Private Equity | 7 min read | Published on 2026-04-07

Project Glasswing and Private Equity: how AI is reshaping technological risk

Anthropic's Project Glasswing found critical vulnerabilities in every major operating system. For PE funds, this reshapes technological risk in portfolio companies and changes the approach to tech due diligence.

In a nutshell

Claude Mythos found critical flaws in Linux, OpenBSD, FreeBSD and FFmpeg — almost all still open at the time of publication. For PE funds, this means tech risk in portfolio companies needs reassessment: AI can help find these vulnerabilities during due diligence.

Every major operating system has undiscovered critical vulnerabilities

This is not a theoretical hypothesis. It is the result of research conducted by Anthropic in recent weeks.

Claude Mythos — Anthropic's frontier model — found a vulnerability in the Linux kernel that allows a regular user to take complete control of the system. A flaw in FreeBSD classified as Remote Code Execution. A bug in OpenBSD that had been there for 27 years. A bug in FFmpeg that survived five million automated tests for 16 years.

At the time the report was published, over 99% of the vulnerabilities found were still open.

The point is not the technology. The point is the premise on which almost all tech due diligence in Private Equity is based: that the software used by portfolio companies is reasonably safe if it is widely used, kept updated, and free of known CVEs. This premise is fragile.

What this means for those investing in technology-dependent companies

Almost every company in 2026 is technology-dependent, even if it is not a tech company. ERP, CRM, production system, cloud infrastructure, e-commerce site — if any of these stops or is compromised, EBITDA suffers.

Traditional tech due diligence looks for three things: that systems work, that they are scalable, and that they have no obvious technical debt. It is a correct but incomplete assessment. It does not measure exposure to unknown risks — exactly the category that Project Glasswing has shown to be significant even in the world's most mature and reviewed software.

For a PE fund, this translates into a concrete question: if we invest in a company with a proprietary codebase developed internally over the last ten years, what is the probability that it contains undiscovered critical vulnerabilities? The honest answer, in light of Anthropic's data, is very high.

How tech due diligence is changing

The problem with current tech due diligence is not the competence of those doing it — it is scale. A team of 3-4 people in 4 weeks can analyze architecture, code quality, documentation. They cannot do systematic vulnerability research on 500,000 lines of proprietary code.

AI changes this equation.

Claude can analyze entire codebases looking for known vulnerability categories: unsanitized input handling, use of libraries with open CVEs, risky authentication configurations. It is not equivalent to a full penetration test, but it is an order of magnitude more scalable.

The practical result is that during due diligence it is now possible to obtain a technology risk map that includes not just visible technical debt, but also categories of security risk that were traditionally ignored due to lack of time.

For teams already using Claude for document due diligence, adding a security analysis dimension is a natural extension of the existing workflow.

AI to accelerate DD and portfolio monitoring

AI-enhanced tech due diligence does not end at the pre-closing stage. The value extends throughout the entire investment lifecycle.

During due diligence, Claude can analyze the target's proprietary codebase, map third-party library dependencies, and assess the maturity of the development team's security practices.

Post-closing, technological risk monitoring can be partially automated. Claude can periodically analyze security logs, monitor the emergence of new CVEs impacting the libraries used, and produce status reports for the management team.

Integration with existing systems — via MCP — allows Claude to access portfolio company data in a structured way without requiring manual information transfers.

The reputational and operational risk that is often underestimated

A security incident in a portfolio company is not just an operational problem. It has broader implications.

On the regulatory front, NIS2 — now in force in Europe — imposes significant obligations on companies in critical sectors. A non-compliant portfolio company exposes the fund to risks that do not always surface in standard due diligence.

On the exit front, a buyer doing post-incident due diligence will find the problem and use it as a negotiating lever on price. Resolving the problem before the exit — even partially — improves the quality of the process.

The considerations on AI due diligence in PE apply here too: AI does not eliminate risk, but it lowers the cost of identifying it before it becomes a problem.

How Maverick AI works with Private Equity funds

Maverick AI is the reference implementation partner in Italy for the Anthropic ecosystem. We work with PE funds on two main fronts.

In tech due diligence, we support deal teams in building Claude workflows for analyzing target codebases, identifying risky dependencies, and producing security risk reports that can be integrated into standard investment memos.

In portfolio monitoring, we help build systems for supervising technological risk in portfolio companies that integrate with existing reporting processes.

We have active clients in M&A advisory and a pipeline in PE. If you are reassessing tech risk in your portfolio companies or want to understand how to integrate Claude into due diligence, contact us.

Reassessing tech risk in your portfolio companies?

Maverick AI works with PE funds and M&A advisory firms in Italy and the UK to integrate Claude into tech due diligence and portfolio monitoring. If you're reassessing tech risk in your portfolio companies, get in touch.

Frequently Asked Questions

It is relevant for any company that uses software — which means practically all of them. The vulnerabilities found by Claude Mythos are in operating systems, libraries, and infrastructure components that underlie every modern technology stack. A manufacturing company with an ERP, a service company with an internally-developed CRM — all depend on software with the risk profile described by Project Glasswing.

In addition to the traditional analysis of architecture and technical debt, an updated technology DD should include: analysis of third-party library dependencies and their exposure to known CVEs, assessment of the development team's security practices, incident response maturity assessment, and, for significant proprietary codebases, an AI-assisted analysis of the most common vulnerability categories.

AI does not slow things down — it accelerates them. Claude can analyze a codebase in parallel with other due diligence activities, producing an initial risk report in days rather than weeks. The human technical advisor uses that report as a starting point for in-depth analysis of the critical points that emerged, instead of starting from scratch.

Risk is highest where data is sensitive and operational continuity is critical: finance, healthcare, connected industrial infrastructure, logistics. In these sectors a vulnerability is not just a technical problem — it is a compliance, business continuity, and reputational issue with clients.

Maverick AI is not a cybersecurity company and does not offer penetration testing. Our role is to build and implement Claude workflows that support the technology due diligence process. For specialized security assessments, we work with technical partners. The goal is to bring visibility into technological risk at a cost accessible for the mid-market operations typical of Italian PE.
