A month ago, Anthropic launched Project Glasswing — a large-scale initiative using AI to find and fix vulnerabilities in critical software. The ambition is real, and the technology is genuinely impressive. But the initiative is shaped by a small group of American technology companies and investors, and after the preview period, access to the underlying model comes at a cost that puts it out of reach for most of the world.

We think Europe deserves its own answer. Independent. Non-profit. Transparent. Driven by the security community, not by commercial interest.

That answer is Project Lacewing.

What we are building

Project Lacewing uses AI to find and fix vulnerabilities in critical software — at a scale and speed that DIVD’s volunteer researchers could not reach alone. Everything we find will be disclosed responsibly, as it always has been: the affected party first, then the world.

The project is organised into focused sub-projects, each with a clear scope:

• Project Initiation — building the partner ecosystem and defining the roadmap. Active now.
• Open Source Models — investigating how well open source AI models perform on vulnerability research tasks, so we are not permanently dependent on commercial providers.
• Closed Source Models — independently evaluating the claims commercial providers make about their models’ capabilities. We will publish the results openly, whatever they show.
• Investigation of Software — AI-assisted vulnerability research on critical software that commercial initiatives are unlikely to prioritise.
• Data Leak Discovery — automated detection of sensitive data unintentionally exposed in cloud storage buckets and source code repositories.
• Vulnerable Configuration Research — automated discovery of common misconfigurations in internet-facing systems before attackers find them first.

Who is already involved

DIVD provides the organisational backbone, the volunteer network, and the responsible disclosure infrastructure that makes this possible. We are proud to be joined from day one by Schuberg Philis — a Dutch IT company specialising in mission-critical systems — as our first external partner.

We are actively looking for more: organisations that can contribute funding, hardware, people, or codebase access. The internet’s defence belongs to everyone. So does building it.

Read more

For the full background on why we launched Project Lacewing, the urgency behind it, and how to get involved, read our press release or explore the sub-projects on this site.

If you want to contribute — as a technical expert, a fundraiser, or a champion — get in touch.

The internet belongs to everyone. Let’s make sure its defence does too.