Anthropic Endorses EPSS for Vulnerability Triage as 120-Plus Vendors Already Embed the Model

2 articles · Updated · O'Reilly Media · Jun 4

Summary

  • Anthropic’s April security-operations guide tells teams to patch CISA’s known exploited flaws first, then “use EPSS to prioritize the rest” — a rare public endorsement of a non-LLM defensive model by a frontier AI lab.
  • EPSS estimates the probability a CVE will be exploited within 30 days, addressing a backlog problem that has grown from hundreds of thousands of findings in 2015 to millions in cloud environments by 2020.
  • Anthropic argues static CVSS severity scores cannot handle the next wave of flaws, warning its upcoming Mythos model could drive an order-of-magnitude increase in findings over the next 24 months.
  • More than 120 vendors already embed EPSS, but Anthropic’s backing gives CISOs cover to shift SLAs, board metrics and audit conversations from severity buckets toward exploitability-based prioritization.
  • The report says EPSS is only a global baseline: the bigger long-term challenge is building local, context-rich models that factor in asset exposure, controls and telemetry to judge actual enterprise risk.
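The triage order the summary describes (CISA KEV first, then EPSS for everything else, with CVSS no longer driving the queue) as a worked example. This is an added illustration, not code from the report, Anthropic, FIRST or CISA. The EPSS rows are constructed in the column layout of FIRST's daily CSV export (a leading `#` comment line, then `cve,epss,percentile`); the CVE identifiers, scores and KEV membership are invented for the example, and the SLA thresholds in `sla_days` are this example's own assumptions, not a policy from the page.

```python
"""Vulnerability triage: KEV first, then EPSS, CVSS only as a tiebreaker.

Added example (not the report's, Anthropic's, FIRST's or CISA's code).
All findings below are constructed sample data; the EPSS/CVSS values and
KEV membership are illustrative and not real scores for these CVE ids.
"""
import csv
from dataclasses import dataclass

# Constructed sample in the layout of FIRST's EPSS CSV export: an optional
# '#' metadata line, then a 'cve,epss,percentile' header. Values are invented.
SAMPLE_EPSS_CSV = """#model_version:example,score_date:example
cve,epss,percentile
CVE-2024-0001,0.00042,0.11
CVE-2024-0002,0.93100,0.99
CVE-2024-0003,0.00880,0.61
CVE-2024-0004,0.31200,0.97
CVE-2024-0005,0.00130,0.35
"""

# Constructed: sample CVEs that appear in CISA's KEV catalog.
SAMPLE_KEV = {"CVE-2024-0003"}

# Constructed: CVSS base scores as a hypothetical scanner would export them.
SAMPLE_CVSS = {
    "CVE-2024-0001": 9.8,
    "CVE-2024-0002": 7.5,
    "CVE-2024-0003": 6.5,
    "CVE-2024-0004": 8.1,
    "CVE-2024-0005": 9.1,
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float        # probability of exploitation activity in the next 30 days
    percentile: float  # fraction of all scored CVEs with a lower EPSS
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog


def load_epss(csv_text: str) -> dict:
    """Parse the EPSS CSV layout into {cve: (epss, percentile)}, skipping '#' lines."""
    rows = [line for line in csv_text.splitlines() if not line.startswith("#")]
    reader = csv.DictReader(rows)
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in reader}


def build_findings(cvss: dict, epss_table: dict, kev: set) -> list:
    findings = []
    for cve, score in cvss.items():
        # A CVE too new to be scored gets EPSS 0.0: it sorts last within its
        # tier unless KEV says it is already being exploited.
        epss, pct = epss_table.get(cve, (0.0, 0.0))
        findings.append(Finding(cve, score, epss, pct, cve in kev))
    return findings


def cvss_order(findings: list) -> list:
    """Legacy queue: highest CVSS base score first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def kev_then_epss_order(findings: list) -> list:
    """KEV entries first, then descending EPSS; CVSS only breaks ties."""
    key = lambda f: (f.in_kev, f.epss, f.cvss)
    return [f.cve for f in sorted(findings, key=key, reverse=True)]


def top_n(order_fn, findings: list, n: int) -> list:
    by_cve = {f.cve: f for f in findings}
    return [by_cve[c] for c in order_fn(findings)[:n]]


def expected_exploitations(findings: list) -> float:
    """Expected number of these CVEs with exploitation activity in 30 days.
    By linearity of expectation this is the sum of the EPSS probabilities;
    no independence assumption is needed for the mean."""
    return sum(f.epss for f in findings)


def sla_days(f: Finding) -> int:
    """Hypothetical remediation SLA keyed to exploitability. The thresholds are
    this example's assumptions, not a recommendation from the page or FIRST."""
    if f.in_kev:
        return 0      # known exploited: emergency change
    if f.epss >= 0.10:
        return 7
    if f.epss >= 0.01:
        return 30
    return 90


if __name__ == "__main__":
    fs = build_findings(SAMPLE_CVSS, load_epss(SAMPLE_EPSS_CSV), SAMPLE_KEV)
    for name, fn in (("CVSS only", cvss_order), ("KEV then EPSS", kev_then_epss_order)):
        top2 = top_n(fn, fs, 2)
        print(f"{name:14s} top-2: {[f.cve for f in top2]}  "
              f"expected exploited among them: {expected_exploitations(top2):.4f}")
    for f in sorted(fs, key=lambda f: (f.in_kev, f.epss), reverse=True):
        print(f"{f.cve}  cvss={f.cvss}  epss={f.epss:.5f}  kev={f.in_kev}  sla={sla_days(f)}d")
```

With the constructed data, patching the two highest-CVSS findings covers an expected 0.0017 exploitations, while patching the KEV entry plus the highest-EPSS CVE covers about 0.94. The CVSS 9.8 finding lands in the 90-day bucket, which is the shift in SLAs the summary is describing.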

Insights

Is EPSS's 30-day forecast obsolete in an age of AI exploits weaponized in minutes?
If AI finds flaws faster than humans can patch, is manual vulnerability management officially over?
How can defenders build 'local knowing machines' to fight the AI-driven vulnerability tsunami?

Surviving the AI-Driven Vulnerability Flood: EPSS, Anthropic’s Project Glasswing, and the Future of Cybersecurity Triage

Overview

In early 2026, rapid advancements in artificial intelligence, especially Anthropic's Claude Mythos Preview, began to transform cybersecurity by uncovering an unprecedented number of vulnerabilities. This surge in discoveries exposed the urgent need for more efficient and predictive ways to prioritize and address security flaws. In response, Anthropic launched Project Glasswing in May 2026, bringing together about 50 partners to secure the world’s most critical software infrastructure before advanced AI could be misused. This collaborative effort marks a significant shift in how the industry manages vulnerabilities, emphasizing proactive defense and industry-wide cooperation.

...