Anthropic Expands Project Glasswing to About 150 Critical-Infrastructure Organizations Across 15+ Countries
Anthropic is extending Project Glasswing, which uses its Claude Mythos model to find software flaws, to about 150 more organizations in 15-plus countries. Most are critical-infrastructure operators where, the company estimates, a major attack on any one of them could affect 100 million-plus people.
An AI model that can find thousands of zero-day vulnerabilities is a gift to whoever holds it. The whole question behind Project Glasswing's expansion is whether defenders can be handed that gift faster than attackers build their own.
SAN FRANCISCO — Anthropic said on June 2, 2026 that it is expanding Project Glasswing — its initiative to secure the world's most important software using its Claude Mythos model — to roughly 150 new organizations across more than 15 countries, a significant scaling-up of a program that began in early April with about 50 partners, according to the company's announcement and reporting by TechCrunch, CyberScoop and SecurityWeek.
(Disclosure: The CyberSignal is produced using Anthropic's Claude models. We have applied extra scrutiny to this story accordingly and report Anthropic's figures and characterizations as the company's own claims.)
The new cohort is weighted toward critical-infrastructure operators — power, water, healthcare, communications and hardware — and toward vendors whose code is relied upon by many other organizations and governments. Anthropic says each partner must meet its security requirements before getting access, and that for most of them, a successful attack on their codebase could affect more than 100 million people.
What Happened
In a June 2 announcement, Anthropic said Project Glasswing — which it describes as a collaborative effort to secure the world's most important software — is moving beyond its initial group of roughly 50 partners to about 150 new organizations. The company said the expansion followed several weeks of work with existing partners, the security industry, open-source maintainers and the US government, and that the new organizations span more than 15 countries. Per reporting by TechCrunch, that group includes organizations in U.S.-friendly countries such as Australia, Canada, France, Germany, Italy, Switzerland, the Netherlands, Spain, Belgium, Sweden, India, Japan, New Zealand and South Korea. Anthropic said the cohort covers industries that were not well represented before — power, water, healthcare, communications and hardware — and includes many vendors whose codebases are depended upon by other organizations and governments worldwide.
At the center of the program is Claude Mythos Preview, a restricted-access model Anthropic characterizes as its most capable for vulnerability discovery. The company says partners have used it to surface more than 10,000 high- or critical-severity software flaws since early April, and that the present bottleneck has shifted from finding vulnerabilities to verifying, disclosing and patching them — a problem it says Mythos can also help with by writing patches, running pre-release checks, performing penetration testing, and rebuilding legacy code in memory-safe languages. Anthropic also pointed to Claude Security, a separate product built on its public frontier models (such as Claude Opus 4.8) that scans codebases and suggests patches, and said it is releasing some of the Glasswing tooling on request to trusted security teams. All of these figures and capability descriptions are Anthropic's own.
The Defender's-Advantage Bet
Anthropic's stated rationale is a race. It argues that cheap, fast AI models with strong offensive cyber capabilities are 'around the corner,' that within 6 to 12 months other companies will field Mythos-class models, and that some may release them without safeguards against misuse — a world in which cyberattacks become more frequent and less predictable. Project Glasswing is its attempt to get comparable defensive capability into vetted hands first, so the industry can adapt before that happens. That framing is consistent with what security leaders themselves have been saying; it echoes the warning The CyberSignal covered when Mandia, Stamos and Adamski said the next two years would be 'insane', and it builds on Glasswing's own earlier results, including the original launch in which Mythos-class scanning surfaced its first large batches of flaws and the Mythos run that uncovered 271 security flaws in Firefox. Whether the defender's-advantage bet pays off is the open question — it depends on patching keeping pace with discovery, which Anthropic concedes is now the harder half of the problem.
The Dual-Use Problem Anthropic Names Itself
The most important caveat comes from Anthropic, not its critics. The company is explicit that the same model that finds 10,000 vulnerabilities for defenders would be devastating in an attacker's hands, and that it wants to release Mythos-level capability widely but has not yet built safeguards strong and precise enough to prevent misuse — adding that, to its knowledge, no other AI developer has either. That is a remarkable admission to anchor a product expansion on: the capability is being rationed precisely because it is dangerous, and the vetting of each partner is the safeguard standing in for technical controls that do not yet exist. For defenders evaluating the news, that reframes Glasswing from a straightforward good-news story into a managed-risk one. The benefit is real and large; so is the reason access is restricted.
Concentration, and the Scrutiny It Invites
There is a structural concern that sits alongside the technical one: a single company currently decides who gets a tool capable of mapping the soft spots in the software that runs power grids, hospitals and banks. Anthropic's answer is vetting, U.S.-government collaboration, and a stated intent to widen access over time through further Glasswing expansions and a Cyber Verification Program. But the concentration is real, and it has attracted policymaker attention — including a closed congressional briefing and a planned House hearing on Mythos and its cyber risks. None of that means the program is reckless; it means the stakes are high enough that 'trust the vendor's vetting' is not, by itself, a satisfying long-term governance answer, and that the same expansion can be read two ways: as responsible stewardship of a dangerous capability, or as private control over critical-infrastructure security that deserves public oversight. Both readings are defensible, and a careful reader should hold them together.
