Anthropic just handed roughly 150 new organizations across more than 15 countries access to an AI model that hunts for software vulnerabilities better than most human red teams. The expansion of Project Glasswing, announced June 2, quietly turns a frontier lab into something closer to a national security utility. The companies already inside the program have surfaced over 10,000 high- and critical-severity flaws, and the list of new sectors reads less like a customer roster and more like a target map for any adversary: power, water, healthcare, communications, and hardware.
What Actually Happened
On June 2, Anthropic said it would extend Project Glasswing to approximately 150 additional organizations spread across more than 15 countries. Project Glasswing is the company's program for giving vetted partners access to Claude Mythos, the model variant Anthropic has positioned as unusually capable at discovering software vulnerabilities. The original cohort was concentrated in cybersecurity, with marquee names like Apple, Nvidia, Microsoft, CrowdStrike, and Palo Alto Networks. This wave deliberately reaches beyond security vendors into the operators of physical infrastructure.
The numbers attached to the program are the part worth pausing on. Anthropic says partners have already revealed more than 10,000 high or critical-level security flaws since launch, a volume that would take traditional human teams months or years to reproduce. Access is not open. Each new organization must clear a set of security requirements before it can touch Mythos, a gate designed to keep a vulnerability-finding engine out of the wrong hands. The expansion followed several weeks of coordination with the security industry, open-source maintainers, and the United States government.
The framing matters as much as the mechanics. Anthropic is describing this as preparation for an era in which AI-powered offensive tools are cheap and abundant, and in which defenders need equally capable AI to keep pace. Project Glasswing is being pitched not as a product launch but as a defensive buildout, with Anthropic acting as the gatekeeper deciding which institutions are trusted enough to receive a tool that, pointed the other way, would be a weapon. That is an extraordinary role for a private company to assume, and it is doing so without a formal mandate.
The sector mix in this wave is the tell. Power, water, healthcare, communications, and hardware are precisely the systems whose failure cascades into the physical world, and they are also among the least mature in software security practice. Many run decades-old industrial control systems never designed to face an internet-scale threat model. Pointing a frontier vulnerability-discovery engine at that estate will surface an avalanche of findings, which is both the promise and the danger. The promise is that long-buried flaws finally get seen; the danger is that the same map of weaknesses now exists, and its safety depends entirely on Anthropic's access controls holding.
Why This Matters More Than People Think
The conventional read is that Anthropic is doing public-interest work, hardening critical infrastructure before bad actors weaponize the same capabilities. That is true, but it understates the structural shift. By becoming the entity that decides who gets a vulnerability-discovery model, Anthropic is positioning itself as an arbiter of national cyber-defense readiness. Governments spend decades building institutions to perform that function. A frontier lab just assumed a slice of it through a partner program, and the 150 new organizations now depend on Anthropic's judgment about access, throughput, and disclosure timing.
There is also a commercial flywheel hiding inside the public-good language. Every flaw Mythos finds is training signal and credibility. The 10,000 vulnerabilities already surfaced become a moat: Anthropic can now claim, with receipts, that its model finds real bugs in real production systems at a scale rivals cannot easily match. Expanding to power, water, and healthcare operators embeds Claude into the procurement pipelines of the most regulated, highest-switching-cost buyers on earth. Once a water utility builds its vulnerability-management workflow around Mythos, ripping it out is a board-level decision, not a vendor swap.
For defenders, the asymmetry is the real story. The same generative capabilities that let Mythos find flaws let an attacker's model write the exploit. Anthropic is implicitly betting that distributing the defensive version to trusted institutions, fast, beats waiting for regulation that may never arrive in time. The bet reshapes who holds leverage in cybersecurity: not the largest security vendor, but the lab that controls the most capable model and the access list around it. That concentration of capability is the part the celebratory coverage tends to skip.
