Rubrik just joined a select Anthropic security program. The headline is not the real story. What it tells us about where cyber risk is heading, and why protecting and recovering your data now matters more than ever, is what every executive should be watching.
This week, Rubrik announced it had been granted access to Anthropic's Claude Mythos Research Preview as part of Project Glasswing, a program Anthropic opens only to invited organizations that build critical software. Rubrik is using this frontier AI defensively, pointing it at its own platform to find and fix vulnerabilities before anyone else can.
Key Takeaways
|
It is easy to read that as routine vendor news. It is not. It is one of the clearest signs yet of a change that will shape business risk for years to come. The question every leadership team should ask is not "what did Rubrik announce," but "what does a company like Rubrik see coming that made this worth doing?"
Here is what they see…
For most of the history of business security, time was on the defender's side. A flaw in some software would be made public, and companies had weeks, often months, to test and apply a fix before attackers got around to using it. That head start was the basis of almost every patching plan in existence.
That head start is gone.
Researchers at Flashpoint found that the average time between a flaw being disclosed and its first real attack dropped from about 745 days in 2020 to roughly 44 days in 2025. Other 2025 studies put the typical window at just a few days, with many attacks landing within a day of a flaw going public. Rapid7's 2026 threat report said attacks that used to take weeks now take days, and sometimes minutes, and that confirmed attacks on newly disclosed serious flaws more than doubled in a single year.
Now compare that with how fast defenders move. According to Verizon's 2026 Data Breach Investigations Report, the time it takes a typical company to fix a critical flaw did not get better last year. It got worse, rising from 32 days to 43. So here is the picture: attackers now work in hours, while most companies still work in weeks.
What changed? AI. The same tool that lets a computer read through code and spot a serious flaw in minutes works just as well for whoever is holding it. Anthropic's own Project Glasswing shows this plainly. In just a few weeks, about fifty partner companies used Claude Mythos to find more than ten thousand serious flaws in the world's most important software. Anthropic is now growing the program toward two hundred companies, and has said this kind of AI will reach all of its customers soon.
Read that again. The power to find serious flaws at machine speed is about to be widely available. To defenders, and to attackers.
This is the hard truth in the numbers, and it is the one Rubrik's move quietly accepts. When attacks can show up faster than fixes can be built, tested, and rolled out, no company can patch its way to safety. Some flaws will be used against you before there is even a fix to apply. The gap between "flaw found" and "flaw fixed" is no longer a small problem to shrink. It is the new normal you have to plan around.
That does not make prevention useless. It makes prevention not enough on its own. A plan built only on keeping attackers out assumes you will always be faster than the threat. In 2026, that is no longer a safe bet for anyone.
So the real question changes. It is no longer just "how do we stop every attack." It becomes "when something gets through, how fast and how completely can we get back on our feet?" And when you follow that question all the way down, it lands on one thing: your data.
Strip away the technical details and almost every attack has the same goal. Lock up your data and demand a ransom. Steal it and sell it. Quietly change it so you can no longer trust it. Your data is what the business runs on, and it is what attackers are really after.
That is why protecting and recovering data sits at the center of staying resilient. Keeping attackers out is the first line of defense. Being able to get your data back, clean and fast, is the line that saves you when the first one fails.
In practice, strong data protection comes down to a few simple ideas. Keep backup copies of your important data that attackers cannot reach or change, even if they get inside. Make sure those copies are recent and complete. And most importantly, test that you can actually restore from them quickly, before a real crisis rather than during one. A backup you have never tested is a promise you have not kept.
This is also why Rubrik joining Project Glasswing is worth a second look. Rubrik's whole business is protecting and recovering data. When a company like that turns the most advanced AI available onto its own software, it is telling you where it thinks the risk is going. The vendor you would count on to recover your data is working to make itself harder to attack in the first place.
For executives, this is less a tech problem than a strategy problem. A few moves matter most.
Ask for recovery numbers, not just prevention numbers. Most security updates focus on what was blocked. That is helpful, but it does not tell you whether you can recover. Start asking simple questions. If we were hit today, how fast could we get critical systems and data back? Do we know our backups are clean and safe? Have we actually tested it?
Plan as if a breach will happen, and fund recovery before you need it. This is not being negative. It is just the math. The companies that come through the next few years in good shape are the ones that built fast, trusted recovery ahead of time, not the ones building it in the middle of an attack.
Hold your vendors to a higher standard. Rubrik joining Project Glasswing sets a new bar. It is fair to ask any company that holds your data or runs your key systems a plain question: what are you doing to protect your own software against AI-driven attacks? Strong answers will start to sound like Rubrik's. Weak answers should give you pause.
Treat resilience as something you practice, not something you buy. Tools help, but they are not the whole answer. Being resilient is something a company works at and tests, the same way a team trains for conditions it hopes never to face. Buying the product is the easy part. Making sure recovery is fast and certain when it counts is the real work.
The companies that come out of this shift strongest will not be the ones with the most security tools. They will be the ones that accepted, early, that they cannot stop every attack, and made sure they could protect their data and recover fast when one gets through.
Rubrik reading the landscape and acting on it is a useful sign. The bigger question is whether your own company is reading the same landscape. At Arctiq, this is the conversation we are having with leadership teams now: not how to chase a shrinking patch window, but how to protect your data and build the kind of recovery that makes that window matter far less.
The ground is shifting fast. The companies that prepare for it, instead of reacting to it, are the ones still standing when the conditions turn.
How prepared is your organization to recover from a cyberattack? As a leading Rubrik and data protection partner, connect with Arctiq to assess your cyber resilience strategy, validate recovery capabilities, and ensure your data remains protected in an AI-accelerated threat landscape.