On April 7th, Anthropic unveiled something that should be on every business owner's radar.

The company launched Project Glasswing — a specialized AI model built exclusively for cybersecurity — and its first significant result stopped a lot of people cold. In early testing, the model identified security problems in every major operating system and web browser it scanned.

Every. Single. One.

This isn't a theoretical warning about AI's future potential. This is a research result that landed yesterday, and it has concrete implications for any NYC business that runs on software — which, at this point, means every business.

Traditional cybersecurity works like this: a team of human researchers or paid "white hat" hackers methodically probe software for vulnerabilities. It's slow, expensive, and limited by how many hours humans can work.

Glasswing runs continuously. It doesn't need sleep, doesn't get fatigued, and can analyze code at a scale no human team can match.

Anthropic built the model in partnership with major tech companies and positioned it as a tool for defensive security — finding holes so they can be patched before bad actors find the same holes and exploit them. The model is being kept under controlled access specifically because Anthropic is worried about the flip side: a powerful enough AI that knows where all the vulnerabilities are could theoretically be weaponized.

That's why the company restricted the rollout and is only letting select partners — Apple and Amazon among them — test the more powerful "Mythos" version under tight conditions.

The finding itself — vulnerabilities in every major OS and browser — isn't shocking to security professionals. Serious software has bugs. The shocking part is that an AI found them all at once, systematically, in a timeframe no human team could replicate.

Let's cut to what this actually means if you own a restaurant in Astoria, a law firm in Midtown, a retail shop in Flatbush, or a construction company based out of Queens.

Your devices are running vulnerable software. Today. Not someday. Now. The OS on your MacBook, your Windows PC, your Android phone — all of them have known and unknown vulnerabilities that patches haven't fully addressed yet. Glasswing just made a very compelling case that the attack surface is larger than most people assumed.

The patch cycle matters more than ever. When Microsoft, Apple, or Google push a security update, they're often quietly fixing exactly the kind of vulnerabilities Glasswing identified. The people who get hit are the ones who click "remind me tomorrow" for six weeks and never install it. Stop doing that.

AI-powered attacks are already here. Glasswing is a defensive AI. But the same underlying capability — large models scanning software for exploitable weaknesses — is available to offensive actors. State-sponsored hackers and criminal groups are already using AI to automate vulnerability scanning. The asymmetry between defender and attacker is closing, fast.

Small businesses are disproportionately targeted. This surprises a lot of people. NYC small business owners often assume they're too small to be worth attacking. Wrong. Exactly the opposite is true: you're a softer target than a corporation with a dedicated IT security team, and attackers know it. Ransomware gangs specifically build tools to sweep small business networks because the defenses are weaker.

None of this requires a $50,000 IT contract. Here's what actually moves the needle:

1. Turn on automatic updates — everywhere.
Your OS, your browsers, your productivity software. Every major platform has an auto-update option. Turn it on for all of them. Updates exist specifically to patch the kind of vulnerabilities Glasswing is finding. If you're not installing them, you're leaving doors unlocked.

2. Audit who has access to what.
One of the most common attack vectors against small businesses isn't a sophisticated zero-day exploit — it's a former employee whose account was never deactivated, or a team member with admin access who doesn't need it. Do a 30-minute audit: who can log into your business tools, and should they still have that access?

3. Enable multi-factor authentication on everything that matters.
Your email. Your accounting software. Your cloud storage. Your payroll system. If an attacker gets a password — through phishing, a data breach at a third party, or brute force — MFA is the last line of defense. It stops the overwhelming majority of account takeover attempts cold.

4. Know what you'd do if you got hit.
Ransomware incidents in NYC have hit medical practices, law offices, construction firms, and restaurants. The businesses that recover quickly are the ones with current backups stored somewhere the ransomware can't reach. Set up an automated backup to an external drive or a cloud service that maintains version history. Test it. Make sure it actually works before you need it.

Glasswing is notable not just for what it found, but for what it represents. AI is being applied to cybersecurity at scale — and it's happening faster than the regulatory and defensive infrastructure can keep up.

Anthropic's decision to restrict Mythos (the more powerful version) is a signal worth paying attention to. This is a company that built a model capable enough to find system-level vulnerabilities in every major platform — and immediately decided it was too dangerous to release broadly. That's a responsible call. It's also a window into where this technology is going.

Within 18 to 24 months, AI-assisted vulnerability scanning will be standard in both offensive and defensive security toolkits. The businesses that have basic hygiene in place — patches current, MFA enabled, backups running, access controls audited — will weather that environment. The ones that don't will get hit.

For NYC small business owners, the good news is that basic hygiene actually handles the majority of real-world attacks. You don't need enterprise-grade security infrastructure. You need consistent fundamentals, applied consistently.

Of the vulnerabilities Glasswing identified, browsers are among the most significant. Browsers are complex, they run code from arbitrary websites, and they're updated constantly for exactly that reason. Chrome, Firefox, Safari, Edge — check your browser version right now. If you're more than one major version behind, you're running known vulnerabilities.

This is a 30-second fix. Open your browser settings, check for updates, and install them. Do it on every device in your business. Then put a monthly reminder on your calendar to check again.

The AI found the holes. Now you just have to close yours.

The Metro Intel covers local business and real estate news across all five NYC boroughs. If this was useful, forward it to a business owner who needs to hear it.