Visa's Project Glasswing: AI Finds 10,000+ Security Flaws

Visa Reveals How Anthropic's Claude Mythos Is Reshaping Enterprise Security Through Project Glasswing

Visa has pulled back the curtain on its participation in Project Glasswing, Anthropic's coordinated AI-powered cybersecurity initiative, detailing how the program's flagship model — Claude Mythos Preview — is identifying software vulnerabilities at a scale and speed that would be impossible through conventional security methods. The payments giant's findings, published June 10, 2026, and co-authored by Rajat Taneja, President of Technology, and Subra Kumaraswamy, Chief Information Security Officer, offer one of the most detailed enterprise accounts yet of what the most powerful agentic AI models can actually do inside a production security environment. Taneja is set to discuss the initiative publicly at VB Transform 2026, scheduled for July 14–15 at Hotel Nia in Menlo Park, California.

The stakes for Visa are not abstract. Taneja oversees the security and resilience of 639 million transactions each day, across more than 150 million merchants and 4.6 billion active Visa cards. As he put it plainly in an earlier interview with Fortune: "That infrastructure has to run in a rock solid manner." Project Glasswing, then, is not a research experiment for Visa — it is a direct test of whether frontier AI can meaningfully strengthen the defenses protecting the global payments ecosystem.

What Is Project Glasswing — and Why Does It Matter?

Anthropic launched Project Glasswing on April 7, 2026, as a structured initiative to deploy its most capable and access-restricted frontier model for defensive vulnerability discovery across critical software infrastructure. The program's name was inspired by the glasswing butterfly, whose transparent wings make it nearly invisible — a deliberate metaphor for how software vulnerabilities can hide in plain sight for years.

The initiative launched with 12 founding partner organizations: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself. Since then, the program has expanded significantly. According to reporting by Yahoo Finance citing Anthropic's expansion announcement, Project Glasswing grew from approximately 50 initial members to roughly 200 total partner organizations, with the new cohort spanning more than 15 countries and covering sectors including energy, water utilities, healthcare, communications, and hardware. According to Techzine Global, NATO and the European cyber agency ENISA have also been granted access to the program.

Anthropic committed substantial resources to back the initiative: up to $100 million in model usage credits for participants, plus $4 million in donations to open-source security organizations. Of that donation pool, $2.5 million went to Alpha-Omega and the Open Source Security Foundation (OpenSSF) through the Linux Foundation, and $1.5 million to the Apache Software Foundation.

The model powering all of this — Claude Mythos Preview — is described on Anthropic's official website as a general-purpose frontier model and the company's most capable yet for coding and agentic tasks. For Project Glasswing participants, it is available at $25 per million input tokens and $125 per million output tokens via the Claude API, Amazon Bedrock, Google Cloud's Vertex AI, and Microsoft Foundry.

Inside Visa's Project Glasswing Participation: VVAH, MTTA, and 10,000+ Vulnerabilities

Visa's experience with Project Glasswing yielded results that are difficult to dismiss. According to Visa's official corporate blog, participants in the program identified more than 10,000 high- or critical-severity vulnerabilities across widely used, systemically important software in just the first month of testing. Across the program as a whole, Claude Mythos Preview has detected more than 23,000 software vulnerabilities since Project Glasswing launched, according to Techzine Global citing Anthropic via SiliconANGLE.

Visa did not simply plug into the program and run scans. The company built its own multi-model security test suite — now in its fifth generation — constructed around an advanced scanning harness that systematically maps its codebase, deploys AI agents, categorizes and prioritizes findings, and generates detailed reports for developers and remediation agents. The result of that work is the Visa Vulnerability Agentic Harness (VVAH), which Visa has now open-sourced to help advance defensive innovation across the broader security community. According to the tool's GitHub repository, VVAH is an autonomous vulnerability discovery harness built on learnings from Project Glasswing, designed for use with frontier AI models.

One of the more significant strategic outcomes from Visa's participation is the introduction of a new security metric: Mean Time to Adapt (MTTA). Rather than relying solely on traditional measures like mean time to detect or mean time to remediate, Visa's MTTA tracks the time elapsed from an AI-discovered weakness to a validated fix deployed in production. The metric reflects a recognition that in an era of AI-enabled vulnerability discovery — on both the offensive and defensive sides — the speed of the adaptation cycle matters as much as detection itself.

Importantly, Visa's blog also addressed the defensive resilience question directly. When Claude Mythos was tested against Visa's systems, the company's existing zero trust controls, network segmentation, and layered safeguards would have prevented exploitation of the critical findings that were flagged. This is a meaningful data point: it suggests that while AI can surface vulnerabilities at scale, existing enterprise security architecture, when properly implemented, can still contain the blast radius.

