The window between disclosure and weaponisation has collapsed.
Anthropic's Project Glasswing revealed that Claude Mythos Preview autonomously found thousands of zero-days across every major OS and browser — including a 27-year-old remote crash in OpenBSD that survived decades of human review and millions of fuzzer runs. Similar capabilities will arrive from other labs. They won't all be aimed at defence.
The defensive side hasn't kept up. Finding a CVE is fast. Deciding what to do about it in your codebase, without breaking production, still takes senior engineers hours — or days — per incident.
/ The Solution
Changes AI collapses that middle step.
Given a repo or a current venv, it produces a ranked set of remediation paths — each scored for exposure risk (how long you stay vulnerable) and breakage risk (how likely the upgrade is to break your application).
Yes, AI is what's making this necessary. Yes, AI is what Changes AI uses to help fix it. Irony noted and embraced.
/ How It Works
01. Point it at a repo or venv: GitHub URL or local site-packages path
02. Get a full version map: every package — pinned, outdated, unknown — in one table
03. CVE scanning with severity flags: severity-aware output, CI-ready exit codes via OSV
04. LLM-backed impact assessment: ranked remediation paths scored for exposure risk and breakage risk