On April 7, 2026, Anthropic's Project Glasswing demonstrated that AI models can now autonomously discover and exploit vulnerabilities at scale across major operating systems and browsers with no human guidance. The time between a CVE being published and a working exploit appearing has collapsed from months to hours. The same capabilities that accelerate your engineering team now accelerate attackers.
Tenzai put together what you and your team should do now.
The change happening in offensive security right now is not just speed; it's capability. AI systems can now reason about applications, iterate on attack paths, and chain vulnerabilities together. This moves offensive security from static scanning to adaptive exploitation. Organizations that rely solely on patching and scanning will fall behind. The only way to keep up with AI-driven attackers is to continuously test your own systems with the same class of capabilities.
After fielding many frantic calls from security teams at organizations big and small, the Tenzai team compiled a to-do list, sequenced deliberately. Budget and procurement unlock everything else. Inventory tells you what you're defending. Continuous offensive testing finds problems before attackers do. Rapid patching closes them. War room practice ensures your team can execute under pressure when it matters.
Here's where to start.
1. Set budget aside.
Every item on this list requires spending authority. Pre-allocate a dedicated security budget with a fast-track approval mechanism. If budget needs sign-off every time a new threat or tool emerges, your response will always lag behind the threat. This is the prerequisite that unlocks everything else, which is why it's first.
2. Create a fast-track procurement process.
The security tooling landscape is changing faster than standard procurement cycles were designed for. Build a streamlined vendor evaluation and onboarding path specifically for security technology - one that can move in days, not quarters. Define pre-approved vendor categories and spend thresholds that don't require full RFP cycles. If you can't onboard a new defensive tool quickly, you can't respond to a new threat quickly.
3. Build a comprehensive asset inventory.
You almost certainly don't have a complete picture of your internet-facing hosts, APIs, services, open source libraries, and third-party dependencies. Use agents to build and continuously maintain a live inventory. Generate real SBOMs. You cannot patch, monitor, or defend what you don't know exists - and attackers will find it before you do.
4. Establish continuous, adaptive application pentesting.
Establish the ability to run AI-assisted penetration tests against your applications continuously, not quarterly. The goal is not just scanning for known vulnerabilities, but testing with attacker-like behavior: chaining findings, iterating on attack paths, and validating exposure to newly disclosed CVEs as soon as they appear. This is the capability that mirrors how attackers now operate. It needs to be on-demand, not scheduled.
5. Run LLM-based security code reviews — as an additional layer.
Current AI models are increasingly effective at identifying input validation flaws, injection vulnerabilities, and insecure patterns in code. Integrate LLM-based security review into your development pipeline as an additional layer alongside traditional SAST and manual review, before code ships. The models will only improve, but waiting means vulnerabilities reach production in the meantime.
6. Prepare to rapidly patch open source libraries.
Know your open source dependencies and have a tested, rehearsed process to update them fast. This means current SBOMs, automated dependency scanning, and a deployment workflow you've already run. When the next Log4j drops, you need to know within minutes what you're running, not within days. The process needs to exist before you need it.
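The "know within minutes what you're running" step in items 3 and 6 comes down to matching a current SBOM against an advisory's affected version range. The script below is an added example, not Tenzai's code: it parses a small CycloneDX JSON document constructed inline, extracts each component's package URL, and reports every component whose version falls inside the advisory's introduced/fixed range. The package names, versions, the advisory id CVE-EXAMPLE-0001 and the simplified version-ordering rules are all assumptions made for the example; real SBOM generators and vulnerability databases supply the actual inputs.

```python
"""Match a CycloneDX SBOM against an advisory's affected version range.

Added example (not Tenzai's code). The SBOM document and the advisory are
constructed here so the script runs offline; package names, versions and the
advisory id CVE-EXAMPLE-0001 are placeholders, not real findings.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM fragment. The "purl" field carries the
# ecosystem, package name and version that real SBOM generators emit.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1",
         "purl": "pkg:maven/org.example/example-logger@2.14.1"},
        {"type": "library", "name": "example-logger", "version": "2.17.2",
         "purl": "pkg:maven/org.example/example-logger@2.17.2"},
        {"type": "library", "name": "example-http", "version": "1.3.0",
         "purl": "pkg:maven/org.example/example-http@1.3.0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed advisory, written the way OSV-style feeds express ranges:
# "introduced" is the first affected version, "fixed" the first safe one.
ADVISORY = {
    "id": "CVE-EXAMPLE-0001",  # placeholder identifier
    "ecosystem": "maven",
    "package": "org.example/example-logger",
    "introduced": "2.0.0",
    "fixed": "2.17.1",
}

PURL_RE = re.compile(r"^pkg:(?P<eco>[^/]+)/(?P<name>[^@]+)@(?P<ver>[^?#]+)")


def parse_version(v):
    """Simplified version key: up to three numeric fields padded with zeros,
    plus a flag that ranks pre-releases ('2.0-beta9', '2.0.0-rc1') below the
    release they precede. Real tooling applies ecosystem-specific rules."""
    nums, prerelease = [], 0
    for piece in v.split(".")[:3]:
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            prerelease = -1
            break
        nums.append(int(m.group(1)))
        if m.group(2):  # any suffix after the digits marks a pre-release
            prerelease = -1
            break
    nums += [0] * (3 - len(nums))
    return tuple(nums) + (prerelease,)


def affected(version, advisory):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected_components(sbom_json, advisory):
    """Return (purl, version) for every SBOM component hit by the advisory."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if not m:
            continue  # a component without a purl cannot be matched reliably
        if m.group("eco") != advisory["ecosystem"] or m.group("name") != advisory["package"]:
            continue
        if affected(m.group("ver"), advisory):
            hits.append((comp["purl"], m.group("ver")))
    return hits


if __name__ == "__main__":
    for purl, ver in find_affected_components(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['id']}: {purl} (version {ver} is in the affected range)")
```

Run against a real SBOM, the same loop answers the Log4j-style question for every advisory in your feed; the part worth keeping is matching on the purl rather than on the display name, since the name alone does not distinguish ecosystems or namespaces. Note that a component without a purl is skipped rather than guessed at, which is the gap an inventory review should close.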
7. Prepare to rapidly patch your own application code.
When a vulnerability is found in your first-party code, you need a pre-built process for fast-tracking a fix through development, review, and deployment. Build and rehearse this workflow now; under pressure is the wrong time to design it. Know who approves, who deploys, and what the rollback plan is.
8. Automate patching in general.
Manual patch approval and deployment don't scale to the current volume of vulnerabilities. Automate patch intake, testing, and deployment across your infrastructure. Prioritize internet-facing systems for 24-hour remediation cycles. Use the CISA KEV catalog and EPSS scoring to sequence what gets patched first.
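Sequencing by KEV membership, EPSS and exposure rather than by raw CVSS is the point of item 8, and it is easy to get backwards. The script below is an added example, not Tenzai's code: it takes a constructed backlog of findings, a constructed stand-in for the KEV catalog and constructed EPSS scores, assigns each finding a remediation tier and a deadline, and sorts the backlog most-urgent first. The 24-hour window for internet-facing systems is the one from item 8; the EPSS threshold, the other deadlines and every CVE-EXAMPLE identifier are assumptions. A real deployment would load the KEV feed and EPSS scores from CISA and FIRST instead of the inline dictionaries.

```python
"""Sequence a patch backlog using CISA KEV membership, EPSS and exposure.

Added example (not Tenzai's code). The findings, the KEV entries and the EPSS
scores are constructed so the script runs offline; every CVE identifier is a
placeholder. A real deployment loads KEV from CISA's published JSON feed and
EPSS from the FIRST EPSS API.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_facing: bool


# Constructed backlog of open findings.
FINDINGS = [
    Finding("api-gateway-01", "CVE-EXAMPLE-1001", 9.8, True),
    Finding("build-runner-03", "CVE-EXAMPLE-1002", 9.8, False),
    Finding("marketing-site", "CVE-EXAMPLE-1003", 6.5, True),
    Finding("hr-portal", "CVE-EXAMPLE-1004", 7.5, False),
    Finding("api-gateway-01", "CVE-EXAMPLE-1005", 5.3, True),
]

# Constructed stand-ins: KEV is the set of CVE ids with known exploitation,
# EPSS maps a CVE id to its estimated probability of exploitation in 30 days.
KEV = {"CVE-EXAMPLE-1003", "CVE-EXAMPLE-1004"}
EPSS = {
    "CVE-EXAMPLE-1001": 0.91,
    "CVE-EXAMPLE-1002": 0.91,
    "CVE-EXAMPLE-1003": 0.12,
    "CVE-EXAMPLE-1004": 0.04,
    "CVE-EXAMPLE-1005": 0.002,
}

EPSS_HIGH = 0.10  # assumed threshold for "likely to be exploited soon"


def tier(f, kev=KEV, epss=EPSS):
    """Map a finding to a remediation tier; 0 is most urgent.
    0: in KEV and internet-facing
    1: in KEV anywhere, or internet-facing with high EPSS
    2: internet-facing, or high EPSS on an internal system
    3: everything else"""
    in_kev = f.cve in kev
    likely = epss.get(f.cve, 0.0) >= EPSS_HIGH
    if in_kev and f.internet_facing:
        return 0
    if in_kev or (f.internet_facing and likely):
        return 1
    if f.internet_facing or likely:
        return 2
    return 3


def sla_hours(f, kev=KEV, epss=EPSS):
    """Remediation deadline in hours. The 24-hour cycle for internet-facing
    systems is from item 8; KEV entries get the same window, and the 72-hour
    and 30-day windows are assumed values for illustration."""
    if f.internet_facing or f.cve in kev:
        return 24
    if epss.get(f.cve, 0.0) >= EPSS_HIGH:
        return 72
    return 24 * 30


def prioritize(findings, kev=KEV, epss=EPSS):
    """Return findings sorted most-urgent first: tier, then EPSS, then CVSS.
    Within a tier, CVSS is the tie-breaker, never the primary key."""
    return sorted(
        findings,
        key=lambda f: (tier(f, kev, epss), -epss.get(f.cve, 0.0), -f.cvss),
    )


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"tier {tier(f)}  due in {sla_hours(f):>4}h  "
              f"{f.cve}  cvss={f.cvss}  {f.asset}")
```

The ordering this produces puts the internet-facing KEV entry with CVSS 6.5 ahead of the internal CVSS 9.8 finding, which is the behaviour you want: evidence of active exploitation and reachability outrank a severity number computed without either. Swap the inline KEV set and EPSS map for the live feeds and the same function drives the automated intake queue.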
9. Establish direct lines to your major vendors.
When a critical vulnerability drops in software you depend on, support ticket queues won't cut it. Establish named contacts, escalation paths, and communication protocols with your OS, cloud, infrastructure, and critical application vendors before you need them. Relationships built in advance move faster in a crisis.
10. Practice war rooms, and assume a Log4j-level event every week.
Run regular exercises that simulate a critical vulnerability in widely used software requiring immediate response across your entire estate. These drills should be timed, realistic, and include your patching, communication, and decision-making workflows. Teams that have run the scenario before respond faster and make fewer mistakes under pressure. If your last war room exercise was more than 90 days ago, schedule the next one today.
A note on where this is going.
The old model - find, patch, repeat - assumed a relatively slow attacker with limited iteration. That assumption is now wrong. AI systems can reason about your application, adapt when one attack path fails, and chain low-severity findings into critical exploits. Defense has to simulate that continuously, not catch up to it quarterly.
Actions 4 and 5 on this list are where that shift is most visible. Continuous, adaptive offensive testing, across both running applications and the code that produces them, is no longer a red team luxury. It's the baseline for any security program that wants to stay ahead of what attackers can now do.
Tenzai powers the offensive layer required across these actions - from LLM-based code review to continuous, adaptive application testing - enabling organizations to operate at attacker speed.