An initiative by

The internet belongs to everyone. So does its defense.

Project Lacewing is the European, open answer to AI-driven vulnerability research — by DIVD, transparent and non-profit.

Get involved Learn more

Named after the lacewing (Chrysopidae) — like the glasswing butterfly, but a natural predator of pests.

Background

Glasswing is a step forward — but for whom?

On April 7, 2026, Anthropic launched Project Glasswing — a large-scale initiative using AI to find and fix vulnerabilities in critical software. Sounds great. And it is, partly.

But look who's at the table: Amazon, Apple, Microsoft, Google, NVIDIA, JPMorgan, Cisco — and the Linux Foundation. The decisions about what gets investigated, what gets fixed, and who benefits are largely in the hands of a small group of American tech companies and investors. After the preview period, access to the underlying model costs $25–$125 per million tokens.

DIVD has something no Glasswing partner has: a track record of independent, non-profit, responsible disclosure — with no agenda other than making the internet safer.

Our proposal

Project Lacewing: a European answer

No closed club. No proprietary models we depend on. Instead, targeted use of AI to find and fix vulnerabilities in critical software.

Build AI capacity

Raise funds to invest in AI tokens and locally running open-source models — including the hardware to run them on.

Automated research

Deploy AI for vulnerability research at the scale DIVD can handle, but smarter and faster than ever.

Open collaboration

Companies contribute money, hardware, people, or codebase access — and commit to fixing what we find.

Responsible Disclosure

Everything we find and learn, we share — but responsibly. The affected party first, then the world. As always.

The urgency

Why now

The barrier to finding vulnerabilities is structurally dropping. What Glasswing demonstrates is that AI is already better than most humans at finding bugs that have sat undetected in critical software for ten, twenty, sometimes thirty years. That's not going to reverse.

If we do nothing, the answer in two years will be: a handful of American companies, a few Asian state actors, and the criminals catching up with them.

The question isn't whether these capabilities are coming. The question is who has them.

DIVD can be a third way — transparent, independent, European.

DIVD by numbers

A proven track record

189 volunteers
193 cases handled
1.4M vulnerable IPs notified

What we're doing

Sub-projects

Project Lacewing is made up of focused sub-projects, each with a defined scope and timeline. Together they form the roadmap from initiation to operational AI-driven vulnerability research.

Active 7 May 2026 – ongoing

Project Initiation

Finding the right partners, getting the ecosystem together, and defining the roadmap for the remainder of the project.
Proposed TBD

Open Source Models

Investigation into the possibilities of using open source AI models in vulnerability research.
Proposed TBD

Closed Source Models

Investigation into the claims made by closed source model providers about their capabilities in vulnerability research.
Proposed TBD

Investigation of Software

AI-powered vulnerability research on software that is critical, but not covered by Project Glasswing.
Proposed TBD

Data Leak Discovery

Automated detection of sensitive data unintentionally exposed in publicly accessible locations such as cloud storage buckets and source code repositories.

Proposed TBD

Vulnerable Configuration Research

Automated discovery of common misconfigurations in internet-facing systems and services that create exploitable attack surfaces — before attackers find them.

Latest

Blog

  1. Launching Project Lacewing: a European answer to AI-driven vulnerability research Today DIVD launches Project Lacewing — a European, open, non-profit initiative to use AI for vulnerability research. Here is why we built it, and what...

All posts →

Our partners

Partners

Organisations supporting Project Lacewing with funding, hardware, people, or codebase access. Listed in order of appearance.

DIVD

DIVD — Dutch Institute for Vulnerability Disclosure — is a non-profit organisation of volunteer security researchers that scans the internet...

Schuberg Philis

Schuberg Philis is a Dutch IT company focused on mission-critical systems, known for its commitment to quality, security, and open...

Your logo here...

Become a partner of Project Lacewing and help build a safer, independent internet — from Europe, for everyone.

View all partners →

Get involved

What we need

This project cannot succeed without substantial funding — on a scale DIVD has not been able to reach before, because running and training AI models is not cheap. But the alternative is watching others set the standard.

Technical

Help think through the technical setup: which models, which hardware, which targets.

Sign up

Fundraising

Help with fundraising: finding and approaching grants, partners, and donors.

Sign up

Champion

Help lead and champion this effort — give it a face and voice outward.

Sign up

The internet belongs to everyone. Let's make sure its defense does too.

Support Project Lacewing Get in touch