Visa has invested $3.3 billion into AI and data infrastructure over the past decade, according to Tech Brew citing Taneja, and its Project Glasswing work reflects the maturity that investment has built — not just in detection capability, but in the organizational and architectural frameworks needed to act on AI-generated findings at enterprise speed.

The Broader Enterprise Security Implications

The scale of vulnerabilities surfaced through Project Glasswing — more than 23,000 across the program since April — raises a question that every enterprise security team will need to grapple with: if AI can find this many critical flaws this quickly, how long have those flaws been present, and how many remain undiscovered in systems that have not yet been scanned?

Project Glasswing's expansion to roughly 200 organizations across more than 15 countries, covering critical infrastructure sectors like energy, water, and healthcare, signals that this question is being taken seriously well beyond the technology industry. The inclusion of NATO and ENISA, as reported by Techzine Global citing the Financial Times, further underscores how the program has moved from a private-sector initiative into a matter of national and international security infrastructure.

For enterprise security and technology leaders, Visa's open-sourcing of VVAH is a notable development in its own right. By making the harness available on GitHub, Visa is effectively lowering the barrier for other organizations — including those without Visa's decade-long AI investment history — to begin running similar agentic vulnerability discovery workflows using frontier models.

The introduction of MTTA as a metric also carries implications beyond Visa. As AI agents move from passive scanners to active participants in the security cycle, the relevant performance benchmarks for security operations will need to evolve. Time-to-detect and time-to-remediate remain important, but MTTA captures something distinct: the organizational agility to move from machine-generated insight to production-validated fix, which is increasingly where competitive security posture is determined.

Expert Reactions

Visa's leadership framed their Project Glasswing participation in terms of both institutional responsibility and ecosystem benefit. In the official Visa corporate blog, Rajat Taneja and Subra Kumaraswamy wrote: "Our participation in Anthropic's Project Glasswing reflects a proactive approach to testing advanced AI for cybersecurity and strengthening the global payments ecosystem."

From the broader partner community, AWS offered a direct account of how Claude Mythos Preview is being applied in practice. Amy Herzog, VP and CISO at AWS, stated: "We've been testing Claude Mythos Preview in our own security operations, applying it to critical codebases, where it's already helping us strengthen our code."

What's Next: VB Transform 2026 and the Road Ahead for Agentic AI Security

Rajat Taneja is confirmed as a speaker at VB Transform 2026, VentureBeat's flagship enterprise AI conference, scheduled for July 14–15, 2026, at Hotel Nia in Menlo Park, California. The event is focused on agentic AI orchestration at scale, covering multi-agent systems, LLM observability, RAG infrastructure, and agentic AI security — a lineup that reflects how quickly the operational questions around AI deployment have moved from theoretical to pressing.

Taneja's session is expected to offer an inside look at Visa's Project Glasswing work, including the development and open-sourcing of VVAH and the strategic thinking behind MTTA as a new security benchmark. For enterprise security leaders and technology executives, it will be one of the first opportunities to hear a direct, detailed account from a participant organization at the scale and complexity of Visa's infrastructure.

The trajectory of Project Glasswing itself points toward continued expansion. The program has already grown from 12 founding partners to approximately 200 organizations in roughly two months. With new sectors — energy, water utilities, healthcare — now inside the program, and international bodies like NATO and ENISA granted access, the initiative appears to be evolving from a technology-industry collaboration into something closer to a global critical infrastructure security effort.

What remains to be seen is how organizations outside the founding partner tier — particularly those in healthcare, energy, and water utilities with fewer dedicated security resources than a company like Visa — will operationalize the findings that Claude Mythos generates. The open-sourcing of VVAH is one answer to that challenge, but it is only a tool. The organizational capacity to act on AI-generated vulnerability data at speed is a distinct and harder problem, and one that Visa's introduction of MTTA as a metric implicitly acknowledges.

For now, the numbers from Project Glasswing's first months — more than 23,000 vulnerabilities detected, more than 10,000 high- or critical-severity findings in the first month alone — make a straightforward case that agentic AI has already changed the calculus of enterprise security, whether organizations are ready or not.

For more tech news, visit our news section.

Why This Matters for Your Health and Productivity

The security of digital infrastructure is not a concern limited to enterprise IT departments. Every app you use to track your health, manage your finances, or optimize your daily routines depends on the resilience of the systems beneath it. As AI-powered vulnerability discovery scales across critical infrastructure — payments, healthcare, energy — the foundations of the digital tools you rely on are being actively hardened. Staying informed about these developments means understanding not just the technology headlines, but the systems that underpin your daily life. Join the Moccet waitlist to stay ahead of the curve.