Here's What Glasswing Doesn't Cover — And Why SAP Teams Should Be Paying Attention
Project Glasswing focuses on operating systems, browsers, and open-source software infrastructure — the foundational layer that everything else runs on top of.
SAP runs on top of that layer.
And SAP's attack surface — the one where $500 billion in enterprise transactions flow every day — is an entirely different problem that Glasswing doesn't touch, was never designed to touch, and has no roadmap to touch.
What is Project Glasswing?
On April 7, 2026, Anthropic announced one of the most significant events in cybersecurity history. Project Glasswing is a coalition of twelve of the world's most powerful technology companies — Amazon Web Services, Apple, Microsoft, Google, Cisco, CrowdStrike, NVIDIA, Palo Alto Networks, JPMorganChase, Broadcom, and the Linux Foundation — united around a single mission: use frontier AI to secure the world's most critical software before attackers can weaponize it.
The catalyst was a model called Claude Mythos Preview — an unreleased frontier AI built by Anthropic that turned out to be extraordinarily capable at one very specific, very dangerous skill: finding software vulnerabilities that no human or automated tool had ever found.
Mythos didn't just find old bugs. It found chains — multi-step exploit sequences where individual vulnerabilities, each seemingly minor, combine into a critical attack path. A 16-year-old flaw in FFmpeg survived five million automated test runs before Mythos caught it. A 27-year-old remote crash vulnerability sat undetected in OpenBSD — software trusted by banks, governments, and militaries worldwide.
Mythos was not trained specifically for security. It found these vulnerabilities using general-purpose coding and reasoning intelligence — which means AI has crossed a threshold where it surpasses the best human security researchers at vulnerability discovery. That threshold will not move back.
Why Glasswing Is a Turning Point — Not Just a Press Release
What makes Glasswing different from previous AI security announcements is what Anthropic did after discovering these capabilities. They paused public release. They assembled an emergency coalition. They committed $100M in credits and $4M in direct donations to open-source security organizations.
That's not a product launch. That's a fire alarm.
The implicit message is clear: AI-powered vulnerability discovery is now sophisticated enough that unrestricted public access poses a genuine national security risk. The gap between a vulnerability being discovered and a threat actor weaponizing it — once measured in weeks — is collapsing into hours. Possibly less.
Glasswing solved the finding problem. Nobody solved the problem of fixing. This is the structural issue the cybersecurity industry has been circling for years. AI just made it impossible to ignore.
The most critical insight from the Glasswing coverage isn't about Mythos. It's about the organizations that will receive thousands of new vulnerability findings and have no infrastructure to process them. Security programs built around annual pentests, quarterly scans, and CVSS-based prioritization were designed for a world where vulnerabilities trickled in. That world is gone.
The SAP Layer — What No One in the Glasswing Coalition Is Watching
SAP vulnerabilities are not CVEs. They live in authorization objects, role assignments, SoD conflicts, RFC connections, background jobs, ABAP code, and misconfigured system parameters. None of these get a CVSS score. None appear on any Glasswing partner's radar.
The SAP Security Attack Surface Glasswing Ignores
Let's be specific. When SAP systems are compromised, it rarely happens through a buffer overflow or a kernel exploit. It happens through these vectors:
| Attack Vector | How It Works | Glasswing Coverage |
|---|---|---|
| Privilege escalation via roles | Users accumulate sensitive tcodes (SE16, SM30, SU01) through role assignments over time | None |
| SoD conflicts | A single user holds Create Vendor + Approve Payment — a direct fraud path | None |
| RFC trust abuse | Trusted RFC connections between systems allow lateral movement without re-authentication | None |
| ABAP backdoors | Custom Z-programs with missing authorization checks (AUTHORITY-CHECK) bypass SAP's security model entirely | None |
| Firefighter abuse | Emergency privileged access used outside incident scope, without controller review | None |
| Dormant privileged accounts | Service accounts or former employees retaining access to sensitive transactions | None |
| System parameter misconfigs | login/min_password_lng, auth/no_check_in_some_cases — parameters that silently disable security | None |
| Audit log gaps | SM20 not configured for sensitive transactions — giving attackers an unmonitored window | None |
Every item in that table is an actual, documented attack vector in SAP environments. Each one has led to real fraud, real regulatory findings, and real financial losses. None of them will ever appear in a Glasswing report.
