When Time Collapses: What Project Glasswing Means for Cyber-Physical Systems Security

In mathematics, the concept of a limit—especially as a variable approaches infinity—is less about reaching an endpoint and more about understanding what is true when approaching an end state. It forces us to ask what becomes true as constraints fall away and systems are pushed to their extremes. You may recall this from your calculus courses as defined by the following equation:

In the real world, we never actually arrive at infinity, but we don’t need to. The value lies in observing what becomes inevitable as a result of the exercise. In many respects, this is the most useful analogy for what Anthropic is signaling with Project Glasswing. Glasswing—and the Claude Mythos private LLM—has resulted in a compression of time in cybersecurity—shrinking the gap between vulnerability discovery, exploit development, and operational execution from months to maybe minutes. As that timeline collapses, the industry is effectively being pushed toward its own limit, where attackers can discover and weaponize weaknesses almost instantaneously.

Recent AI advancements should not only be viewed as a risk—there are so many benefits for defenders that result from the new models because independent software vendors, original equipment manufacturers, and medical device manufacturers will be incredibly more effective at producing infinitely more secure software. Yet I believe that there will be an uncomfortable and risky window of exposure until development pipelines can be AI-enabled.

It’s also important to note that the shift doesn’t create new vulnerabilities. It exposes the ones that have always existed but were previously buffered by time. For years, defenders have relied—often implicitly—on the lag between discovery and exploitation. Glasswing removes that buffer. It reveals a harsher truth: if a system is vulnerable in theory, it is vulnerable in practice, almost immediately.

Why Cyber-Physical Systems are Uniquely Exposed

Nowhere is this shift more consequential than in cyber-physical systems (CPS). While enterprise IT environments can often adapt to acceleration through patching, reconfiguration, segmentation, or rapid replacement, CPS environments operate under fundamentally different constraints. These systems are defined by longevity, safety requirements, and operational continuity, all of which resist speed.

Many CPS environments are built on aging infrastructure—industrial controllers, medical devices, building management systems—that were never designed for the threat landscape they now face. Some assets are no longer supported while others operate on firmware that is rarely updated. In a world shaped by Glasswing, these assets are not just vulnerable; they are persistently and predictably exposed. There is no realistic path to remediation solely through patching or firmware upgrades.

Even when patches or firmware updates are available, they are slow to develop. Vendors must navigate complex testing, certification, and safety validation processes before releasing updates, particularly in industries where reliability is paramount. It’s not just about creating remediations for an individual asset—CPS are integrated into systems of assets that need to be engineered to avoid downtime. This creates a structural mismatch: attackers can now operate at machine speed, while defenders remain bound by engineering and safety cycles that unfold over months or quarters.

Deployment introduces yet another layer of delays. Applying updates in CPS environments often requires planned downtime, coordination across operations and engineering teams, and acceptance of operational risk. Maintenance windows are limited and tightly controlled. In many cases, updates are deferred not because organizations are unaware of the risk, but because they cannot afford the disruption. As a result, vulnerabilities persist far longer than they would in traditional IT systems.

The stakes are also fundamentally different. In CPS environments, a successful attack does not merely result in data loss or system downtime. It can halt production, disrupt critical services, and, in some cases, create real-world safety consequences. Glasswing transforms these risks from theoretical concerns into immediate operational realities.

Project Glasswing: Rethinking Security When Time is No Longer a Control

If time can no longer be relied upon as a buffer, organizations must instead focus on what remains effective even when attackers operate at near-instant speed. This requires a shift toward structural risk reduction.

Asset Intelligence: Visibility and Operational Truth

Asset intelligence has evolved beyond mere inventory maintenance as mature organizations require  high-fidelity, continuously updated asset knowledge, including their configurations, roles, and relationships within operational processes. Claroty’s platform plays an integral role here by aggregating and enriching data through a CPS-specific knowledge base and data lake, and establishing a true operational baseline. Asset intelligence is a problem that requires depth of understanding and clarity. That’s why we were the first provider in the CPS protection market to initiate the CPS Library Project—to mine for truth and address the gaps that are inherent from missing information from typical asset collection methods.

In a Glasswing world, a detailed and high fidelity inventory—enriched with context—is non-negotiable. If defenders lack clarity and context on their own environment, they cannot hope to keep pace with adversaries who can rapidly map and exploit it.

Exposure Management: From Assets to Outcomes

Understanding assets, however, is only the starting point. The next step is understanding how those assets combine to deliver value. Exposure management in CPS environments must move beyond isolated vulnerabilities to focus on interconnected systems and attack paths.

A single vulnerable controller may not appear critical in isolation, but if it sits within a production line or clinical workflow, its compromise can have cascading effects. By analyzing how assets interact and where risk accumulates, organizations can prioritize mitigation efforts based on real operational impact rather than abstract severity scores.

Claroty’s approach is proactive and continuous, with intelligence that delivers context around exposures, context that is paired with asset criticality and business impact risk assessments in order to protect uptime and reliability. 

Network Segmentation: Reducing the Attack Surface

Architectural controls are essential—network segmentation being one of the most effective—as vulnerability discovery accelerates while CPS exposure remediation lags in a  time-compressed environment.

By enforcing strict boundaries on machine-to-machine communication, segmentation limits lateral movement and prevents attackers from turning a single foothold into a broader compromise. Unlike patching, segmentation does not depend on vendor timelines or maintenance windows. It directly removes entire classes of risk by design. 

With millions of assets in our data warehouse, Claroty has built an understanding of how CPS assets should be communicating as designed, and has enabled asset owners with the ability to build policies and enforce known good communications paths between zones or assets. A core xDome module is Network Security Management, which helps  organizations implement enforcement with macro- and micro-segmentation in a step-by-step manner to progressively understand exceptions and reduce risk.

Secure Remote Access: Controlling Human Pathways

Traditional remote access models, built around persistent connectivity and shared credentials, are poorly suited to a world where attackers can rapidly exploit any available pathway. Unfortunately, many operators and engineers have implemented remote access for connectivity haphazardly, and we have seen remote access sprawl get out of control in many asset-intensive organizations—sometimes with thousands of remote access pathways to production lines or critical processes—frequently without mulit-factor authentication (MFA).

Organizations can significantly reduce the attack surface associated with human access through a solution that enforces identity-based least-privilege access and tightly controls how users interact with systems. 

At Claroty, we help understand the sprawl and centralize remote access into a single centralized control point so organizations can govern and manage necessary access into critical systems.

Cyber Resilience: CPS Backup and Disaster Recovery Strategies

Operational resilience must be treated as a core security capability. If Glasswing represents a move toward inevitability—where compromise becomes a question of when rather than if—then recovery becomes a defining factor of operational continuity.

Too often, organizations focus their backup and recovery strategies on IT systems while neglecting CPS environments, particularly at the lower levels of the Purdue Model. This creates a dangerous imbalance. While IT systems may be restored quickly, the systems that actually drive physical operations may not.

CPS-aware backup and recovery ensures that configurations, logic, and firmware can be restored in a timeframe that aligns with business and operational requirements.

Resilience After Time Collapses

Project Glasswing ultimately forces a rethinking of cybersecurity’s underlying assumptions. For years, defenders have relied on time—time to detect, time to patch, time to respond. That advantage is eroding. As the gap between discovery and exploitation approaches zero, organizations must design their security strategies around what holds true without it.

In cyber-physical system protection, this means embracing visibility, understanding interdependencies, enforcing architectural controls, and planning for recovery. These are not new ideas, but their importance is magnified in a world where acceleration is no longer theoretical but operational.