In just a few weeks, the first cohort of Anthropic's Project Glasswing partners uncovered more than 10,000 high- and critical-severity security flaws across systems used by hundreds of millions of people every day. On June 2, Anthropic announced it is expanding the program to 150 new organizations in more than 15 countries — including NATO, the EU's ENISA, Okta, Samsung, SK Hynix, and SK Telecom.
A Model Built for Security Work
Claude Mythos is not a public product. Anthropic calls it its most capable model to date, built specifically for cybersecurity: scanning codebases for zero-day vulnerabilities, writing patches, running penetration tests, and translating legacy code into memory-safe languages. Fifty partners — including parts of the U.S. government — received preview access in April 2026. The expansion brings the total to roughly 200 organizations.
Project Glasswing's logic is direct: equip defenders with AI before attackers get equivalent tools.
150 New Partners Across 15 Countries
The new wave covers sectors underrepresented in the first round — power, water, healthcare, telecommunications, and hardware manufacturing. Named publicly: Okta (U.S.), Samsung, SK Hynix, and SK Telecom (South Korea), plus NATO and ENISA (Europe). The full country list — Australia, Canada, France, Germany, Italy, Switzerland, Netherlands, Spain, Belgium, Sweden, India, Japan, New Zealand, South Korea, and the U.S. — maps almost exactly onto a Western security alliance. Anthropic notes this explicitly.
10,000 Flaws Found in the First Phase
The number that stands out from Phase 1: more than 10,000 high- or critical-severity vulnerabilities, discovered by just the initial 50 partners. Anthropic estimates that for most of them, a successful attack could affect over 100 million people, with consequences reaching national and global security.
Partners use Mythos not just to find bugs — they write patches, pre-screen releases before deployment, and port legacy systems to memory-safe languages. That last part matters: it eliminates entire categories of vulnerability, not just individual instances.
The 6–12 Month Window
"Cheap, fast AI models with powerful cyber capabilities are around the corner," Anthropic warned, pointing to a 6–12 month timeline. The concern: rivals may ship comparable tools without equivalent safety guardrails. Arming defenders first is the core argument behind Project Glasswing.
Next steps include a public Mythos release with "robust safeguards" against misuse, help for open-source maintainers handling vulnerability report backlogs, and broader geographic expansion. A separate Claude Security product for scanning public repositories is already live.
The Bigger Question
Granting access through a list of U.S.-aligned nations is both a security decision and a geopolitical one. As Mythos-grade tools become standard for Western governments and tech companies, the question of who sits outside that perimeter — and on what basis — will only get louder.
