TL;DR: Anthropic says Project Glasswing, built around Claude Mythos Preview, found thousands of previously unknown zero-day vulnerabilities across major operating systems and browsers, including an OpenBSD bug reportedly missed for 27 years. Continuous AI-assisted testing is becoming a practical way to shift security earlier in the development lifecycle, but judgment and context still decide what gets fixed first.
NHIMG editorial — based on content published by Orca Security: Why AI-driven security testing in the development lifecycle could help teams reduce noise, deploy faster, and build safer software
Questions worth separating out
Q: How should security teams use AI-driven testing in the development lifecycle?
A: Security teams should place AI-driven testing inside normal development workflows so findings arrive before production, not after release.
Q: Why does earlier vulnerability discovery matter for release risk?
A: Earlier discovery matters because the cost and disruption of fixing a weakness rise as software moves closer to production.
Q: What do organisations get wrong about AI-assisted security testing?
A: A common mistake is treating better detection as a substitute for governance.
Practitioner guidance
- Embed security testing into delivery workflows: run vulnerability analysis during design, implementation, and release preparation instead of waiting for the final checkpoint.
- Govern the identities behind testing tools: inventory the service accounts, tokens, and API keys used by scanners, analysis agents, and remediation integrations.
- Separate detection from decision authority: allow automated discovery to surface findings quickly, but require explicit policy for what can be auto-remediated, what needs review, and what must stop the pipeline.
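An added illustration of the last two points (example code, not Orca Security's or NHIMG's; the finding fields, severity labels and sample data are assumptions): scanners only report, duplicates across tools are collapsed to cut noise, and a separate policy function decides which findings are auto-remediated, reviewed, or stop the build.

```python
# Added example: detection (scanner output) kept separate from decision
# authority (an explicit policy). Finding schema is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    tool: str           # scanner or analysis agent that reported it
    rule_id: str        # e.g. a CWE or scanner rule identifier
    path: str
    line: int
    severity: str       # "critical" | "high" | "medium" | "low" | other
    fix_verified: bool  # a remediation exists and passed the tool's check

AUTO_FIX, REVIEW, BLOCK = "auto_remediate", "needs_review", "stop_pipeline"

def dedupe(findings):
    """Collapse the same weakness reported by several tools into one item,
    keyed on (rule_id, path, line), so reviewers see one entry per issue."""
    seen = {}
    for f in findings:
        seen.setdefault((f.rule_id, f.path, f.line), f)
    return list(seen.values())

def decide(f: Finding) -> str:
    """The policy. A scanner never chooses its own action; this function does."""
    sev = f.severity.lower()
    if sev == "critical":
        return BLOCK                                   # always stops the build
    if sev == "high":
        return REVIEW if f.fix_verified else BLOCK     # a verified fix still needs a human
    if sev in ("medium", "low"):
        return AUTO_FIX if f.fix_verified else REVIEW
    return REVIEW                                      # unknown severity fails closed

def gate(findings):
    """Return (pipeline_passes, {action: [findings]}) for one build."""
    buckets = {AUTO_FIX: [], REVIEW: [], BLOCK: []}
    for f in dedupe(findings):
        buckets[decide(f)].append(f)
    return (len(buckets[BLOCK]) == 0, buckets)

# Constructed sample: two scanners report the same high-severity issue.
SAMPLE = [
    Finding("sast-a", "CWE-89", "app/db.py", 42, "high", False),
    Finding("sast-b", "CWE-89", "app/db.py", 42, "high", False),
    Finding("deps", "DEP-EXAMPLE-1", "requirements.txt", 7, "medium", True),
    Finding("agent", "custom-rule", "app/auth.py", 10, "unknown", True),
]

if __name__ == "__main__":
    passes, buckets = gate(SAMPLE)
    print("pipeline passes:", passes, {k: len(v) for k, v in buckets.items()})
```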
What's in the full article
Orca Security's full blog post covers the operational detail this post intentionally leaves for the source:
- How the development lifecycle changes when AI-assisted testing is embedded before deployment
- Why the article argues that continuous investigation reduces downstream security noise
- Where the author sees the balance between automation and human judgment in secure delivery
- What this approach means for teams trying to move faster without weakening assurance
Read Orca Security's analysis of AI-driven security testing in the development lifecycle: "AI-driven security testing in the SDLC: are teams ready?"