What happened
Anthropic said in a company blog post that it is expanding Project Glasswing, the controlled program that pairs vetted partners with its restricted Claude Mythos Preview to scan codebases for vulnerabilities, to approximately 150 new organizations across more than 15 countries. The expansion targets sectors that were underrepresented in the first wave, including power, water, healthcare, communications, and hardware, along with vendors whose code is relied upon by other organizations and governments. Anthropic said a successful attack on any of these partners' codebases "could be catastrophic," and estimated that for most partners a major attack could affect more than 100 million people, with implications for both national and global security.
Who is in the program
According to Anthropic and corroborating coverage, the program began in early April with an initial cohort of roughly 50 partners, reported to include Amazon Web Services, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. TechCrunch, citing the Financial Times, reported that the expanded group includes Okta, Samsung, SK Hynix, SK Telecom, NATO, and the EU cybersecurity agency ENISA, among others. Independent security-trade outlets including Cybersecurity Dive and CyberScoop reported the same headline figures of about 150 organizations across 15-plus countries.
What Anthropic says the model found
Anthropic wrote that partners using the Claude Mythos Preview have surfaced more than 10,000 high- or critical-severity software vulnerabilities since the program launched. Tech reporting describes Mythos as unusually effective at reasoning about exploit chains and identifying previously unknown (zero-day) flaws, and TechCrunch and CNBC summarized Anthropic's claim that the model identified thousands of such vulnerabilities in partner testing. In coverage from 9to5Mac and Forbes, Anthropic signaled it expects to make Mythos-class capability available to a broader set of customers in the coming weeks, while cautioning that models at this capability level require stronger cyber safeguards before any general release.
Editorial analysis
As a general industry pattern, models that can rapidly discover and chain software vulnerabilities change the operational dynamics of security teams and third-party risk management. Infrastructure operators typically depend on a small set of external vendors and open-source maintainers, so discovery of high-severity flaws at systemic scale can force compressed patching cycles, emergency incident response, and broader disclosure coordination among dependent parties. The same capability that strengthens defense inside partner organizations also concentrates a powerful offensive tool among a small group of vetted actors, which is why access controls, logging, and coordinated vulnerability disclosure are central to how such programs are judged.
What to watch
Indicators to monitor include whether Anthropic publishes detailed partner security requirements and disclosure timelines, whether public advisories or CVEs follow at higher rates for dependencies maintained by the newly added partners, and whether independent audits of the scanning process are released. Security teams should watch for third-party notices, accelerated patch cycles, and unusual exploit activity tied to listed vendors, while product and governance teams track how Mythos-assisted scans are access-controlled and logged as the capability moves toward wider availability.
Key Points
- Anthropic expanded Project Glasswing to about 150 organizations across 15+ countries, giving critical-infrastructure partners access to its restricted Claude Mythos vulnerability scanner.
- Partners span power, water, healthcare, communications, and hardware; Anthropic says early users surfaced over 10,000 high- or critical-severity flaws since April.
- Concentrated access to high-capability vulnerability models makes governance, access controls, and coordinated disclosure central operational concerns for defenders and software maintainers.
Scoring Rationale
This is a major security story for AI and security practitioners: a high-capability model is being used in controlled scanning of critical-infrastructure vendors at scale. The development materially affects vulnerability discovery and disclosure workflows but does not by itself represent a new model-architecture breakthrough.
