Mozilla called it Project Glass Wing. The mandate: use Anthropic's Claude to find security vulnerabilities in the Firefox codebase — the browser that runs on roughly 180 million devices. The results were not incremental. Claude identified 271 distinct vulnerabilities in a single research engagement. Not all were exploitable on their own, but the volume and specificity of the findings forced a rethink at Mozilla about what automated security research now means. The AI didn't just scan for known patterns. It reasoned about control flow, memory access, and side-channel leakage in ways that took human security researchers years to learn.
What Project Glass Wing Actually Found
Mozilla wasn't the only organization in Anthropic's research pipeline. In parallel engagements, Claude surfaced vulnerabilities that had survived decades of human and automated review. A 27-year-old crash bug in OpenBSD — the operating system used by security researchers precisely because of its reputation for rigor. A 16-year-old flaw in FFmpeg, the ubiquitous media processing library embedded in virtually every platform that renders video, from YouTube to Discord to Zoom.
The Linux kernel finding was categorically different. Researchers demonstrated a root privilege escalation exploitable via a single-bit memory flip — not a sequence of misconfigurations, not a chain of unpatched CVEs, but a logical flaw in how the kernel handles certain memory operations under specific hardware conditions. Claude didn't just identify the bug; it characterized the precise trigger condition and the escalation path. That's the work of a senior security engineer who has spent years developing intuition for where kernels break.
The browser sandbox escapes were perhaps the most consequential finding from a consumer-risk perspective. Claude identified paths to escape isolation sandboxes in Chrome, Firefox, Safari, and Edge — four separate implementations, four separate codebases, four separate security teams, and Claude found seams in all of them.
The Capability Spread Problem
The individual findings matter, but the pattern matters more. Mozilla, OpenBSD, FFmpeg, Linux, Chrome, Firefox, Safari, Edge — these are not one vendor's ecosystem. They represent the entire layered stack that modern computing runs on: operating system, kernel, media codec, browser runtime, browser isolation boundary. Claude found exploitable or crash-inducing flaws at every layer in a single concentrated research effort.
Security professionals have a term for this: attack surface coverage. A senior red-team researcher might spend a three-month engagement deeply understanding one codebase. Claude covered the full stack. The implication is not that Claude is a weapon — it's that the time required to audit critical infrastructure just collapsed by an order of magnitude, in both directions. Defenders can move faster. So can attackers with access to the same or equivalent models.
The SWE-bench number captures this. Claude scores 93.9% on the software engineering benchmark — the industry-standard test for AI ability to read, reason about, and fix real-world code. At that level, benchmark saturation becomes a serious concern. Not because the number is inflated, but because it means the test itself may no longer be measuring what it was designed to measure. The ability gap between Claude and the average security engineer on routine code review tasks has narrowed to the point where it's functionally zero for many classes of vulnerability.
"By end of 2028, there is likely a 60%+ chance AI builds its own successor autonomously."
Jack Clark, Anthropic Co-Founder — AI Mythos TranscriptPentagon Designation: Supply Chain Risk
The same week that Project Glass Wing results were circulating inside security circles, the US Department of Defense labeled Anthropic a "supply chain risk." The designation is not ceremonial. Under the framework in which it was applied, the label can restrict Anthropic's access to federal contracts, limit its ability to participate in certain defense research programs, and flag its software as a risk factor for government contractors who integrate it into their own systems.
Anthropic's legal team moved quickly. The company filed for and received a temporary block on the designation, arguing that the classification was applied without due process and that the DoD's evidence for the risk categorization had not been disclosed. The case is ongoing. But the framing of the dispute reveals a structural tension that has no clean resolution: the same AI capability that makes Claude valuable to Mozilla and Linux Foundation security teams is precisely what makes the DoD nervous about uncontrolled deployment.
This is not a novel concern. The export control framework for cryptographic software in the 1990s went through the same ratchet — technology deemed too powerful to be unregulated eventually became too important to be restricted. The difference is timeline. The Clipper Chip debate played out over years. The current AI capability curve is moving faster.
DoD designates Anthropic a "supply chain risk" — restricts access to certain federal and contractor programs, citing capability concerns about uncontrolled AI deployment in sensitive codebases.
Anthropic files for injunction — argues the designation was applied without disclosed evidence or adequate due process. Legal challenge proceeds in federal court.
Temporary block granted — court issues interim relief. The underlying designation is under review. Contractors who had begun compliance procedures face uncertainty about how to treat Anthropic tooling in the interim.
The $1 Trillion Paradox
Against this backdrop, Anthropic is approaching a $1 trillion valuation. Not a speculative projection — a figure based on the terms of recent funding discussions and commitments already on the books. Google Cloud has committed $200 billion to AI infrastructure. SpaceX has committed 220,000 NVIDIA GPUs for training runs. These are not soft letters of intent. They are capital commitments of a scale that, historically, only get made when the people writing the checks believe the capability is real and the market is not hypothetical.
