Post cover image

June 6, 2026

Security is not a Feature. It is the Foundation.

What changes for tech founders now that AI can find ten thousand vulnerabilities in a month.

Genevieve Richards

5 min read

There is a version of this conversation that gets filed under "enterprise IT concerns." Compliance checklists. SOC 2 audits. The stuff you deal with later, after you have product-market fit, after you have traction, after you have a reason to care.

That conversation is over.

Anthropic published something quietly significant on May 2026. Their Project Glasswing initiative, running for just over a month, has used a frontier AI model called Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities across some of the most important software in the world. Cloudflare found 2,000 bugs in its critical systems. Mozilla found 271 vulnerabilities in Firefox in the same scanning cycle that previously surfaced a fraction of that. The UK's AI Security Institute reported that Mythos Preview is the first model to solve both of their cyber range simulations end to end.

The finding that should stop founders cold is not the volume. It is this: the bottleneck in software security is no longer finding vulnerabilities. It is patching them fast enough. Some open-source maintainers have already asked Anthropic to slow down its disclosure rate because they cannot keep up.

AI has fundamentally changed the economics of discovering flaws in software. Models as capable as Mythos Preview will not stay exclusive to Anthropic's partners for long. When they are more broadly available, the cost of finding and exploiting a vulnerability in your product drops dramatically. What was once the domain of well-funded threat actors becomes accessible to almost anyone with an API key and bad intent.

If you are building a SaaS product right now and security is still on the roadmap somewhere after Series A, you are building on borrowed time.

None

The old mental model does not hold.

Founders have historically thought about security in phases. You ship fast, you validate, you grow, and then at some point, usually when a large enterprise buyer asks for a penetration test or a CISO flags something, you invest in security properly. It felt rational. Resources are scarce. Speed matters. Security is expensive and slows you down.

That logic was always questionable. Now it is indefensible.

The issue is not just that attackers have better tools. It is that the tools finding vulnerabilities are now the same tools being used to build software. Every open-source package you depend on, every third-party library you imported without scrutiny, every API endpoint you exposed to get to demo-ready — all of it is now scannable at scale by any motivated adversary, at a cost that keeps falling.

And the open-source finding from Project Glasswing deserves particular attention for founders. Of the more than 1,000 open-source projects scanned, Mythos Preview estimated over 6,000 high- or critical-severity vulnerabilities, with a 90.6% true positive rate after independent verification. If your stack sits on top of common open-source libraries — and it does, because all modern software does, you are downstream of whatever those maintainers are scrambling to patch right now. You did not write that code. You did not introduce that vulnerability. But it is in your product.

What security-by-design actually means in practice.

Security by design is not a philosophy. It is a set of decisions you make before you write the first line of code, and then consistently thereafter.

It starts with your dependency choices. The instinct at early stage is to move fast and grab whatever library solves the immediate problem. The discipline is to treat every dependency as a surface you are adopting into your product. Pin your versions. Set up automated scanning. Know what is in your stack and why.

It continues with your architecture. How data flows through your system, where it is stored, what is exposed externally, how authentication is handled. These are not implementation details to be cleaned up later. They are structural decisions that become increasingly expensive to change the longer you leave them. An authentication layer bolted on after six months of building looks different from one that was a design constraint from week one.

It extends to your team's habits. Code review practices that flag obvious security issues. A default posture of least privilege. Secrets management that does not involve environment variables checked into a repository. None of this is sophisticated or expensive. All of it compounds into a significantly more defensible product.

And it covers your incident posture. What happens when something goes wrong? Do you know? Have you thought about it? Most early-stage products have no answer to this question. The ones that do move faster when it matters, and they lose less.

None

The commercial argument, if you still need one.

Security is no longer a niche concern at the enterprise tier. Gartner Digital Markets' 2024 research found that security is the second most important factor in software purchasing decisions, sitting just below price and that this focus is most pronounced among enterprise and midsize business buyers. A separate March 2026 survey of 301 founders and technical leaders by Zip found that 74.1% of companies have already been required to demonstrate specific security controls in order to close a deal. The same research noted that the bar has shifted from policy documentation to active proof.

The cost of getting this wrong is not abstract. Verizon's 2025 Data Breach Investigations Report found that 30% of breaches in 2024 involved a third-party vendor double the rate from the prior year. IBM's 2025 Cost of a Data Breach Report put the average cost of a third-party or supply chain compromise at $4.91 million per incident.

For founders, the practical implication is this. Security posture is now part of the sales or GTM conversation, and being unprepared for it stalls deals. The founder who has documentation ready, a clear account of their patch cycle, how third-party dependencies are managed and what their incident response process looks like is not at a disadvantage relative to larger competitors. They are at an advantage relative to other early-stage products that treat security as something to formalise later.

None

What to do this week.

Anthropic has released Claude Security in public beta for Enterprise customers, and a CVE dashboard tracking the open-source vulnerabilities being disclosed. These are not hypothetical tools for future use. They are available now.

If you are building on a modern JavaScript or Python stack, run a dependency audit this week. Not as a quarterly exercise. This week. Know what is outdated. Know what has known CVEs. Set up automated alerts so you are not finding out from your users.

Shorten whatever your current patch cycle is. The assumption that you have ninety days before an unpatched vulnerability becomes a live risk is less reliable than it was. The discovery-to-exploit timeline is compressing.

And if you are writing architecture documents or investor materials that describe how your product handles data, make security an explicit section. Not the security page on your marketing site. An honest, specific description of your approach on how dependencies are managed, how access is controlled, what your incident response looks like.

The founders who will navigate this well are not the ones who hire a security consultant before their Series B. They are the ones who decided, at the beginning, that security was part of what they were building.

The model already changed. The question is whether your build process has.