You've got firewalls. You've got endpoint protection. You've probably got a compliance framework you can wave at auditors and a patch cadence that felt reasonable the last time you benchmarked it. But here's the question worth sitting with: if the threat environment your security program is built around doesn't exist anymore, would your program know?
Not in theory. Not in a vendor's glossy PDF. In practice. With your team, your sites, your budget, and the attacker who just leveled up without telling you.
Something happened recently that every IT leader running a multi-site organization should understand. Not because it's the end of the world. Because the conversation in the industry about it has been loud, scattered, and largely unhelpful, and the people who need a clear read on it the most are the ones least likely to get one from their inbox.
This is Matrix Networks' attempt at a clearer one.
On April 7, Anthropic published a technical disclosure about an unreleased AI model called Claude Mythos Preview. The short version: the model autonomously found thousands of previously unknown vulnerabilities in every major operating system and web browser. It wrote working exploits on the first try roughly 83% of the time. It chained vulnerabilities together to bypass operating system sandboxing. It reverse-engineered closed-source binaries. It found a 27-year-old flaw in OpenBSD, an operating system famous for being hard to break. It found a 16-year-old bug in FFmpeg that had survived approximately five million automated scans of the same line of code.
An Anthropic engineer with no formal security training typed a prompt asking the model to find a remote code execution vulnerability, and went home. Came back the next morning to a complete, working exploit.
When Anthropic figured out what they'd built, they did something the AI industry has never done. They decided not to release it.
In its place, they formed Project Glasswing, a defensive coalition of AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, backed by $100 million in usage credits. The coalition gets access to the model defensively, to find and patch vulnerabilities in the software they maintain, before the capability proliferates to everyone else. The Federal Reserve and Treasury briefed major US bank CEOs on the cyber risks before the announcement went public.
That's not a product launch. That's an institutional response to something the institutions involved understood immediately.
Here's the part most of the coverage glosses over, and it's the part that should actually land.
The median time from a vulnerability going public to it being exploited in the wild collapsed from 771 days in 2018 to single-digit hours by 2024. By 2025, the majority of exploits were being weaponized before public disclosure. Mythos collapsed what was left. The exploitation phase now begins at discovery, not at disclosure.
A working zero-day exploit, including discovery and weaponization, was demonstrated at compute costs as low as about fifty dollars. Multi-vulnerability privilege escalation chains in the Linux kernel, the kind that used to command six-figure consulting engagements from elite researchers, now execute at the cost of a tank of gas.
And the capability is not going to stay restricted. Anthropic's own estimate is six to eighteen months until comparable capability reaches broader availability. Wiz, which does this for a living, estimates twelve to eighteen months until open-weight models that anyone can run locally, with no safety controls and no audit trail, catch up. Once the weights are public, there is no recall mechanism.
That window is the point. Because if you're running a mid-size organization with a small security team across multiple sites, the window doesn't close the same way for you as it does for a Fortune 500 with a three-hundred-person security operations center.
It closes sooner. And harder.
This is the part where most security content goes sideways. A vendor publishes a scary story, blames the IT team for not being prepared, and offers to sell them a product. The reader either buys or learns to ignore the message, and everybody's signal-to-noise ratio degrades a little more.
So directly: the asymmetry between Project Glasswing members and everyone else isn't about skill. It isn't about commitment. It isn't about whether your team is good at their jobs. The IT directors Matrix Networks works with are some of the sharpest people in the industry. The asymmetry is about structure.
Coalition members have security teams of hundreds or thousands. Their budgets are in the tens or hundreds of millions annually. They have the legal infrastructure to sign an NDA with Anthropic, the procurement velocity to deploy Mythos defensively, and the executive sponsorship to do all of it in weeks.
You probably have one to fifteen people covering security across your entire environment. That team is also responsible for laptop refreshes, password resets, quarterly compliance reporting, and whatever the CEO's assistant broke this morning. Your seven sites across three time zones each add attack surface without adding defensive capacity. Every remote user is an identity boundary. Every SaaS vendor enabled AI features in the last twelve months and forgot to tell you. Every open source dependency in your software stack may have an unpatched vulnerability Mythos already found and nobody has fixed yet.
The math doesn't work. And it's not your fault. It's the math.
Here's the call Matrix Networks had to make.
This post could have been written the way most vendor posts get written. Lead with the scariest stats. Gate the whole thing behind a form. End with a call-us-today. The reader either converts or unsubscribes, and either way, Matrix gets its metrics for the week.
That version isn't useful. So we did something else.
We published a twenty-page industry brief called “The Glasswing Window” that walks through what Mythos actually demonstrated, why open-weight model proliferation closes the defender's window, why multi-site mid-size organizations are uniquely exposed, what's overstated in the industry coverage (because plenty of it is), and what an integrated response actually looks like when assembled. It includes a one-page board summary you can edit and take upstairs without rewriting it. It includes a 30-day playbook of actions you can execute without hiring anyone, including us. The brief is behind an email gate so we can share more of what we publish with the people reading it. That's the only reason.
We also built an interactive assessment based on the Cyber Defense Matrix, a framework developed by Sounil Yu and published independently of any vendor. You answer 25 diagnostic questions about your current capabilities across five functions and five asset classes. You get back a heatmap of your maturity, a composite Glasswing Window Score weighted toward AI-speed defensive disciplines, a prioritized list of your biggest gaps, and a discussion guide for your next leadership meeting. The assessment is completely free and requires no contact information. You can take it anonymously and use the result internally regardless of whether we ever speak.
The goal was to make this feel like the conversation Matrix Networks would have over coffee if you called today. Not a pitch. Not a funnel. A clear read on a moment that deserves one.
Take the assessment. Twenty minutes and you'll know where you sit on a maturity grid the entire industry is reorganizing around. You'll walk away with specific gaps worth raising at your next leadership meeting, regardless of what happens next.
Read the brief for the full picture. Especially the calibration section, which names what's overstated in the industry coverage. Most vendors won't publish that section because it complicates the upsell. We kept it in because without it, the brief would be doing the exact thing we were trying not to do.
And if the assessment makes it clear that the work ahead is bigger than what your current team can absorb alone, talk to us. Not because Matrix is the only partner who can help. Because most organizations in this segment are trying to do this alone, and that's the mistake Project Glasswing was formed to prevent. If the biggest technology companies in the world concluded they couldn't face this transition individually and built a coalition to do it together, that's worth considering for an organization running a twelve-person IT shop across nine sites.
One thing worth saying out loud: most of the best security work your team will do in the next eighteen months costs nothing. It's visibility you already have and aren't using. It's patch velocity you could compress with a policy change and some executive sponsorship. It's an honest conversation with your broker about how cyber insurance is reflecting AI risk before your next renewal catches you flat-footed.
The expensive work matters too, eventually. But if the free work isn't done, the expensive work doesn't land right anyway.
Start there. If you want help figuring out where “there” is, Matrix Networks would welcome the conversation.
The window is closing. Let's use the time we have.
"The Glasswing Window: A New Capability Threshold in Cybersecurity, and What It Means for Your Organization" is a twenty-page industry brief written for IT leaders at mid-size organizations. It includes a board-ready summary, a 30-day playbook, full citations, and an honest calibration of where the threat is overstated.