Anthropic ran an experiment this month that should worry every security team still doing manual code audits.
Project Glasswing - an AI agent built to find vulnerabilities in open-source software - discovered over 10,000 high- or critical-severity bugs in essential codebases within 30 days. That's not a slow, careful review. That's industrial-scale security auditing at a speed no human team could match.
The initial update doesn't name every project affected, but it confirms the findings are real, reported to maintainers, and being patched. The bugs are the kind that matter - authentication bypasses, memory corruption issues, privilege escalation vulnerabilities. The kind security researchers spend weeks hunting for.
What Changed
AI tools have been assisting with code review for a while now. This is different. Glasswing isn't suggesting improvements or flagging suspicious patterns. It's performing full security audits - reading codebases, understanding logic flow, spotting edge cases where assumptions break down.
The volume is the shift. 10,000 findings in a month means roughly 330 per day. A skilled security researcher might find a handful of critical vulnerabilities in that time if they're very good and very lucky. Glasswing is doing this at scale, across multiple projects, simultaneously.
For builders, this has immediate implications. If you maintain open-source software, assume an AI agent has already scanned your code. If it hasn't found anything, that's either good news or you're not important enough to audit yet. If it has found something, expect a vulnerability report soon.
The Infrastructure Problem
Security teams aren't set up for this volume. Most projects have one or two maintainers handling bug reports in their spare time. If an AI starts filing dozens of critical vulnerability reports, the backlog becomes unmanageable.
The industry will need to adapt. That means automated triage systems, AI-assisted patching, and possibly AI agents that don't just find bugs but propose fixes. The bottleneck isn't finding vulnerabilities anymore - it's fixing them fast enough.
This also raises a question nobody has answered yet: what happens when the capability to find vulnerabilities at scale becomes widely available? Right now, Anthropic is running Glasswing responsibly - reporting bugs to maintainers, waiting for patches before disclosure. But the same technology could be used to stockpile zero-days or sell exploits.
What Builders Should Do
If you're maintaining code that matters - anything handling authentication, payments, user data, or infrastructure - assume it's being audited by AI right now. That's not paranoia. It's the new baseline.
Run your own security scans. Use static analysis tools. Fuzz test your inputs. Peer review anything that touches privilege boundaries. The old advice still applies, but the urgency just increased.
For security researchers, this is either a threat or an opportunity depending on how you respond. AI won't replace manual audits entirely - it misses context, makes assumptions, and sometimes hallucinates problems that aren't there. But it will handle the bulk work, freeing researchers to focus on complex logic bugs and architectural flaws that require human intuition.
The Timeline
This capability is available now. Anthropic published the initial results. Others will replicate it. Within six months, expect multiple AI-powered security audit tools competing for market share.
The software you shipped last year was built when security audits were slow and expensive. The software you ship this year will be built knowing that every line of code can be audited by AI at negligible cost.
That changes the game. Vulnerabilities that might have stayed hidden for years will be found in days. The only question is whether they're found by people trying to fix them or people trying to exploit them.