The Structural Problem: SAP Security Is Still Manual
While Glasswing accelerates infrastructure-level vulnerability discovery to machine speed, SAP security at most mid-market enterprises is still operating on human speed:
Annual User Access Reviews conducted via spreadsheet. Quarterly SoD reports generated from GRC tools and reviewed by auditors. Periodic vulnerability scans that check known CVEs against SAP kernel versions. Firefighter log reviews that happen days or weeks after the access was used. Role design managed through tickets and Excel.
This was already a problem before Glasswing. The Glasswing moment makes it existential — because it demonstrates clearly that the broader threat environment is now operating at AI speed. If your SAP authorizations are being reviewed quarterly, but threats are operating hourly, you have a structural gap that no new infrastructure-level tool closes.
Glasswing will patch the OS your SAP runs on. It will not tell you that JOHN.SMITH has S_TCODE access to SE16 and SU01, hasn't been reviewed in 18 months, and left the company six weeks ago. That's the finding that costs you.
What AI-Native SAP Security Looks Like
The lesson from Glasswing isn't "AI is coming for SAP security eventually." The lesson is that continuous, AI-powered security intelligence is now the baseline standard — and organizations that haven't applied that standard to their SAP layer are carrying unquantified risk.
What does AI-native SAP security actually deliver? It means your authorization landscape is being analyzed continuously, not quarterly. It means SoD conflicts are surfaced and prioritized by business risk — not by rule count. It means every ABAP program is scanned for missing authorization checks before it reaches production. It means Firefighter session logs are reviewed automatically, matched against open incidents, and escalated when usage falls outside the approved scope. It means when a user's role assignment drifts from their peer group baseline, that drift is detected in days — not discovered during a SOX audit six months later.
It also means your security team stops spending 60% of their time on report generation and starts spending their time on decisions.
How AI-Native SAP Security Raises the Bar
The Glasswing moment signals that AI-powered, continuous analysis is now the minimum standard for security — not just for infrastructure, but for every layer of the enterprise stack. Here's what that standard looks like when applied to SAP:
| SAP Security Domain | Current State at Most Enterprises | AI-Native Approach (SyntaAI) |
|---|---|---|
| Vulnerability scanning | Periodic scans, manual review cycles | Continuous, AI-reasoned, context-aware |
| SoD analysis | Rule count output, auditor-driven review | Business risk prioritization, remediation paths |
| ABAP code security | Reviewed during audits or not at all | AI-powered authorization check analysis at transport |
| User access review | Annual or semi-annual, spreadsheet-driven | Continuous behavioral drift detection |
| Firefighter oversight | Log download and manual controller review | Real-time monitoring, automated controller escalation |
| Audit readiness | Weeks of evidence gathering before audits | Always-on, automated ITGC evidence collection |
What This Means for SAP Security Leaders
Project Glasswing is a signal, not a solution — at least not for SAP teams. The signal is clear: the security industry has crossed a threshold where AI-powered, continuous analysis is no longer a competitive advantage. It's table stakes.
For SAP BASIS leads, Security managers, IT Risk heads, and CISOs running SAP landscapes, the questions to ask right now are not "how do we respond to Glasswing?" They are:
Are we doing User Access Reviews continuously or annually? Annual is no longer defensible when your threat environment operates at machine speed.
Do we know which ABAP programs in production are missing AUTHORITY-CHECK? If the answer is "we'd need to check," that's the answer.
Can we produce Firefighter log evidence for an auditor in under an hour? If not, you're one audit request away from a finding.
Is our SoD analysis telling us what's risky or what's technically conflicted? The difference is the difference between a useful tool and a noise generator.
Glasswing covers the CVE layer. SAP has one. But the authorization layer — role assignments, SoD conflicts, Firefighter abuse, RFC trust — that's the attack surface no patch Tuesday will ever close.
Conclusion
Project Glasswing is genuinely important. The coalition Anthropic assembled, the capabilities Mythos demonstrated, and the institutional response it has triggered represent a real shift in how the industry thinks about AI and security.
But for organizations running SAP — and the hundreds of billions of dollars in financial transactions, HR data, supply chain decisions, and regulatory-sensitive processes that run through those systems — Glasswing is patching a different floor of the building.
The SAP authorization layer, the role design layer, the custom code layer, the access governance layer: these have always required specialized intelligence to secure properly. What's changed is that AI makes it possible to apply that intelligence continuously, at scale, without a team of expensive consultants.
That's not a future state. That's available now.
See What SyntaAI Finds in Your SAP
AI-native SAP security. 1,400+ controls. Continuous intelligence. No expensive consulting overhead.
Request a Demo