Following the disclosure by Anthropic over its powerful Claude Mythos capabilities, the cybersecurity giant has launched Project QuiltWorks to accelerate discovery and remediation of software flaws before attackers find them, according to Chief Business Officer Daniel Bernard: ‘It was time for somebody to take the bull by the horns.’
CrowdStrike’s launch of a new initiative, Project QuiltWorks, is a sorely needed answer to the widespread questions over how to prepare for the coming onslaught of AI-discovered software vulnerabilities, according to CrowdStrike Chief Business Officer Daniel Bernard.
Anthropic’s disclosure earlier this month about the potential for AI tools to exponentially increase vulnerability discovery has set off a massive wave of demand for guidance, Bernard said.
[Related: Anthropic-OpenAI Race Obscures The Real Cybersecurity Breakdown: Analysis]
In collaboration with channel and industry partners, the cybersecurity giant is seeking to make it possible for more organizations to prepare for this potential surge in cyber risk even if they don’t have access to Anthropic’s unreleased model, Claude Mythos Preview. Just a select group of industry players, including CrowdStrike, have been given access to the model through the Project Glasswing initiative, which prevents it from being utilized as part of Project QuiltWorks, Bernard noted.
However, “you don’t need a Mythos right now to take action and start getting ready,” Bernard said.
Unveiled Thursday, Project QuiltWorks brings together other frontier AI models with Falcon Spotlight, CrowdStrike’s AI-powered vulnerability discovery offering, as well as with remediation guidance provided by system integrators, according to CrowdStrike.
The aim is to accelerate discovery and remediation of software flaws before attackers find them, Bernard said.
As an example, one participating company has been able to find 45 million vulnerabilities using the capabilities, according to Bernard. Without a doubt, “we’re going to do more patching in the next six months to 12 months than has ever been done on planet Earth before,” he said. “Before it was Patch Tuesday, once a month. Now it’s, ‘Patch every day, all the time.’ That’s what this new world looks like.”
Notably, Project QuiltWorks is also an attempt to shift the focus away from fixation on one particular AI model or another, according to Bernard.
The initiative is intentionally “less focused on a particular model. Because what we’re seeing is, the harness actually matters now more than the model,” he said.
Initial participants in Project QuiltWorks include OpenAI, Accenture, EY, IBM Cybersecurity Services and Kroll, though the plan is to open it up more broadly, Bernard said.
“We’ve seen unbelievable demand since the announcement came out,” he said. “We’re going to open it up to a lot more. There’s plenty of work to go around. Every single business is facing this question right now.”
In addition to Anthropic’s Project Glasswing, CrowdStrike also participates in OpenAI’s parallel initiative, known as Trusted Access for Cyber, making the company one of two pure-play cybersecurity vendors to do so currently.
Ultimately, with Project QuiltWorks, “I haven’t seen anybody else do what we’ve done,” Bernard said. “It was time for somebody to take the bull by the horns and do something that would benefit people.”
What follows is more of CRN’s interview with Bernard.
What led to the launch of QuiltWorks?
The background of QuiltWorks is, we are intimately involved with Anthropic in terms of Glasswing, and then also OpenAI has their version, called TAC [Trusted Access Cyber]. And we’re the only cyber company that’s been in both of those from the start. We work with these companies very closely. Our customers and partners all called us [because] the models are really good at finding vulnerabilities. But they’re trying to understand what they need to do to be ready for these frontier models running around in the wild.
So all of a sudden, there was a deluge in the last two weeks of demand and interest [around], “What do all these models mean? And are we ready for these models?” So we decided that the right thing to do is actually to unite our ecosystem. That ecosystem is service provider partners, as well as the frontier model companies themselves. Because they don’t have the mind share, they don’t have the partners or the cybersecurity expertise to go do this and start answering these questions that were being asked.
And [we need to] help people understand that we’re going to do more patching in the next six months to 12 months than has ever been done on planet Earth before, because we’re going to find things we’ve never found before. But with all that patching, it’s not like you wave a wand and it happens. You need to make sure that you actually can patch. And there’s a certain chunk of stuff that isn’t going to be able to be patched. But you need compensating controls around it, and to be able to ringfence it, and to know what those things are. So the idea is, if the adversary is now able to find vulnerabilities faster than the defenders or the business, that’s a huge problem, because then those vulnerabilities become exploits.
So [with] QuiltWorks—think of the quilt coming together as the entire ecosystem that we work with. You can see all the names in there—folks like Accenture, IBM Security, EY, Kroll, really focusing on medium enterprises and smaller enterprises. Everybody kind of does their own thing, but they all have one thing in common—they all use the Falcon platform.
I was talking with one of these providers that has a Fortune 100 healthcare firm that they’ve already started doing QuiltWorks on, and they found 45 million vulnerabilities with Spotlight coupled with a couple of the frontier models. It’s not only their applications. It’s really the applications they run in their environment.
So the basis of QuiltWorks is combining the frontier models with CrowdStrike capabilities?
