Anthropic's Project Glasswing used a restricted AI model to surface over ten thousand high-severity vulnerabilities across more than a thousand open-source projects. The 2026 Verizon DBIR tells us vulnerability exploitation just became the number one initial access vector for breaches—up 55% in a single year. Only 26% of critical vulnerabilities were fully remediated last year, down from 38% the year before. Median time to resolution: 43 days, up from 32. That was the pre-Glasswing baseline—before AI-scale discovery even entered the equation. Tim Chase, Program Director at MFG-ISAC, and Brian Geffert, VP of Cyber Defense at 3M and former Global CISO at KPMG International, join Matt Calligan to confront what this means for an industry that has heavy OT interconnection, no regulatory floor equivalent to NERC CIP, and a security culture that has outsourced too much to tools that are now becoming the attack surface themselves.
