Project Glasswing Found the Vulnerabilities. Now What?

How packet observability and agentic AI workflows close the gap between discovery and defense.

By Ron Nevo, CTO – cPacket Networks

Anthropic recently launched Project Glasswing – a coalition that includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The mission: use frontier AI to find and fix vulnerabilities in critical software before attackers can exploit them. Claude Mythos Preview, Anthropic’s security-focused AI model, has already identified thousands of previously unknown high-severity vulnerabilities across every major operating system, every major web browser, the Linux kernel, and a wide range of other critical software.

This is an important inflection point. The industry has long understood that the volume of undiscovered vulnerabilities far exceeds what human security researchers can find. Glasswing changes the math – AI-driven discovery at this scale means that the rate of vulnerability disclosure is about to increase by orders of magnitude. This volume of vulnerability discovery will likely only grow as new frontier models achieve this level of functionality, or models that are specifically trained for this task are deployed. Moreover, it is unknown how many of these vulnerabilities have already been known and exploited by more stealthy actors.

But discovery is only the first half of the equation. Glasswing uses AI to find and fix vulnerabilities before attackers can exploit them; packet observability is the essential complement, because it detects attacks that are already running in the infrastructure. Glasswing and future initiatives will secure the doors and windows. Packet-level observability helps ensure that prowlers are not walking the hallways. They address different aspects of the same problem.

The Network Is Where You See the Truth

Observing packets as they traverse the network is the best way to see the impact of a breach. It is the only layer of your infrastructure that provides an objective, independent view of what is actually happening between systems, regardless of what any individual device believes about its own state.

And the urgency of that visibility is about to increase dramatically.

The next few weeks and months will be critical. As Glasswing and similar AI-driven initiatives ramp up, the stream of discovered vulnerabilities will grow exponentially. Each disclosure sets off a cascade that takes real time to work through: identifying the fix, developing and testing the software patch, rolling it out across environments, and then the hardest part, updating every affected system through rolling changes while verifying success at every step of the patching process. In complex enterprises, that process can take weeks or months to complete. Some systems will be missed. Some patches will fail silently. Some environments will be deprioritized because they're considered lower risk.

During this extended remediation window – and we should be honest that it will be an extended one – the attack surface remains open. Moreover, attacks that were already launched into the infrastructure could continue to run, even after their initial entry point has been patched. This is precisely why organizations need to double down now on a tamper-proof monitoring solution that can see what's happening on the network – even before every endpoint has been patched, every rule has been written, and every agent has been updated.

The network, observed at the packet level, doesn't have these dependencies. It reflects what's actually happening – every connection, every protocol exchange, every data flow – regardless of whether anyone has defined what to look for. Lateral movement looks like lateral movement. C2 callbacks look like C2 callbacks. Exfiltration looks like exfiltration. These are behavioral patterns in the traffic itself that are visible to deep packet inspection, whether or not the vulnerability being exploited has been catalogued yet.

Code-level security analysis – what Glasswing does brilliantly – tells you how exploits could be implemented. Packet-level observability tells you what is being exploited, right now, on your network.

The Tamper-Proof Record

There's a second dimension that is critical in regulated industries and increasingly everywhere else: the evidentiary record.

When a breach occurs – or when a regulator asks you to prove one didn't – you need an objective, tamper-proof record of what actually traversed your network. Not what a device logged about its own behavior. Not what an application reported about its own health. Not what a summary metric implied about aggregate traffic. You need the ground truth: what packets moved between which endpoints, carrying what protocols, at what times.

Packet capture and packet-derived metadata provide exactly this. They are independent of the systems being monitored – they can't be altered by a compromised host, suppressed by a misconfigured agent, or filtered by a device that doesn't understand what it's seeing.

In a post-Glasswing world, where the volume of disclosed vulnerabilities will increase dramatically, the ability to go back in time and definitively answer the question "were we exploited during the window before we patched?" becomes not just valuable, but essential.

This isn't an aspiration. Organizations running packet observability infrastructure today already have this record. The question is whether they're using it, and whether their coverage extends to every part of their network that matters.

From Reactive Dashboards to Agentic Workflows

Glasswing accelerates vulnerability discovery. But it also accelerates the operational burden of responding to those discoveries. If every new zero-day disclosure triggers a manual investigation (pull up the dashboard, write a query, review the results, escalate if necessary), then the bottleneck moves from finding vulnerabilities to confirming whether you're being exploited. The humans in the loop become the constraint.

This is where agentic AI workflows fundamentally change the equation.

An agentic workflow is not a dashboard. It's not a visualization waiting for someone to look at it. It's an autonomous investigation process that can run on a schedule or be triggered by an external event – such as a new vulnerability disclosure. It interacts directly with your monitoring infrastructure to answer specific questions:

  • Are there new exploits present on our network?
  • Are there anomalous connections to known C2 infrastructure?
  • Has any endpoint initiated communication with a suspicious domain since the vulnerability was published?
  • Are there signs of lateral movement that correlate with the disclosed attack vector?

At cPacket, we've built this capability through our integration with the Model Context Protocol (MCP), which enables AI agents to interact directly with our packet observability platform. When a new vulnerability is disclosed, an agentic workflow can immediately begin querying the network data – not summarized metrics in a data warehouse, but the deep packet intelligence at the point of observation – to determine whether the associated exploitation patterns are present. This happens at machine speed, across the full breadth of the monitored network, without waiting for a human to decide which query to run, or depending on human analysis speed.

The value compounds over time. As Glasswing and similar initiatives accelerate the pace of disclosure, organizations will have to manage multiple concurrent vulnerability windows. Manual investigations won't scale linearly with disclosure volume. Agentic workflows do. Each new threat indicator can be incorporated into the monitoring posture immediately, and the system continuously validates that remediation efforts are actually working – confirming at the packet level that exploit traffic has ceased, not just that a patch was deployed.
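The investigation loop described in this section, as an added example that is not cPacket's code and does not use its MCP integration: a disclosure event carries its indicators (C2 addresses, a suspicious domain, the vulnerable service port), the runbook answers the questions listed above against packet-derived flow records, and a final check confirms at the traffic level that exploit-related activity has stopped after patching rather than trusting the patch deployment alone. Every record, address, domain, timestamp and the `CVE-PLACEHOLDER` identifier is constructed; the `Flow` and `Disclosure` structures are assumptions made for the example, not a platform schema.

```python
"""Disclosure-triggered investigation over packet-derived metadata.

Added example, not cPacket's code and not its MCP integration. It turns the
questions listed above into an automated runbook: given a vulnerability
disclosure with its indicators, scan flow records for C2 connections,
suspicious DNS lookups and lateral movement on the vulnerable port, then
confirm after patching that exploit-related traffic has actually stopped.
Every record, address, domain and identifier below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


def T(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Flow:
    ts: datetime         # when the connection was observed on the wire
    src: str             # source IP
    dst: str             # destination IP
    dport: int           # destination port
    proto: str           # application protocol as classified by DPI
    dns_qname: str = ""  # queried name, DNS flows only


@dataclass(frozen=True)
class Disclosure:
    cve: str                       # placeholder identifier, not a real advisory
    published: datetime
    c2_ips: frozenset              # C2 addresses associated with the exploit
    suspicious_domains: frozenset
    target_port: int               # port of the vulnerable service


def is_internal(ip):
    return ip.startswith("10.")


# Constructed records: one workstation reaches a C2 address, resolves a
# suspicious domain and then moves laterally over SMB to two servers.
FLOWS = [
    Flow(T("2025-01-10T08:00:00"), "10.0.1.5", "10.0.2.9", 445, "smb"),       # pre-disclosure baseline
    Flow(T("2025-01-12T09:00:00"), "10.0.1.7", "198.51.100.20", 443, "tls"),
    Flow(T("2025-01-12T09:01:00"), "10.0.1.7", "10.0.0.53", 53, "dns", "update.example-bad.test"),
    Flow(T("2025-01-12T09:05:00"), "10.0.1.7", "10.0.2.9", 445, "smb"),
    Flow(T("2025-01-12T09:06:00"), "10.0.1.7", "10.0.2.10", 445, "smb"),
    Flow(T("2025-01-14T10:00:00"), "10.0.1.7", "198.51.100.20", 443, "tls"),  # callback continues after patching
]

DISCLOSURE = Disclosure(
    cve="CVE-PLACEHOLDER",
    published=T("2025-01-11T00:00:00"),
    c2_ips=frozenset({"198.51.100.20"}),
    suspicious_domains=frozenset({"example-bad.test"}),
    target_port=445,
)


def matches_domain(qname, domains):
    """True if the query name is one of the domains or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def investigate(flows, d, since=None):
    """Answer the three questions for flows observed at or after `since`
    (default: the disclosure time). Returns {question: [matching flows]}."""
    since = since or d.published
    window = [f for f in flows if f.ts >= since]
    # Connections on the vulnerable port seen before disclosure form the
    # baseline against which new internal-to-internal access is judged.
    baseline = {(f.src, f.dst) for f in flows
                if f.ts < d.published and f.dport == d.target_port}
    findings = defaultdict(list)
    for f in window:
        if f.dst in d.c2_ips:
            findings["c2_connection"].append(f)
        if f.proto == "dns" and matches_domain(f.dns_qname, d.suspicious_domains):
            findings["suspicious_dns"].append(f)
        if (is_internal(f.src) and is_internal(f.dst)
                and f.dport == d.target_port and (f.src, f.dst) not in baseline):
            findings["lateral_movement"].append(f)
    return dict(findings)


def hosts_of_concern(findings):
    """Source hosts that appear in any finding, for escalation."""
    return sorted({f.src for fs in findings.values() for f in fs})


def remediation_verified(flows, d, patched_at):
    """True only if no exploit-related traffic is observed after the patch
    time; a patch deployment alone does not close the investigation."""
    return not investigate(flows, d, since=patched_at)


if __name__ == "__main__":
    found = investigate(FLOWS, DISCLOSURE)
    for question, hits in found.items():
        print(question, [(f.ts.isoformat(), f.src, f.dst) for f in hits])
    print("hosts of concern:", hosts_of_concern(found))
    print("verified after 2025-01-13:", remediation_verified(FLOWS, DISCLOSURE, T("2025-01-13T00:00:00")))
```

Run stand-alone, the constructed data reports one C2 callback that persists after the patch date, so `remediation_verified` returns `False` for a patch applied on 2025-01-13 even though the initial entry point is closed, which is exactly the case the article warns about. The lateral-movement rule is deliberately simple (new internal pairs on the vulnerable port compared with a pre-disclosure baseline); a production runbook would replace it with the platform's own SMB access analytics.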

This is the operational model that the post-Glasswing era demands: continuous, proactive, AI-driven monitoring that operates at the depth and speed the threat landscape now requires.

The Layer 7 That Matters

When people talk about deep packet inspection and Layer 7 analytics, the conversation often gravitates toward application-specific protocol decoding – trading protocols, database transactions, API calls. That's important work, and it serves operational and performance monitoring well.

But the Layer 7 that matters for security in a Glasswing context is different. Zero-day exploitation doesn't typically traverse proprietary application protocols. It traverses the foundational protocols that every organization depends on: DNS, LDAP, HTTPS/TLS, SMB, SSH. These are the protocols where command-and-control channels hide, where data exfiltration occurs, where lateral movement propagates, and where certificate and encryption compliance failures create exploitable gaps.

Packet observability platforms that focus Layer 7 analytics on these security-relevant protocols – extracting metadata about DNS beaconing patterns, TLS certificate health, LDAP authentication anomalies, SMB lateral access patterns – are the ones that can detect the exploitation that Glasswing's vulnerability discoveries are designed to prevent.
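Two of the security-relevant Layer 7 analytics named above, DNS beaconing patterns and TLS certificate health, as an added example that is not cPacket's platform code: beaconing is detected from the regularity of query intervals between one host and one registrable domain (a low coefficient of variation means a fixed timer), and certificate health is checked from the subject, issuer and expiry fields that a TLS observer can extract from the handshake. The records are constructed, and the `registrable()` helper is a deliberately naive last-two-labels heuristic rather than a public suffix list lookup.

```python
"""Security-focused Layer 7 metadata checks over DNS and TLS records.

Added example, not cPacket's code. It shows the kind of analytics the
article describes on protocols that matter for security: periodic DNS
queries from one host to one domain (beaconing) and TLS certificates that
are expired or self-signed. Every record below is constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone, timedelta


def T(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


BASE = T("2025-01-12T09:00:00")

# (timestamp, source host, queried name): one host queries a changing label
# under the same domain every 60 seconds, a second host does ordinary
# irregular lookups.
DNS_RECORDS = [(BASE + timedelta(seconds=60 * i), "10.0.1.7", f"{i}.cdn.example-bad.test")
               for i in range(10)]
DNS_RECORDS += [(BASE + timedelta(seconds=s), "10.0.1.8", "www.example.org")
                for s in (0, 7, 95, 130, 400, 411, 900, 1500, 1503, 2000)]

# (time seen, server, certificate subject, issuer, not_after)
TLS_RECORDS = [
    (BASE, "10.0.2.9", "CN=intranet.example.org", "CN=Corp Issuing CA", T("2026-01-01T00:00:00")),
    (BASE, "10.0.2.10", "CN=legacy.example.org", "CN=Corp Issuing CA", T("2024-06-01T00:00:00")),  # expired
    (BASE, "198.51.100.20", "CN=localhost", "CN=localhost", T("2030-01-01T00:00:00")),              # self-signed
]


def registrable(name):
    """Collapse a query name to its last two labels. Constructed heuristic,
    not a public suffix list lookup; it groups beacon subdomains together."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])


def dns_beacons(records, min_queries=6, max_cv=0.2):
    """Flag (host, domain) pairs whose query intervals are nearly constant.
    Coefficient of variation (stdev / mean) close to 0 indicates a timer."""
    by_pair = defaultdict(list)
    for ts, src, qname in records:
        by_pair[(src, registrable(qname))].append(ts)
    beacons = []
    for (src, dom), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "domain": dom,
                            "period_s": round(mean), "cv": round(cv, 3)})
    return beacons


def tls_certificate_issues(records):
    """Report certificates that were already expired when observed, and
    self-signed certificates (subject equals issuer)."""
    issues = []
    for seen, server, subject, issuer, not_after in records:
        if not_after < seen:
            issues.append({"server": server, "issue": "expired", "subject": subject})
        if subject == issuer:
            issues.append({"server": server, "issue": "self-signed", "subject": subject})
    return issues


if __name__ == "__main__":
    for b in dns_beacons(DNS_RECORDS):
        print("beacon:", b)
    for i in tls_certificate_issues(TLS_RECORDS):
        print("certificate issue:", i)
```

On the constructed data only the 10.0.1.7 pair is reported, with a 60-second period and a coefficient of variation of 0; the irregular browsing host is not. The `max_cv` threshold is the tuning knob: real beacons usually add jitter, so a practitioner would set it from observed baselines rather than the 0.2 used here, and would also count the number of distinct labels queried under the domain, since changing subdomains on a fixed timer is a stronger signal than the timer alone.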

Glasswing Is Necessary. It's Not Sufficient.

Project Glasswing represents a significant step in cybersecurity. The idea that frontier AI can give defenders a durable advantage in finding vulnerabilities before attackers do is powerful, and the coalition of organizations backing it signals real commitment.

But securing the code is the left side of the timeline. Monitoring the runtime is the right side. The more vulnerabilities AI discovers – and Glasswing will dramatically accelerate that discovery – the more critical runtime network observability becomes during the remediation window and beyond. Every zero-day found is a window opened. Packet observability is what ensures no new perpetrators come through that window until after it's closed.

The organizations that will navigate the post-Glasswing landscape most effectively are the ones that combine code-level security with runtime packet observability and agentic AI workflows – discovery, detection, and continuous validation operating as a unified defense.

The vulnerabilities have been found. The question now is whether your infrastructure can see what happens next.