The basis of QuiltWorks is, you need to have an operating system to run your cybersecurity program. That operating system is Falcon. We have vulnerability visibility, and that’s augmented and integrated with all the frontier models.
A customer could bring their own model, or we and our partners have access to a whole host of different models. You’ll notice in the messaging around QuiltWorks, it’s less focused on a particular model. Because what we’re seeing is, the harness actually matters now more than the model. We’re getting to a point where the differences between the models are quite minor. And the weights that you apply to the models and your ability to instrument the models is actually what produces the most value, in a visible manner. So we’re giving everybody a playbook.
[The idea is] to be able to have the right exec-level reporting every week—to show a board and a leadership team, what are the vulnerabilities, what’s been fixed, what’s still left to be fixed, what can’t be fixed and how do we fix it? What kind of tuning do we need to do in the environment? What new products do we need to deploy to be able to both understand risk and then reduce risk, remediate and have the right reporting?
Before it was Patch Tuesday, once a month. Now it’s, “Patch every day, all the time.” That’s what this new world looks like. It’s the Y2K moment of our time in security. And I think every other cybersecurity vendor is sort of sitting and watching this thing unfold. Here at CrowdStrike, we don’t watch things unfold. We unfold them. We solve them, and we actually do something about it.
And I think the bigger question that the market has is, what is the relationship between frontier models and ISVs? And for us, as the operating system of security and also the ecosystem of security, the frontier models that I’ve seen, that have popped out in the last couple weeks, have done one thing: Drive demand. Because they create a much more nuanced view of risk. And what do you do with risk? You have to have the right technologies and the right solutions to be able to see the risk, stop the risk, control the risk. If anything, AI innovation and AI progress necessitates more cybersecurity, not less cybersecurity.
So part of the idea is that people are trying to figure out what to do if they can’t access Mythos? But you’re not leveraging Mythos in what you’re doing here?
Glasswing has all sorts of rules around it, and we abide by those rules. And some others in the program maybe don’t abide by the rules— but we [do]. That’s why we have the participation of everybody, because they trust CrowdStrike.
Whether it’s [Claude] Opus 4.7, whether it’s OpenAI’s latest model, we want customers to use all of the best models—as well as our small language models—to be able to start solving problems. We wanted to shift the conversation [from] “OK, there are these new models. They’re going to one day be in the wild. Some of them already are in the wild.” What does an organization need to do to be ready? Let’s focus on that. Because we have all the answers to that, but we’ve got to do the work.
Everybody’s sitting there worried about the models, wanting to learn about models. I want everybody busy getting ready for the models and benefiting from the models. That’s just our approach at CrowdStrike— let’s go stop the breach. Let’s not watch the breach. I think the whole industry is busy watching breaches and CrowdStrike is busy stopping breaches.
There’s tons more that want to join in [QuiltWorks]. We just couldn’t [include everyone] but we started somewhere—and there’s plenty of room in the crowd, don’t worry. But they all have one thing in common—they all use CrowdStrike. They all use CrowdStrike to solve the problem. They use us to generate the data. They use us to put in the compensating controls. They use us to do the patching. They use us to be that operating system of cybersecurity. They use us for the reporting.
Look at the opportunity for us to play a protagonist role in actually solving the problem for the industry and for the world. And we’ll leave everybody else on the sidelines to watch.
I think a lot of people’s reaction to Glasswing and Mythos is like, “OK, this is definitely going to be helpful for those that have access to it, but there are lots of other companies out there.” You’re addressing that part of it—where there are other companies that want to take action and are trying to figure out how to do it?
Exactly. And to some extent, you don’t need a Mythos right now to take action and start getting ready. It’s been great also to see OpenAI really lean in to being partner-friendly and wanting to solve this problem and help customers solve a problem.
But I think these frontier model labs [are realizing], if you want your tech to be adopted, you need it to be secured. And you need to drive on the roads that have been paved for you, into the hearts and minds of the CISO and of security teams. Because the unlock for AI adoption in the enterprise is security. And what we’ve seen over the last two weeks is a whole different angle of that, where security is now central into the whole AI adoption discussion. Because all of a sudden, these models, by happenstance, became really good at finding vulnerabilities. I don’t think, in 20 years, the industry has really gotten this into vulnerabilities. Because we were kind of at this Pareto efficiency, where the human speed of discovering vulnerabilities was good enough for stopping them. The technologies that were there were good enough for stopping them. Every once in a while, there’d be a big vulnerability. But it’s a lot of work to find a vulnerability. Now it’s not a lot of work.
As far as solution providers go, or whoever is wondering about this— are you looking for more people to be part of QuiltWorks? How is that working?
We’ve seen unbelievable demand since the announcement came out. We worked with a couple of the ones that we just do a lot with. This was sort of a collective idea that we put together in the wake of some of these new models. And we’re going to open it up to a lot more. There’s plenty of work to go around. Every single business is facing this question right now. I haven’t seen anybody else do what we’ve done. It was time for somebody to take the bull by the horns and do something that would benefit people.
