plus $4M direct donations split between the Linux Foundation’s Alpha-Omega program ($2.5M) and the Apache Software Foundation ($1.5M).

Critically: Mythos Preview is not generally available. It is offered to Glasswing partners at $25/$125 per million input/output tokens, pricing that reflects the capability tier, via Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry. Anthropic has committed to publishing a 90-day public report summarizing what Glasswing has fixed. That report lands in early July 2026 — and will document the first wave of high-volume patch releases across operating systems, browsers, and critical infrastructure software that have been identified and remediated under the program.

The structural significance: this is the largest coordinated defensive-deployment effort in cybersecurity history. The capability is operational at the most critical layer of the global software stack. But access is restricted to the 12 + ~40 = ~52 partner organizations. Everyone else operates without Mythos-class defensive capability.

Google · Big Sleep + CodeMender + the AI-driven defense stack

Google’s defensive AI security stack has been operational longer than any competitor. Big Sleep — developed by Google DeepMind and Google Project Zero, first introduced November 2024 — has been continuously operational for 18 months. Its operational milestones:

  • November 2024: First real-world vulnerability discovered (SQLite stack buffer underflow) — the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software
  • July 2025: Discovered CVE-2025-6965 (critical SQLite vulnerability) that threat actors had planned to exploit — the first AI-driven prevention of imminent exploit in the wild
  • August 2025: 20 vulnerabilities reported across FFmpeg, ImageMagick, and other widely-used codebases
  • March 2026: 47+ vulnerabilities documented in public tracker

The Big Sleep architecture is a three-stage agent: codebase familiarization (the agent “becomes an expert” before attempting exploitation), variant analysis (looking for patterns of known bug categories), and exploit verification (proving the vulnerability is actually exploitable, not theoretical). The verification step produces zero false positives — a substantial improvement over historical fuzzing-based discovery.

CodeMender — introduced March 2026 — is the patching counterpart to Big Sleep. It uses Gemini Deep Think models with multi-agent scaffolding (an LLM-based critique tool for diff analysis, debugger integration, a source code browser, and advanced program analysis tools including static, dynamic, fuzzing, differential testing, and SMT solvers). In six months of development, 72 security fixes were upstreamed to open-source projects, including some at 4.5M+ LOC scale. Recent example: it deployed -fbounds-safety annotations to libwebp (the image compression library used in essentially every web browser and image-processing application worldwide).

The strategic framing comes from Heather Adkins (Google VP of Security) and Four Flynn (Google DeepMind) in their [un]prompted 2026 talk: “We are not far off from a world where there will be an open-source full hacking tool where you can type in ‘go hack Google’ and a week later it does.” The defensive infrastructure exists to anticipate that world. The gap is in deployment, not in capability.

GitHub Copilot Autofix · the open-source defensive tool that scaled

GitHub Copilot Autofix is the most-deployed AI-driven defensive security tool in 2026. Enabled by default on every repository using CodeQL. Available free to all public repositories and to open-source maintainers. Available to enterprise customers with GitHub Code Security ($30/active committer/month following the GHAS unbundling in April 2025).

The operational data is impressive:

  • 460,000+ alerts resolved in 2025 through Autofix suggestions
  • 28-minute median time from alert to fix in pull-request-time scanning
  • 0.66 hours average resolution time with Autofix versus 1.29 hours without — roughly 2x speedup
  • Languages: JavaScript/TypeScript, Java, Python, C#, C/C++, Go, Kotlin, Swift, Ruby, Rust
  • Backend model: GPT-5.3-Codex (OpenAI) per GitHub’s responsible-use documentation
  • Q2 2026 announcement: hybrid AI-based scanning beyond CodeQL static analysis is coming

The Security Campaigns feature (October 2025 public preview) lets organizations group related vulnerabilities, assign Copilot to remediate, and track progress through unified dashboards. The “assign Copilot to fix this alert” workflow is now available via REST API — meaning automated security-debt remediation at the org level is operational.

The structural significance: GitHub Code Security ($30/active committer/month) is positioning Autofix as the default defensive layer for code-hosted-on-GitHub. The free open-source tier means OSS maintainers — who have historically been left without security tooling — get it without cost. This is the largest single democratization of defensive security tooling in history.

Microsoft Security Copilot · the SOC capability bundled into M365 E5

Microsoft Security Copilot is the production-deployed AI-driven SOC capability. Originally launched as a separate product on a “Security Compute Unit” (SCU) consumption-based model. Early 2026 announcement: Security Copilot is now bundled with Microsoft 365 E5 — putting the capability into the default deployment of an enterprise stack used by hundreds of thousands of organizations.

Operational integrations: Microsoft Defender XDR, Sentinel, Intune, Entra, Purview, plus ServiceNow and Jamf integrations. The Microsoft Security Store (launched 2026) hosts 30+ Microsoft-built security agents plus 50+ partner SaaS solutions. Recent example agents from partners include MITRE ATT&CK Coverage Insight Agent and Initial Triage Agent (Inspira Enterprise, May 6, 2026), Phishing Triage Agent, Threat Intelligence Briefing Agent.

Microsoft’s positioning is explicit: “AI is the force multiplier for defenders.” The agents perform bounded tasks — phishing triage, MITRE coverage analysis, incident summary, guided remediation, conditional access optimization — that previously required experienced SOC analysts working at significantly higher cost and slower cadence.

But there’s an important caveat documented by Microsoft’s own research: 73% of enterprises discover critical data exposure risks AFTER deploying Copilot. The capability surfaces problems that already existed; it does not fix weak foundations. Security Copilot rewards well-governed tenants and penalizes neglected ones. Most enterprises are not well-governed tenants. The deployment readiness gap is substantial.

Microsoft’s RSAC 2026 announcement (March 23-27) further extended the stack with Agent 365 — the enterprise control plane for AI agents, generally available May 1, 2026, bundled in the new Microsoft 365 E7 “Frontier Suite” tier at $99/user/month with Copilot Cowork. Agent 365 includes shadow AI discovery (covering OpenClaw, GitHub Copilot CLI, Claude Code, and other widely-used agents), network-level prompt injection blocking, and 15+ new Security Copilot partner agents.

The aggregate

These four examples are not exhaustive. Snyk DeepCode AI, CodeRabbit ($12/user/month), Cursor’s security features, SonarQube + AI integrations, JFrog SAST, Black Duck Polaris (powered by Coverity), Arctic Wolf Aurora Superintelligence Platform (“the world’s largest commercial agentic SOC” announced RSAC 2026), Wiz’s red/green/blue agents framework (Shift Right / Shift Left / Detect-Respond), Google Cloud Model Armor (LLM firewall), DARPA AIxCC final-round technologies, OpenAI GPT-5.4-Cyber (parallel to Mythos), open-source projects like Atheris and ParticleFuzz with LLM-augmented modes — the defensive capability layer is broad, well-funded, and shipping at production scale.

The capability exists. The genuine question is not whether defenders have AI-driven security capability available. It is whether the capability gets deployed in the organizations that need it on a timeline that matters.


II · The deployment gap · why “available” is not “deployed”

The deployment gap operates at three levels simultaneously, and each compounds the others.

Organizational maturity gap

Most enterprises are not equipped to deploy AI-driven defensive security tooling effectively. The Microsoft Security Copilot research finding — 73% of enterprises discover critical data exposure risks after deployment — is not a Microsoft problem. It is the empirical signature of enterprises whose security posture was deficient enough that they had no visibility into their own exposure.

The pattern: enterprise deploys AI-driven security tool → tool surfaces problems → enterprise discovers they have far more vulnerabilities than they thought → enterprise lacks the capacity to remediate the volume surfaced → enterprise either disables the tool, ignores its outputs, or accumulates a remediation backlog that grows faster than capacity to address it.

This is not a hypothetical concern. It is the operational reality documented across multiple vendor studies. The capability surfaces problems faster than the organization can fix them. Deployment requires organizational maturity that most enterprises do not have.

Governance and process gap

The 30-day patch SLA that worked under historical CVE volume does not work under AI-driven CVE volume. But changing the SLA requires changing the underlying governance — patch evaluation processes, change management approval cycles, regression testing infrastructure, deployment automation. None of these change overnight.

Arctic Wolf’s framing from RSAC 2026 captures it: “AI alone produces volume. Humans alone cannot keep pace. When they’re paired together, they produce trustworthy outcomes.” The integration of AI-driven discovery with human-in-the-loop validation requires substantial process redesign. Most enterprises have not undertaken that redesign. They are running AI-driven security tooling in legacy governance frameworks designed for human-paced threats. The mismatch is structural.

The OAuth governance gap from Part 2 is the same pattern applied differently. Most enterprises have no inventory of OAuth permissions granted by employees to third-party SaaS applications. Implementing OAuth governance requires the inventory, the policies, the monitoring infrastructure, and the human capacity to maintain them — none of which AI-driven tooling provides on its own.

Cost and accessibility gap

The defensive capability exists at price points that exclude most organizations:

  • Project Glasswing access: restricted to 12 + ~40 partner organizations. Mythos Preview is not commercially available to the general market
  • Microsoft 365 E5: $57.50/user/month (commercial), required for default Security Copilot inclusion
  • Microsoft 365 E7 (Frontier Suite): $99/user/month with Cowork — adds Agent 365 capabilities
  • GitHub Code Security: $30/active committer/month
  • Enterprise AI-augmented platforms (Snyk, SonarQube, JFrog, etc.): typically $20-50/developer/month for AI-augmented tiers
  • Arctic Wolf Aurora and similar managed offerings: enterprise pricing in the $100K-$1M+ annual range depending on environment scale

Open-source maintainers and small organizations can access GitHub Copilot Autofix free for public repositories. That is the single accessible defensive AI security tool for non-enterprise users, and it is meaningful — but it does not cover the breadth of capability available to Glasswing partners.

The geographic distribution of defensive capability is heavily concentrated. Of the 12 Glasswing partners, 11 are US-based (Linux Foundation is the exception). The cloud providers, the silicon vendors, the major SaaS infrastructure — all American. The defensive AI security capability is concentrated where the capital and the frontier AI labs are. For organizations in regions without ready access to these capabilities, the deployment gap is essentially permanent at current pricing and access models.

The compound effect

The three gaps compound. Organizations that lack maturity also lack governance capacity. Organizations that lack governance capacity also lack budget. Organizations that lack budget cannot afford the capability. The cycle reinforces itself. Meanwhile, the offensive side has no such cycle — once vulnerability discovery capability exists at a frontier lab, the marginal cost of using it offensively is roughly the same as using it defensively, but the access barriers are different.

This is the structural asymmetry: the defensive cascade requires organizational, governance, and capital investment to deploy. The offensive cascade requires only access to the capability. The same dollar of AI-driven security tooling produces different defensive and offensive returns because deployment is much harder than use.


III · The three defender advantages · what genuinely favors defense

The structural asymmetry above is real and important. But it is not the complete picture. Defenders have three genuine asymmetric advantages that, if leveraged, can compensate for the deployment gap.

Advantage 1 · Source code access

The most fundamental defender advantage: defenders have access to their own source code; attackers don’t. When AI-driven vulnerability discovery operates with source-code access, it produces materially better results than the same capability operating against compiled binaries. The difference is not subtle — it’s the difference between reading a function definition versus reverse-engineering its behavior from observed I/O patterns.

This advantage compounds across iterations. Each cycle of source-code-aware defensive scanning produces refined results that improve the model’s understanding of the codebase. Defenders running internal AI-driven vulnerability discovery against their own code build up a defensive moat that attackers cannot easily replicate against the same code from outside.

This is why the Project Glasswing partner deployment matters specifically. AWS scanning AWS’s codebase with Mythos. Apple scanning Apple’s codebase. JPMorganChase scanning JPMorganChase’s codebase. The capability operates with maximum information. The same capability operating against AWS from outside has substantially less information to work with.

For organizations not in Glasswing, the equivalent capability exists at lower cost through Copilot Autofix (for GitHub-hosted code), Snyk DeepCode AI, SonarQube AI, and the broader AI-augmented SAST/SCA tooling layer. The advantage is real if defenders use it. Most don’t.

Advantage 2 · Telemetry and validation infrastructure

Defenders have access to operational telemetry that attackers don’t. Production logs, runtime behavior data, customer support tickets, security incident response data, vulnerability remediation history. This is the data substrate that lets defenders distinguish “AI surfaced a vulnerability” from “AI surfaced a vulnerability that is actually exploitable in our specific deployment context.”

The validation step matters enormously. Most AI-driven vulnerability discovery produces some volume of false positives — findings that look like vulnerabilities but are not exploitable in the specific deployment configuration, or are mitigated by other controls, or are already remediated through other means. Telemetry data is what distinguishes signal from noise.

This is the architecture Big Sleep and CodeMender are built around. Validation is the binding constraint on AI-driven defensive deployment, not discovery. The CodeMender multi-agent system specifically includes a critique tool that compares original and modified code to verify proposed changes don’t introduce regressions. Without that validation infrastructure, the patches would be unusable. Defenders have the data substrate to build this validation; attackers don’t.

The strategic implication: enterprises that invest in observability, telemetry, and incident-response data infrastructure are building the substrate that lets AI-driven defensive tooling produce trustworthy outputs. Organizations that lack this infrastructure cannot effectively deploy AI-driven defense even if they have access to the capability. Telemetry investment is a prerequisite, not a complement.
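The validation step described in this section, as an added example that is not code from the article or from any tool it names: scanner findings are joined against dependency manifests, runtime traces and deployment configuration to separate "vulnerability found" from "exploitable in this deployment". All service names, packages, versions and field names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    finding_id: str
    service: str
    package: str
    vulnerable_function: str
    fixed_in: tuple  # first patched version, e.g. (2, 4, 0)

# Constructed telemetry (all names and versions are made up for this example).
DEPLOYED = {  # dependency manifests: service -> {package: deployed version}
    "billing-api": {"yamlparse": (2, 3, 0), "imgresize": (1, 0, 4)},
    "report-worker": {"yamlparse": (2, 4, 1)},
    "batch-export": {"yamlparse": (2, 1, 0)},
}
CALLED = {  # runtime traces: (service, package) -> functions seen executing
    ("billing-api", "yamlparse"): {"load_unsafe", "dump"},
    ("billing-api", "imgresize"): {"thumbnail"},
}
INTERNET_FACING = {"billing-api"}  # deployment configuration data

FINDINGS = [  # constructed scanner output
    Finding("F1", "billing-api", "yamlparse", "load_unsafe", (2, 4, 0)),
    Finding("F2", "report-worker", "yamlparse", "load_unsafe", (2, 4, 0)),
    Finding("F3", "billing-api", "imgresize", "parse_exif", (1, 1, 0)),
    Finding("F4", "billing-api", "ldapauth", "bind", (3, 0, 0)),
    Finding("F5", "batch-export", "yamlparse", "load_unsafe", (2, 4, 0)),
]

def triage(f):
    """Classify one finding using deployment and runtime data."""
    version = DEPLOYED.get(f.service, {}).get(f.package)
    if version is None:
        return "not-deployed"
    if version >= f.fixed_in:
        return "already-remediated"
    observed = CALLED.get((f.service, f.package))
    if observed is None:
        # No traces at all: absence of telemetry is not evidence of safety.
        return "needs-telemetry"
    if f.vulnerable_function not in observed:
        # Lowered priority, not dismissed: traces only cover observed traffic.
        return "deprioritized-unreached"
    return "urgent" if f.service in INTERNET_FACING else "scheduled"

def triage_all(findings):
    """Map each finding id to its verdict."""
    return {f.finding_id: triage(f) for f in findings}

if __name__ == "__main__":
    for fid, verdict in triage_all(FINDINGS).items():
        print(fid, verdict)
```

Finding F5 is the case the section warns about: the service runs a vulnerable version but has no runtime traces, so the finding can be neither confirmed nor deprioritized until telemetry exists.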

Advantage 3 · Coordination across the defense ecosystem

The Glasswing partner consortium model is the operational form of this advantage. Defenders can coordinate; attackers cannot. AWS sharing defensive findings with Apple and Google. The Linux Foundation distributing patches across the open-source ecosystem. CrowdStrike sharing threat intelligence with Microsoft Defender. The defense ecosystem aggregates findings in ways the offensive ecosystem does not.

This is the explicit structural bet of Project Glasswing: $100M committed by Anthropic to seed coordination across the partner consortium, with the explicit commitment to publish a 90-day public report sharing what was found and fixed so the broader industry benefits. The defensive capability scales through coordination; the offensive capability doesn’t scale the same way because attackers operate with information asymmetries against each other.

The structural implication: defenders who participate in coordinated defensive programs (Project Glasswing, the Linux Foundation Alpha-Omega program, the Apache Software Foundation security work, sector-specific ISACs, public-interest CERT coordination) gain compounding advantages over defenders who operate in isolation.

For organizations not yet in coordinated programs, the path forward is participation in the ecosystem rather than capability acquisition in isolation. This is one of the strongest arguments for sector-specific consortium models — financial services ISAC, healthcare ISAO, energy sector coordination, etc. — to acquire AI-driven defensive capability collectively rather than individually.

The aggregate

The three advantages — source code access, telemetry/validation infrastructure, coordination — are real and substantial. But they require investment to leverage. None of the three operates automatically when an organization deploys AI-driven defensive tooling. Each requires deliberate organizational investment in the substrate that makes the advantages operational.

This is the critical insight: the deployment gap is not just about access to AI-driven defensive capability. It is about the organizational substrate that makes the capability effective. Organizations that invest in source-code accessibility, observability, and coordination participation are positioned to leverage the defensive cascade. Organizations that invest only in tooling acquisition without the substrate produce minimal defensive returns.


IV · The May 11 catalyst · GTIG’s first AI-built zero-day disclosure

Everything above was written knowing the offensive cascade would eventually cross the operational threshold. As of yesterday — May 11, 2026 — it has.

Google Threat Intelligence Group published the latest GTIG AI Threat Tracker report. The headline finding: GTIG identified what it believes is the first real-world case of attackers using AI to discover and weaponize a zero-day vulnerability in a planned mass exploitation campaign.

The technical details:

  • Vulnerability: a 2FA bypass in a popular open-source web-based system administration tool
  • Mechanism: semantic logic flaw — developer hardcoded a trust assumption that contradicted the application’s authentication enforcement
  • Exploit form: Python script with the characteristic markers of LLM-generated code (educational docstrings, hallucinated CVSS score, textbook Pythonic formatting, detailed help menus, clean ANSI color class)
  • Attribution: GTIG has high confidence the threat actor used an AI model. Not Google’s Gemini, not Anthropic’s Mythos — the model was not identified, but the structural markers are characteristic of LLM-generated code
  • Intended use: mass exploitation campaign by a “prominent cybercrime group” with valid user credentials acquired through other means
  • Outcome: GTIG worked with the affected vendor to responsibly disclose and patch the vulnerability before the mass exploitation campaign could be executed. The disclosure prevented the attack.

John Hultquist (GTIG Chief Analyst) characterized the disclosure in interviews: “a taste of what’s to come” and “the tip of the iceberg.” GTIG’s own framing: this was the first confirmed case, but the broader pattern of AI-augmented offensive operations is much wider.

The same GTIG report documents:

  • North Korean group APT45 sending thousands of repetitive prompts to AI models to recursively analyze vulnerabilities and validate proof-of-concept exploits — building exploit arsenals impractical to manage without AI assistance
  • China-linked actor UNC2814 using “expert-persona jailbreaking” to push Gemini into researching pre-authentication remote code execution flaws in TP-Link router firmware and Odette File Transfer Protocol implementations
  • A China-nexus actor using the Hexstrike and Strix frameworks alongside the Graphiti memory system to autonomously probe Japanese technology firms and East Asian cybersecurity platforms
  • TeamPCP / UNC6780 (the March 2026 LiteLLM compromise that I documented previously) extracting cloud secrets and monetizing through ransomware partnerships
  • Russia-linked operators integrating AI-generated audio into news footage for influence operations

The structural read: this isn’t a single AI-built zero-day. It’s the first publicly attributed one. The actual operational deployment of AI-driven offensive capability is far broader than what GTIG can publicly confirm. The offensive cascade is operational across multiple state-sponsored and criminal actors simultaneously.

What makes the GTIG disclosure significant editorially is what it confirms about the timeline. The transition from “AI as theoretical force multiplier” to “AI as operational tool in adversary workflows” is complete. The defensive cascade — which has been building for 18 months at Google, longer at Anthropic — now operates in a threat environment where offensive AI deployment is happening at scale.

The clock the previous pieces described — the 18-36 month window for defenders to operationalize before offensive capability proliferates broadly — is no longer the right framing. The clock is now: how quickly can the defensive cascade be deployed before the offensive cascade produces its first uncontained mass exploitation event. GTIG caught this one. The next instance may not be caught.


V · What enterprise security leaders need to operationalize · concretely

The structural arguments above translate into specific operational priorities for CISOs and security teams. Ordered by urgency:

Priority 1 · Deploy what’s free first

GitHub Copilot Autofix on all your GitHub-hosted code. It is free for public repositories and included with GitHub Code Security for private/internal repositories. The default-enabled setting works for most organizations. The marginal cost of running it is essentially zero. The marginal cost of not running it is “every code-scanning alert in your codebase takes 2x longer to resolve than it would with Autofix.”

Audit which of your repositories have Autofix enabled. Audit which have it disabled and why. Re-enable it wherever it was disabled without a specific reason. This single action covers the largest AI-driven defensive deployment available for code hosted on GitHub.

Priority 2 · Audit your Microsoft 365 E5 entitlements

If you have Microsoft 365 E5, Security Copilot is included. Most organizations have not operationalized the Security Compute Units (SCUs) allocated under E5. The Defender XDR, Sentinel, Intune, Entra, and Purview integrations are all available without additional license cost. You are paying for the capability either way; using it requires deliberate operationalization.

Specifically: enable Security Copilot in Defender XDR for incident summary and investigation. Enable Phishing Triage Agent if you have meaningful phishing volume. Evaluate the MITRE ATT&CK Coverage Insight Agent and Initial Triage Agent (May 2026 GA from Inspira Enterprise) if your SOC operates on Sentinel. None of this requires new procurement. It requires deliberate enablement of capability you already own.

Priority 3 · Apply for Project Glasswing partner-adjacent access if eligible

Project Glasswing’s 12 launch partners + ~40 additional organizations are the formal partner set. Critical infrastructure operators, major OSS maintainers, and organizations maintaining infrastructure that “billions of people depend on” may be eligible for the additional-partner tier.

Specifically: financial services firms beyond JPMorganChase, healthcare technology operators, energy sector operators, defense contractors with cleared security teams, major SaaS infrastructure providers, telecom operators. The application path is via Anthropic directly with sponsorship from a Glasswing partner organization if possible.

Open-source maintainers: apply through the Claude for Open Source program. Mythos-class capability available specifically for OSS security work, with usage credits subsidized by Anthropic’s $100M Glasswing budget.

Priority 4 · Invest in the substrate that makes AI-driven defense effective

This is where most of the work actually lives. The three defender’s advantages — source code access, telemetry/validation infrastructure, coordination — require organizational investment. Specifically:

  • Source code accessibility: ensure your AI-driven security tooling has access to your full codebase including infrastructure-as-code, configuration files, secrets management, deployment pipelines. Most enterprises restrict AI tooling access in ways that limit defensive effectiveness. Audit the access boundaries and expand where appropriate.
  • Telemetry investment: invest in observability infrastructure that produces validation data for AI-driven security findings. Production logs, runtime behavior data, dependency manifests, deployment configuration data. This is the data substrate that distinguishes “vulnerability found” from “vulnerability that is actually exploitable in your specific deployment.”
  • Coordination participation: join your sector’s ISAC/ISAO. Participate in CISA’s Joint Cyber Defense Collaborative if eligible. Subscribe to relevant CERT/CSIRT distribution lists. The defensive ecosystem operates through coordination; participation is the access mechanism.

Priority 5 · Plan for the volume problem

The 30-day patch SLA was reasonable under historical CVE volume. It is not reasonable under AI-driven CVE volume. Plan for the volume increase that the Glasswing 90-day report will trigger when it lands in July 2026. Plan for the volume increase that GTIG’s documented offensive deployment will produce as more disclosures land through the rest of 2026.

Specifically: target 72-hour deployment for kernel security patches, 7-day for major application stacks, 14-day for everything else. Build the automation infrastructure to support these cadences. Most enterprises cannot meet these targets today. Building the capability to meet them is a 6-12 month project that needs to start now.
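One way to measure a patch backlog against these cadences, as an added example that is not from the article: it computes each patch's deadline from the three targets above and reports per-tier compliance, counting undeployed patches past their deadline as failures. The tier labels, component names and dates are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Deployment targets stated in the text; the tier labels are this example's own.
SLA = {
    "kernel": timedelta(hours=72),
    "major-app": timedelta(days=7),
    "other": timedelta(days=14),
}

# Constructed records: (component, tier, patch released, patch deployed or None)
RECORDS = [
    ("linux-kernel", "kernel", "2026-05-01T00:00", "2026-05-03T12:00"),
    ("linux-kernel-edge", "kernel", "2026-05-01T00:00", "2026-05-05T00:00"),
    ("postgres", "major-app", "2026-05-02T00:00", None),
    ("nginx", "major-app", "2026-05-08T00:00", None),
    ("internal-cli", "other", "2026-04-20T00:00", "2026-05-02T00:00"),
]
NOW = datetime(2026, 5, 12)  # fixed evaluation time so the result is reproducible

def status(tier, released, deployed, now):
    """Return met / breached for deployed patches, overdue / in-window for pending ones."""
    deadline = datetime.fromisoformat(released) + SLA[tier]
    if deployed is not None:
        return "met" if datetime.fromisoformat(deployed) <= deadline else "breached"
    return "overdue" if now > deadline else "in-window"

def compliance(records, now):
    """Per-tier share of patches that met the target.

    Pending patches still inside their window are excluded from the
    denominator; pending patches past the deadline count as failures.
    """
    counts = {tier: Counter() for tier in SLA}
    for _name, tier, released, deployed in records:
        counts[tier][status(tier, released, deployed, now)] += 1
    report = {}
    for tier, c in counts.items():
        judged = c["met"] + c["breached"] + c["overdue"]
        report[tier] = c["met"] / judged if judged else None
    return report

if __name__ == "__main__":
    for tier, rate in compliance(RECORDS, NOW).items():
        print(tier, rate)
```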

Priority 6 · Architect for breach assumption

The defensive cascade reduces the volume of vulnerabilities that reach production. It does not eliminate the volume. Some fraction of components in any modern stack will be compromised at any given time. Architect accordingly: network segmentation, least-privilege everywhere, robust logging, incident response infrastructure.

The OAuth governance work from Part 2 is part of this. The shared-kernel multi-tenancy threat model update from Part 1 is part of this. The framing shift is from “prevent breaches” to “detect and contain breaches.” The historical “prevent” framing assumes capability that no organization actually has. The “detect and contain” framing is the durable operating model for the AI-driven threat environment.


VI · The structural close · what comes next

The defensive cascade is real. Project Glasswing, Big Sleep + CodeMender, Copilot Autofix, Microsoft Security Copilot, the broader ecosystem of AI-augmented defensive tooling. The capability exists at production scale and is being deployed at the most critical layer of the global software stack.

The deployment gap is the structural risk. Most enterprises that need the capability either lack access (cost, eligibility), lack organizational maturity (deployment readiness, governance), or lack the substrate (source code accessibility, telemetry, coordination). The capability exists; the deployment doesn’t.

The offensive cascade just crossed the operational threshold. GTIG’s May 11 disclosure confirmed the first AI-built zero-day in a planned mass exploitation campaign. The transition from theoretical to operational is complete. Multiple state actors and criminal groups are operating AI-augmented offensive capability simultaneously. The clock the previous pieces described is now running differently. The 18-36 month window is still open, but the offensive deployment is no longer a hypothetical pressure.

What gets built institutionally during the next 12 months matters disproportionately. Specifically:

  • The July 2026 Glasswing 90-day report lands and produces a substantial wave of patch releases across operating systems, browsers, and critical infrastructure software. Enterprise patch infrastructure needs to be ready by then. The volume will be larger than enterprises are currently prepared for.
  • The defensive deployment race continues. Microsoft’s Agent 365 GA on May 1 expanded the platform’s reach into shadow AI discovery. GitHub’s Q2 2026 hybrid AI scanning announcement is coming. The race to make AI-driven defense the default deployment for software stacks is operational.
  • The regulatory response begins to crystallize. The EU Cyber Resilience Act enforcement provisions come into force progressively through 2026-2027. NIST 800-218 SSDF revisions are anticipated. The FDA premarket security requirements for medical devices, SEC cyber-incident disclosure refinements, and the broader regulatory framework for AI-driven security are all in motion. The regulatory environment will require AI-driven defensive deployment in ways the current discourse has not yet metabolized.
  • The offensive disclosures continue. GTIG’s May 11 report will not be the last. Anthropic’s red-team disclosures, Microsoft Defender’s threat-intelligence publications, CrowdStrike’s adversary tracking, Mandiant’s incident response reporting — all producing visible evidence of the offensive operational deployment. Enterprise security teams need to be reading these reports as policy inputs, not just as news.

The defensive window is open. The defensive cascade exists. The deployment gap is the binding constraint. The next 12 months determine whether the gap closes or widens. That is the operational reality the enterprise security community is now in.

This is what the Defender’s Counter-Cascade looks like in May 2026. The capability is real. The deployment is uneven. The clock is running. Each enterprise that operationalizes effective AI-driven defense is one fewer enterprise contributing to the structural deployment gap. The work is individual and aggregate simultaneously.

That’s the read on where we are. The next piece in this series will look at the bug bounty market collapse — the economic restructuring underway as AI-driven vulnerability discovery makes the historical bug bounty economics non-viable, and what that means for the defensive talent pipeline over the next decade.


About the Author

Thorsten Meyer is a Munich-based futurist, post-labor economist, and recipient of OpenAI’s 10 Billion Token Award. He spent two decades managing €1B+ portfolios in enterprise ICT before deciding that writing about the transition was more useful than managing quarterly slides through it. More at ThorstenMeyerAI.com.


