Project Glasswing Has a Blind Spot. It's You.
Last week, Anthropic unveiled Project Glasswing, an AI system that autonomously discovers zero-day vulnerabilities faster than human teams. It achieved an 83.1% score on vulnerability reproduction benchmarks and has uncovered thousands of previously unknown flaws within weeks rather than years, including a 27-year-old bug in OpenBSD and a 16-year-old issue in FFmpeg, affecting major operating systems and browsers.
Then came the partner list. Amazon, Apple, Google, Microsoft, NVIDIA, CrowdStrike, Palo Alto Networks, JPMorganChase. Twelve founding partners. About fifty organizations in total.
Fifty.
There are 33 million developers in the world. Hundreds of thousands of companies shipping code every single day. Open-source maintainers, most of them unpaid, holding up the infrastructure the rest of us rely on. And the tool that just rewrote the rules of vulnerability discovery? Fifty organizations got access.
I get it. You don't hand a scanner like this to the entire internet on day one. Simon Willison and others have argued that restricted early access is a reasonable trade-off, and they're probably right. Responsible disclosure needs controlled access.
But nobody is answering the obvious question: what does everyone else do?
The fix gap
Daniel Stenberg, the guy who built cURL, said it clearly:
Adds more load on countless open source maintainers already struggling.
AI finds bugs exponentially faster than people can fix them. When Anthropic made the announcement, fewer than 1% of the vulnerabilities Mythos found had been patched.
Discovery scales. Remediation does not.
That is the real story. Not the benchmarks. Not the partner list. The gap between knowing something is broken and actually having the people and the time to fix it.
If you are a Fortune 500 company with a security team and a Glasswing partnership, you are fine. You scan your systems, you prioritize, you assign engineers. If you are a startup, a mid-size company, a solo maintainer, or a team in a country where none of those twelve partners operate, you are on the wrong side of that gap.
The code you ship today will be read by models that catch what humans miss. That is not speculation; it is already happening. The only question is whether you find your vulnerabilities before someone else does.
This is a structural problem
The cybersecurity industry has always had an access problem. Enterprise security tools cost serious money. A penetration test runs $20,000 to $120,000. The best threat intelligence is paywalled. Compliance frameworks need consultants that small teams cannot afford.
Glasswing did not create this. But it made it sharper. If frontier AI models can find zero-days at scale, and only a handful of organizations get to use them defensively, the rest of the ecosystem is exposed. Not because they wrote worse code. Because they could not access the same tools.
Forrester flagged it directly: Anthropic becomes a critical infrastructure dependency. Nation-states may stop hoarding zero-days and start racing to exploit them before patches land. The CVE triage system could buckle under the volume. And the ones least equipped to respond (small teams, open-source projects, companies without security budgets) carry the most risk.
So what can you actually do?
Glasswing is not coming to your laptop. Mythos is not going to be generally available. The partner list is not getting longer anytime soon. So the question becomes practical: what is available right now, to anyone, that moves in the same direction?
I have been working on this problem for a while. My name is Victor Purcallas Marchesi. I have a political science background and work as a software engineer. The intersection of technology and access has been a consistent focus of my work for years. When Glasswing was announced, it confirmed a direction I had already been building toward: tools that help evaluate and strengthen code with AI should not be restricted to closed partnerships and enterprise contracts.
That is why I built Quodeq.
Quodeq is an open-source code quality and security scanner. It uses AI to evaluate any codebase across six dimensions from ISO 25010: security, reliability, maintainability, performance, flexibility, and usability. It maps every finding to CWE identifiers, the same taxonomy used by NIST, OWASP, and compliance standards like PCI-DSS.
It is not Mythos. It does not discover zero-days in the Linux kernel. But it puts AI-powered security and quality analysis in the hands of the startup that cannot afford a pentest, the open-source maintainer drowning in vulnerability reports, the team in Montevideo or Lagos or Krakow that was never going to make Glasswing's partner list.
The tool matters. But the philosophy behind it matters more.
Open source. MIT license. Fork it, modify it, ship it, sell services on top of it. No enterprise tier. No "contact sales." No freemium. You can read every line of evaluation logic. There is something ironic about proprietary security tools: they ask you to trust their assessment of your code, but you cannot assess theirs.
Local first. Evaluation results (scores, violations, fix plans, trends) are all stored as JSON files on your machine. No Quodeq servers. No account. No telemetry. Your code stays yours. Your results stay yours.
You choose how it runs. Quodeq works with cloud providers like Claude, Gemini, or Codex for faster, deeper analysis. Your choice, your API key. A thorough evaluation of a 300-file project costs a few dollars. An incremental scan after touching five files costs pennies. But it also runs entirely offline through Ollama with models like Gemma 4. Your source code never leaves your machine. No API keys. No cloud. No vendor lock-in.
Speed or privacy. You decide. Most tools make that decision for you. Quodeq does not.
The 90-day clock
Glasswing has a 90-day public reporting window. After that, Anthropic will disclose what was found, what was fixed, and what was learned. That means in roughly three months, a wave of vulnerability information hits the public record. Some of it patched. Some of it, based on the current 1% fix rate, not.
When that happens, every codebase that shares dependencies with the affected projects becomes a target. Not because anyone chose to attack you specifically. Because the vulnerabilities are public knowledge and scanners will find them automatically.
You do not need Glasswing access to start preparing for that. You need a way to scan your code, understand where you are exposed, and prioritize what to fix. You need a compass.
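The exposure check the last two paragraphs describe, as an added example that is not part of the original post and not Quodeq's code: it parses a pinned dependency manifest, cross-checks it against a list of affected projects, and orders the hits into a fix plan, separating findings that already have a patched release from those that do not. The advisory entries, package names and version numbers are constructed for illustration and are not Glasswing findings; only the CWE identifiers are real category numbers.

```python
"""Cross-check a pinned dependency manifest against a list of affected projects.

Added example, not Quodeq's code. The advisory feed and the manifest below are
constructed for illustration; they do not describe any real package.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lower rank sorts first in the fix plan.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Advisory:
    package: str
    affected_below: str        # every version below this one is affected
    fixed_in: Optional[str]    # None means no patched release exists yet
    severity: str
    cwe: str                   # CWE category the finding maps to


# Constructed advisory feed (hypothetical package names and versions).
ADVISORIES = [
    Advisory("imgcodec", "2.4.1", "2.4.1", "high", "CWE-787"),
    Advisory("yamlish", "0.9.0", None, "critical", "CWE-502"),
    Advisory("httpkit", "1.8.3", "1.8.3", "medium", "CWE-20"),
]

# Constructed requirements.txt-style manifest.
MANIFEST = """\
# pinned dependencies
imgcodec==2.3.0
yamlish==0.8.5
httpkit==1.9.0
leftpadx==1.0.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1); a component with no digits counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison padded to equal length, so '1.0' == '1.0.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def parse_manifest(text: str) -> dict:
    """Return {name: version} for 'name==version' lines; skip comments/blanks."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def find_exposures(manifest_text: str, advisories=ADVISORIES) -> List[Tuple[Advisory, str]]:
    """Return (advisory, pinned_version) pairs for every affected dependency.

    Ordered by severity first; within a severity, findings without a patched
    release come first because the exposure lasts until one ships.
    """
    pins = parse_manifest(manifest_text)
    hits = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and version_lt(pinned, adv.affected_below):
            hits.append((adv, pinned))
    hits.sort(key=lambda h: (SEVERITY_RANK[h[0].severity], h[0].fixed_in is not None))
    return hits


def fix_plan(manifest_text: str, advisories=ADVISORIES) -> List[str]:
    """One line per exposure, in priority order, with the concrete next step."""
    plan = []
    for adv, pinned in find_exposures(manifest_text, advisories):
        if adv.fixed_in:
            action = f"upgrade to {adv.fixed_in}"
        else:
            action = "no fixed release yet: mitigate, restrict exposure, and track the advisory"
        plan.append(f"[{adv.severity}] {adv.package} {pinned} ({adv.cwe}): {action}")
    return plan


if __name__ == "__main__":
    for line in fix_plan(MANIFEST):
        print(line)
```

In the constructed data, httpkit is pinned above the affected range and leftpadx has no advisory, so neither appears; the plan lists the unpatched critical yamlish finding before the patched high imgcodec one, which is the split the text is pointing at: some of what becomes public will have an upgrade path, and some will only have mitigation.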
That is what Quodeq does. It does not fix your code for you. It shows you where the problems are, explains why they matter, and gives you a plan. You take it from there.
The window is open. Use it.