
Project Glasswing and the Two-Tier Internet: What It Means If Your Vendors Aren't on the List

  • Apr 19

April 2026 | TAAUS Secure Technologies

Project Glasswing

In April, Anthropic made a decision most people in cybersecurity have been quietly expecting for two years. The company's newest AI model — capable of autonomously discovering and exploiting software vulnerabilities at a scale no human research team can match — was judged too dangerous to release broadly. Instead, access went to roughly 40 organizations under a program called Project Glasswing: AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, Nvidia, Broadcom, JPMorgan Chase, the Linux Foundation, and some thirty others responsible for the software that runs most of modern computing.


The stated goal is defensive. Give the companies that maintain the world's critical software infrastructure a head start on finding and patching the vulnerabilities an adversary with the same tool would eventually find anyway. It's a reasonable plan. It may even work.


But for every organization that runs on software not made by a Glasswing partner — which is to say, most of them — the announcement carries a quieter message worth thinking hard about. The internet is being split into two tiers. Your business likely sits in the second one.


What the Glasswing list actually tells you


The partner list is not a random sample of the tech industry. It is, with very few exceptions, the hyperscalers, the operating system vendors, the chipmakers, and the largest security platforms. These companies share three characteristics: they maintain software used by billions of people or devices, they have mature internal security programs capable of absorbing a flood of newly discovered vulnerabilities, and they have the commercial relationships that made early access possible.


What is not on the list is equally instructive. The practice-management SaaS that your law firm's entire workflow depends on. The specialty EHR your medical group chose because it integrates with a particular billing system. The fund-administration platform that handles your investor reporting. The CAD and MES software running on your factory floor. The municipal-government case-management system. The K-12 student information system. These products will receive vulnerability disclosures on the same timeline as everyone else: after the Glasswing partners have had their turn, and in many cases after attackers have had theirs. Two things follow. Unless a partner happens to run the model against one of these vendors' own code, flaws there go unfound by it. And every upstream fix a partner ships is itself a disclosure: once the patched code is public, anyone can diff it against the previous release, so the gap between an upstream fix and the downstream vendor's rebuilt product is exactly the window an n-day attacker works in.


This is not a criticism of Anthropic's triage. Given a choice between patching Linux and patching a boutique vertical-market application, the utilitarian answer is obvious. The point is that the utilitarian answer is not the answer that helps you.


The vendor audit most firms have never done


If you are the managing partner of a law firm, the CEO of a regional healthcare group, or the COO of a manufacturing business, your exposure to the next twelve months of AI-discovered zero-days is not determined by your own security posture. It is determined by the security posture — and the Glasswing proximity — of the twenty to fifty software vendors you depend on to operate.

Most mid-market firms have never performed this audit in a structured way. The question is not "is our data encrypted" or "do they have SOC 2." Those are necessary, but they measure controls as they stood at audit time, not how fast the vendor moves when a vulnerability lands. The questions that matter now are operational:


Which vendors in our stack maintain their own security research teams, and which outsource the function or skip it entirely? Do they run a coordinated disclosure process and publish security advisories, ideally in a machine-readable form, so that a fix reaches us as a notification rather than a release note we have to go looking for? When a critical vulnerability is disclosed in their product, what is their historical median time from disclosure to an available patch, and do we have contractual commitments to it? Do they publish a software bill of materials in a standard format such as CycloneDX or SPDX, so we know which upstream components (and therefore which upstream vulnerabilities) ride along with their product, and can check each new upstream advisory against it ourselves? What is their relationship, direct or indirect, with the organizations receiving early vulnerability disclosures?
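As an added illustration of the SBOM question (example code written for this article, not something the post, TAAUS or any vendor supplies), the following takes a constructed CycloneDX-shaped SBOM for a fictional practice-management product and checks its pinned upstream versions against a constructed advisory list. The component names, versions and ADV-* identifiers are all invented; none refers to a real vulnerability.

```python
"""Cross-check a vendor's SBOM against an advisory list.

Added example; this is not code from the original post, from TAAUS or from
any Glasswing participant. The SBOM below is a constructed fragment in the
shape CycloneDX uses (bomFormat, metadata.component, components[]), and the
advisory list, component names, versions and ADV-* identifiers are invented
for illustration, not real vulnerabilities.
"""
import json
from typing import Iterable

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "practice-manager", "version": "12.4.0"}},
  "components": [
    {"name": "fastxml",    "version": "2.11.5", "purl": "pkg:generic/fastxml@2.11.5"},
    {"name": "cryptkit",   "version": "3.0.13", "purl": "pkg:generic/cryptkit@3.0.13"},
    {"name": "pdfrender",  "version": "1.8.0",  "purl": "pkg:generic/pdfrender@1.8.0"},
    {"name": "authlib-ng", "version": "2.13.4", "purl": "pkg:generic/authlib-ng@2.13.4"}
  ]
}
"""

# Constructed advisories: the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "component": "cryptkit",   "introduced": "3.0.0", "fixed": "3.0.14"},
    {"id": "ADV-0002", "component": "fastxml",    "introduced": "2.9.0", "fixed": "2.11.0"},
    {"id": "ADV-0003", "component": "authlib-ng", "introduced": "2.0.0", "fixed": "2.13.5"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """'3.0.13' -> (3, 0, 13), so versions compare numerically (3.0.9 < 3.0.13)
    rather than as strings. A pre-release or build suffix ('-rc1', '+build7')
    is dropped, which treats a release candidate as the release it precedes:
    conservative for this check."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under numeric comparison."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def exposed_components(sbom_json: str, advisories: Iterable[dict]) -> list[dict]:
    """One record per (component, advisory) pair whose pinned version falls
    inside the advisory's affected range. Matching is by component name only,
    which makes this a first pass that tells you what to ask the vendor."""
    sbom = json.loads(sbom_json)
    product = sbom["metadata"]["component"]
    by_name = {c["name"]: c for c in sbom.get("components", [])}
    hits = []
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is not None and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
            hits.append({
                "product": f'{product["name"]} {product["version"]}',
                "component": comp["name"],
                "version": comp["version"],
                "advisory": adv["id"],
                "fixed_in": adv["fixed"],
            })
    return hits


if __name__ == "__main__":
    for hit in exposed_components(SBOM_JSON, ADVISORIES):
        print(f'{hit["product"]}: {hit["component"]} {hit["version"]} '
              f'affected by {hit["advisory"]} (fixed in {hit["fixed_in"]})')
```

On this input the check flags cryptkit and authlib-ng and clears fastxml, whose pinned version is past the fixed release. A hit means "the vendor ships an affected component", not "the product is exploitable": whether the vulnerable code path is reachable is the vendor's call, which is what a VEX statement accompanying the SBOM is for. Real SBOMs should be matched on the package URL rather than the bare name, since the same name can denote different packages in different ecosystems.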


These are not IT questions. They are procurement questions, and for a CEO or managing partner, they belong on the same page as vendor financial stability and business-continuity planning. A supplier who cannot patch quickly is, in 2026, a supplier who may take your operations offline.


What "second-tier" risk actually looks like


The pattern to expect over the next year is not dramatic. There will not be a single cinematic breach. What will happen, instead, is a sustained elevation in the baseline rate at which smaller software vendors ship urgent patches — and a corresponding elevation in the rate at which the firms that depend on them fall behind.


For a 60-attorney law firm, the concrete version of this is a Thursday afternoon email from a practice-management vendor announcing a critical patch that must be applied within 72 hours to remain in a supported configuration. The firm's outsourced IT provider schedules the work for the following Tuesday. On Monday, the vulnerability is weaponized. For a regional medical group, the same story plays out with an EHR vendor and a ransomware affiliate. For a municipal government, it plays out with a case-management platform and a data-exfiltration group. The mechanics are boring. The consequences are not.


What to do this quarter


Three things are worth doing now, before the patch cadence accelerates further.


First, get an actual inventory of the software your business depends on — not just the applications IT manages, but the SaaS tools individual departments have adopted. For most mid-market firms this list is longer and stranger than leadership expects. The unofficial entries show up in three places: the identity provider's sign-in logs, the corporate card ledger, and outbound DNS from the office network. You cannot assess vendor risk on a list you do not have.


Second, rank those vendors by operational criticality: if this product were unavailable or compromised for 72 hours, what stops? The vendors at the top of that list are the ones whose security posture you need to understand in detail. The others can be handled more lightly.


Third, accept that your own patch-and-response capacity is now a first-order business metric. The organizations that will fare best over the next two years are not the ones with the most sophisticated defenses. They are the ones that can reliably deploy a critical patch across their environment within hours of its release, measured from the vendor's release rather than from when someone opened a ticket, and that have the detection and response depth to catch what gets through. This is an operational discipline, not a technology purchase — though it generally requires both.
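The following is an added example (not from the original post or from TAAUS) that puts the second and third steps into code: a vendor inventory ranked by the 72-hour question, and a patch-response benchmark computed over constructed deployment records. The vendor names, records and per-tier target windows are assumptions made for illustration, not a standard, and a patch that has not been deployed is counted as open exposure rather than left out of the numbers.

```python
"""Patch-response benchmark over a ranked vendor inventory.

Added example; not code from the original post or from TAAUS. The vendor
names, criticality tiers, deployment records and per-tier target windows are
all constructed for illustration. The target windows in particular are an
assumption about what a firm might commit to, not a published standard.
"""
from datetime import datetime, timedelta
from statistics import median

# Tier answers "if this product were unavailable or compromised for 72 hours,
# what stops?": 1 = core operations stop, 2 = operations degrade, 3 = nuisance.
INVENTORY = {
    "CaseFlow (practice management)": 1,
    "LedgerLine (billing)": 1,
    "DocVault (document management)": 2,
    "TimeTally (timekeeping)": 2,
    "RoomBook (scheduling)": 3,
}

# Assumed internal commitment for deploying a critical vendor patch, in hours,
# measured from the vendor's release timestamp, not from when a ticket opened.
TIER_TARGET_HOURS = {1: 24, 2: 72, 3: 24 * 14}

# Constructed records: (vendor, patch id, host, released, deployed).
# deployed is None for a patch that is still outstanding.
DEPLOYMENTS = [
    ("CaseFlow (practice management)", "CF-2026-07", "app-01", "2026-04-09T15:00:00", "2026-04-14T09:00:00"),
    ("CaseFlow (practice management)", "CF-2026-07", "app-02", "2026-04-09T15:00:00", "2026-04-10T08:00:00"),
    ("LedgerLine (billing)",           "LL-3.8.2",   "fin-01", "2026-04-12T10:00:00", None),
    ("DocVault (document management)", "DV-2026-04", "dms-01", "2026-04-08T12:00:00", "2026-04-10T12:00:00"),
    ("TimeTally (timekeeping)",        "TT-11.2",    "tt-01",  "2026-04-06T09:00:00", "2026-04-11T09:00:00"),
    ("RoomBook (scheduling)",          "RB-5.1",     "rb-01",  "2026-03-30T09:00:00", "2026-04-08T09:00:00"),
]
NOW = "2026-04-16T17:00:00"  # constructed evaluation time


def rank_inventory(inventory: dict[str, int]) -> list[str]:
    """Vendors ordered most critical first; ties broken by name for stable output."""
    return sorted(inventory, key=lambda v: (inventory[v], v))


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)


def benchmark(inventory, deployments, targets, now):
    """Per tier: median and worst release-to-deploy hours, the share of records
    inside the tier's target, and the records that missed it. A patch not yet
    deployed is measured as open exposure at `now`, so an unpatched host cannot
    improve the numbers by being absent from them."""
    buckets: dict[int, dict] = {}
    for vendor, patch, host, released, deployed in deployments:
        tier = inventory[vendor]
        hours = hours_between(released, deployed or now)
        b = buckets.setdefault(tier, {"hours": [], "missed": []})
        b["hours"].append(hours)
        if hours > targets[tier]:
            b["missed"].append((vendor, patch, host, round(hours, 1), deployed is None))
    report = {}
    for tier in sorted(buckets):
        b = buckets[tier]
        n = len(b["hours"])
        report[tier] = {
            "records": n,
            "median_hours": round(median(b["hours"]), 1),
            "worst_hours": round(max(b["hours"]), 1),
            "within_target": round(1 - len(b["missed"]) / n, 2),
            "missed": b["missed"],
        }
    return report


if __name__ == "__main__":
    for vendor in rank_inventory(INVENTORY):
        print(f"tier {INVENTORY[vendor]}: {vendor}")
    for tier, r in benchmark(INVENTORY, DEPLOYMENTS, TIER_TARGET_HOURS, NOW).items():
        print(f"tier {tier}: {r['records']} records, median {r['median_hours']}h, "
              f"worst {r['worst_hours']}h, within target {r['within_target']:.0%}")
        for vendor, patch, host, hours, still_open in r["missed"]:
            state = "STILL OPEN" if still_open else "late"
            print(f"  {state}: {vendor} {patch} on {host} after {hours}h")
```

On the constructed data the tier-1 median is 103 hours against a 24-hour target, with one billing patch still open. The two choices that make the number honest are the ones the scenario earlier in this article turns on: the clock starts at the vendor's release, and outstanding patches are in the denominator.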


If you would like help conducting a vendor-criticality audit or benchmarking your patch-response capability against the requirements of the current threat environment, TAAUS works with firms in financial services, legal, healthcare, and government to build both. Schedule a consultation.
