Anthropic expands Mythos access to critical infrastructure

Anthropic said in a company blog post that it is expanding Project Glasswing, the collaboration that pairs vetted partners with the Claude Mythos Preview to scan codebases for vulnerabilities, to approximately 150 new organizations across more than 15 countries. Anthropic wrote that the initial cohort of about 50 partners has helped identify more than 10,000 high- or critical-severity security flaws. The expanded group, Anthropic said, includes organizations that provide power, water, healthcare, communications, and hardware services and many vendors whose codebases are relied upon by other organizations and governments. Anthropic wrote, "What each partner has in common is that a successful attack on their codebase could be catastrophic," and that for most partners it estimates a major attack could affect more than 100 million people.

Tech reporting places Claude Mythos at the center of Glasswing and describes the model as unusually effective at reasoning about exploit chains and identifying zero-day vulnerabilities. Gizmodo reported that Cloudflare told reporters Claude Mythos Preview was particularly adept at exploit chain construction. TechCrunch and CNBC summarized Anthropic's claim that Mythos identified thousands of zero-day vulnerabilities in partner testing. TechCrunch, citing the Financial Times, published a partial list of organizations that have or will receive access, naming Okta, Samsung, SK Hynix, SK Telecom, NATO, and the EU agency ENISA among others.

Editorial analysis: Models that can rapidly discover and chain software vulnerabilities change the operational dynamics of security teams and third-party risk assessment. Companies and infrastructure operators often rely on a small set of external vendors and open-source maintainers; industry-pattern observations show that discovery of high-severity flaws at that systemic scale can force rapid patching cycles, emergency incident response, and broader disclosure coordination across dependent parties. Editorial analysis: The asymmetry created by a small group of actors running high-capability security models, and the parallel emergence of rival cyber-focused models, such as OpenAI's GPT-5.5-Cyber reported by TechCrunch, makes governance, access controls, and coordinated vulnerability disclosure primary concerns for defenders and maintainers.

Anthropic's blog post appeared alongside other company announcements that the firm has confidentially submitted a draft S-1 to the U.S. Securities and Exchange Commission and related fundraising disclosures; those corporate items were presented as related content on Anthropic's site. 9to5Mac and other outlets also reported Anthropic saying it expects to make "Mythos-class" capability available to a broader set of customers in the coming weeks, while noting that models of this capability level "require stronger cyber safeguards before they can be generally released," a sentence attributed to Anthropic in coverage.

For practitioners: indicators to monitor include whether Anthropic publishes detailed partner security requirements and attack-surface scope, whether coordinated vulnerability disclosure timelines are shortened for Glasswing findings, and whether public advisories or CVEs follow at higher rates for dependencies maintained by the newly added partners. For security teams: watch for third-party notices, patch cycles, and unusual exploit activity on repositories tied to listed vendors. For product teams and auditors: pay attention to how access controls and logging for Mythos-assisted scans are implemented and whether independent third-party audits of the process are published.

Editorial analysis: The expansion of Project Glasswing operationalizes a high-capability vulnerability-finding model against organizations that underpin large populations. That increases both defensive coverage where the partners are engaged and the stakes of access control and disclosure policy across the industry. Practitioners should treat this as a material development in how AI is being integrated into offensive and defensive cybersecurity workflows.