Scope and Impact
The direct beneficiaries are the roughly 150 newly admitted organizations and, through them, the infrastructure and downstream software they secure. Because many of the new partners are vendors whose code is embedded across other organizations, the intended ripple effect is broad: fixing a vulnerability in a widely-used library or platform protects everyone who depends on it. The geographic reach — 15-plus countries, all described as U.S.-friendly — signals that this is being run as an allied-defense effort rather than a purely commercial one, and Anthropic says it intends to expand further, prioritizing essential-infrastructure providers, maintainers of critical open-source software, and safety testers.
For everyone outside the program, the practical scope is different and worth stating plainly: this does not yet help you directly. Mythos-class capability is restricted, so the typical organization cannot scan its own code with it today. What is available now is Claude Security, built on public frontier models, and the subset of Glasswing tooling Anthropic is releasing to trusted security teams on request. The more important near-term takeaway is anticipatory — Anthropic's own timeline says comparable offensive-capable models may be broadly available within a year, possibly without safeguards, so the planning assumption for defenders is that the cost of finding vulnerabilities is about to fall for attackers too.
Response and Attribution
For CISOs and security leaders, the actionable response is to treat Anthropic's 6-to-12-month timeline as a planning input rather than marketing. If AI-driven vulnerability discovery is about to get cheap and widespread, the bottleneck on the defensive side becomes the same one Anthropic flags: the capacity to verify, disclose and patch at volume. That argues for investing now in patch-management throughput, software bills of materials and dependency inventories (so you know what you run and can act fast when a widely-used component is found vulnerable), memory-safe rewrites of critical legacy code where feasible, and pre-release security checks in the development pipeline. Organizations that want hands-on capability today can evaluate Claude Security and similar AI-assisted code-scanning tools built on generally available models, while recognizing they are not equivalent to the restricted Mythos Preview.
For policymakers and the security community, the responsible posture is engaged skepticism rather than either alarm or applause. The defender's-advantage thesis is plausible and the early results are striking, but they are self-reported, the safeguards Anthropic says are needed do not yet exist, and the decision about who can wield a critical-infrastructure-scale vulnerability finder currently rests with one company. Those are exactly the conditions under which independent verification, congressional oversight, and clear norms for vulnerability disclosure matter most — and they connect this expansion to the parallel government move the same week to formalize AI-vulnerability sharing with critical-infrastructure operators, which The CyberSignal covers in its report on the new federal AI executive order. The story to watch is not just how many flaws Mythos finds, but whether the institutions around it — patching capacity, disclosure norms, and public oversight — mature fast enough to match it.
The CyberSignal Analysis
Signal 01 — The Bottleneck Moved From Finding to Fixing
The most consequential line in Anthropic's announcement is its admission that the hard part is no longer discovery. If a model can surface 10,000 critical flaws in two months, the constraint on actually improving security becomes the human and organizational work of validating, disclosing and patching them. That inverts a long-standing assumption — that finding vulnerabilities was the scarce skill — and it should reorder defender priorities accordingly. An organization that can find ten times more vulnerabilities but patch at the same rate has not become safer; it has just generated a longer backlog. The defenders who benefit from the AI-vulnerability era will be the ones who invested in remediation throughput, not just detection.
Signal 02 — Restricted Access Is the Real Safeguard, For Now
Anthropic is unusually candid that it cannot yet technically prevent misuse of Mythos-class capability, which means the vetting of each partner is doing the safety work that code cannot. That is a fragile arrangement by design, and it is the honest center of this story: the capability is gated because it is dangerous, not merely because it is commercially valuable. Defenders should read the restriction as a signal of how powerful the tool is, and policymakers should read it as a reason to build the oversight and verification structures that 'trust our vetting' cannot substitute for indefinitely. When the vendor itself says the safeguards do not exist yet, that is the part of the announcement to take most seriously.
Signal 03 — Plan for the Capability to Leak Downward
Even if Anthropic manages access perfectly, its own forecast is that the capability proliferates within a year, and not every future holder will be as cautious. The durable lesson for any organization is therefore independent of Glasswing's membership list: assume that the cost of discovering exploitable vulnerabilities in your software is about to drop sharply for attackers, and that the window between a flaw existing and being weaponized will compress. The defensive responses — aggressive patching, dependency hygiene, memory-safe code, and pre-release checks — are the same ones that pay off regardless of which vendor's model finds the bug first. The teams that start now are buying time against a deadline the technology, not any one company, is setting.