Visa Open-Sources VVAH: AI-Powered Vulnerability Discovery Tool Built on Anthropic's Project Glasswing
Key Takeaways
- ▸Visa releases VVAH, an open-source AI-powered framework for autonomous vulnerability discovery backed by Anthropic's Project Glasswing
- ▸Multi-model architecture supports Anthropic Claude, OpenAI, and other compatible providers with no vendor lock-in
- ▸Focuses on Mean Time to Adapt (MTTA)—triage efficiency rather than discovery speed—addressing the real bottleneck in AI-assisted vulnerability management
Summary
Visa has released Visa Vulnerability Agentic Harness (VVAH), an open-source framework for autonomous vulnerability discovery built on Anthropic's Project Glasswing initiative. The tool leverages frontier AI models (with default support for Anthropic Claude, plus OpenAI and other providers) to systematize the lifecycle from AI-discovered security weaknesses to validated fixes in production.
VVAH's architecture reflects a fundamental insight from Project Glasswing: the bottleneck in AI-assisted vulnerability management is triage speed, not discovery speed. Rather than optimizing for raw finding volume, the system combines three design strategies—threat modeling before analysis, multi-agent deterministic voting to reduce false positives, and structured triage artifacts—to compress the Mean Time to Adapt (MTTA). The pipeline consists of nine stages across three phases, each combining deterministic controls with frontier-model reasoning to produce exploit-validated findings.
The tool is multi-model by design, with no single provider as a dependency. Each pipeline stage is implemented as a composable, reusable skill that can be independently tuned, versioned, or replaced. VVAH accepts standardized inputs (batch repositories, GitHub Enterprise metadata, CMDB records, CVE feeds) and outputs structured reports, SARIF artifacts, and API-ready findings. The project is open-source but not accepting external contributions; use is authorized only for code owned or explicitly permitted for testing.
- Composable pipeline of nine stages with deterministic controls plus frontier AI reasoning produces exploit-validated, human-reviewable findings
- Available immediately as open-source; installation via pip with support for CLI, SDK, and OpenAI-compatible backends
Editorial Opinion
VVAH represents a maturation of AI-assisted security tooling by shifting focus from raw detection volume to operational speed—a pragmatic move that could accelerate vulnerability response across enterprises. Visa's choice to build on Anthropic's Project Glasswing and support multiple AI providers signals confidence in the agentic approach while hedging against vendor dependency, a mature strategy for infrastructure that relies on frontier models.