The paradox is not that Anthropic is simultaneously valuable and regulated. Every significant technology company has operated in that space. The paradox is the specific nature of the tension: the capability that makes Anthropic's valuation plausible — AI that can autonomously identify exploitable flaws in the software stack that all modern infrastructure runs on — is the same capability that makes the DoD classification comprehensible, if not legally defensible.
The traditional startup story is: disruptive technology, regulatory lag, eventual accommodation. The Anthropic story adds a second track running in parallel: technology so capable that the national security apparatus cannot ignore it, even as the commercial investment thesis depends on deploying it broadly.
Benchmark Saturation and What It Actually Means
A 93.9% score on SWE-bench is not a marketing number. SWE-bench uses real GitHub issues from real open-source projects — the kind of messy, context-dependent, poorly-documented bugs that stump junior engineers. The benchmark was designed to be hard. At 93.9%, the question shifts from "can Claude code?" to "what does it mean that we've run out of benchmark?"
The research community calls this benchmark saturation. When a model approaches the ceiling of what a benchmark measures, two things happen simultaneously. First, the benchmark stops being a useful differentiator — you can no longer rank models against each other using it, because they all cluster near the ceiling. Second, and more important, the benchmark stops being a proxy for the underlying capability you care about. A model that scores 93.9% on SWE-bench may be better or worse than a competing model at the specific task you need — but you can't tell from the benchmark anymore.
What this means in practice: the security research capabilities demonstrated in Project Glass Wing are not a special deployment of Claude. They are the expected behavior of a production model operating on a codebase. The specialized security research workflow that Mozilla built around Claude is downstream of a general capability, not a fine-tuned special case. Any organization that deploys Claude-level AI against a codebase it doesn't own is doing security research, whether or not it's classified as such.
What Builders Need to Monitor Now
The implications split cleanly into two categories: defensive opportunity and policy risk. On the defensive side, the Project Glass Wing model is now replicable. Any engineering organization with access to frontier AI and a codebase it wants audited can run the same class of exercise Mozilla ran. The cost of that engagement, which would have required a dedicated red team for months, is now compressible to weeks or days with the right scaffolding.
The policy risk is less tractable. The DoD's supply chain risk designation — even temporarily blocked — signals that government bodies are beginning to develop regulatory frameworks for AI deployment in critical systems. Those frameworks will almost certainly be modeled on existing software supply chain controls (SBOM requirements, FedRAMP authorization, CMMC compliance), but applied to AI model weights, training pipelines, and API dependencies. Organizations building on top of foundation model APIs need to track this development. The framework that doesn't exist today will exist in 18 months.
- ✓ CISA AI security guidance. The Cybersecurity and Infrastructure Security Agency has been tasked with developing AI-specific supply chain security guidelines. Watch for the draft publication — it will define "AI supply chain risk" in ways that affect how federal contractors classify their model dependencies.
- ✓ FedRAMP AI extension. The Federal Risk and Authorization Management Program currently covers cloud services. An extension to AI model APIs is in early discussion. If your product sells to government entities, track whether the API you depend on will require its own FedRAMP authorization — and what happens to your authorization if your AI provider loses or disputes a supply chain designation.
- ✓ EU AI Act Article 6 and Annex I classifications. High-risk AI systems under the EU AI Act include systems used for critical infrastructure. "Security research tooling" is not currently a listed category, but software vulnerability discovery tools are adjacent to several that are. Track the Commission's delegated acts — they determine what gets reclassified.
- ✓ The Anthropic v. DoD case outcome. The temporary block on the supply chain designation is the precedent-setting event. If the block holds, it signals that AI companies can successfully contest security classifications in court on due process grounds. If it doesn't, it establishes that AI capability alone is sufficient legal basis for supply chain risk designation.
- ✓ Jack Clark's 2028 threshold. The Anthropic co-founder's statement — 60%+ probability that AI autonomously builds its own successor by end of 2028 — is not a prediction made in isolation. It's a datapoint from the person who has seen Anthropic's internal capability roadmap. Position your product architecture for a world where AI-written code is the majority of new code in your stack by late decade.
- 271 Firefox vulnerabilities — Project Glass Wing, single research engagement. Not all independently exploitable, but the density and specificity forced a security posture review at Mozilla.
- 27-year OpenBSD crash bug — survived decades of human and automated review including the OpenBSD team's own audits; identified by Claude in one research pass.
- 16-year FFmpeg flaw — embedded in virtually every platform that renders video: YouTube, Discord, Zoom, VLC, and hundreds of others. Patched post-disclosure.
- 93.9% SWE-bench score — the software engineering benchmark is approaching saturation; scores at this level stop differentiating between models and start raising questions about what the benchmark is actually measuring.
- $200B Google Cloud commitment + 220K SpaceX GPUs — the infrastructure investment is so large it creates path dependency: the organizations funding it are financially committed to a world where the capability is deployed at scale.
- Anthropic's temporary block on DoD designation — currently held by court order; the underlying legal question (whether AI capability alone constitutes supply chain risk) is unresolved and will produce precedent that applies to every frontier AI lab.