The timing also lands inside a policy vacuum. The Trump administration's recent AI executive order leaned on voluntary model review and a federal cyber clearinghouse rather than binding rules, which leaves a gap that private programs naturally fill. When the state signals it will coordinate rather than mandate, the most capable private actor becomes the de facto standard-setter. Glasswing is that standard-setting in action: while legislators debate frameworks, Anthropic is already shipping the capability, writing the access rules, and accumulating the operational track record that any future regulation will have to be measured against.
Consider what the expansion does to the economics of an attack. The reason ransomware crews and state-aligned groups have thrived is that finding exploitable flaws was labor-intensive and scarce, which favored well-resourced attackers over thinly staffed defenders. A vulnerability-discovery model distributed to 150 defenders begins to flip that math, raising the cost and lowering the payoff of probing those specific systems. The catch is that the advantage only holds for organizations inside the club. Everyone outside it now operates in a world where the offensive version of this capability is proliferating while the defensive version is rationed, which widens the gap between the protected and the exposed rather than closing it.
The Competitive Landscape
Anthropic is not alone in pointing frontier models at security. OpenAI has shipped security-focused tooling and government-oriented offerings, Google has folded AI vulnerability discovery into its Project Zero lineage and its Big Sleep research, and Microsoft has woven Copilot into its sprawling Defender and Sentinel security stack. What separates Glasswing is the deliberate gating plus the breadth of non-security sectors. Microsoft sells security to everyone; Anthropic is curating a vetted club and reserving the most dangerous capability for members who pass a bar.
The historical parallel is the early management of cryptography. For decades, strong encryption was treated as a controlled munition, with governments deciding who could export or deploy it. Anthropic is improvising a similar regime for vulnerability-discovery AI, except the controlling entity is a private company rather than a state, and the rulebook is a partner agreement rather than export law. That arrangement is faster and more flexible than government licensing, and it concentrates discretionary power in a way the cryptography wars never quite did, because no single firm then held the equivalent of the master key.
The competitive risk for rivals is being locked out of the trust narrative. If Anthropic establishes Mythos as the model that critical infrastructure relies on, every future government procurement and insurance underwriting conversation starts from that reference point. CrowdStrike and Palo Alto Networks are partners today, but partnership can curdle into dependency. The vendors that built billion-dollar businesses on human-led threat research now have to decide whether to ride Anthropic's model or fund their own, and most lack the frontier-scale compute to build a credible alternative in time.
The cyber-insurance industry is the quiet third party in this contest. Insurers have struggled for years to price systemic cyber risk, and a model with a documented record of finding real flaws gives underwriters a new lever: discounts for Glasswing participants, surcharges for everyone else. That dynamic would do more to entrench Mythos than any sales team, because it converts Anthropic's access list into an actuarial fact. Once premiums reflect membership, the program stops being optional for serious operators, and Anthropic gains pricing power that compounds with every quarter the loss data improves.
Hidden Insight: The Lab Is Becoming the Regulator
The non-obvious angle is that Project Glasswing inverts the usual relationship between AI labs and the state. For two years the dominant narrative has been governments scrambling to regulate labs. Here, a lab is effectively regulating access to a capability that governments cannot yet match in-house. When Anthropic decides which water utility in which country qualifies for Mythos, it is making a sovereignty-adjacent decision, allocating defensive capacity across borders based on its own criteria. That is governance, performed by a company, dressed as a partner program.
This creates a dependency that is far stickier than any SaaS contract. Critical infrastructure operators that route their vulnerability management through Mythos are not just buying software; they are outsourcing a piece of their threat model to Anthropic's roadmap. If Anthropic changes pricing, throttles throughput, or reprioritizes which sectors get the newest model, the downstream effect lands on hospitals and power grids. The 150 new organizations are gaining a powerful defensive tool and simultaneously accepting a single point of failure they did not have before, all governed by terms a private board controls.
The uncomfortable truth is that this may be the most efficient available option, and that is precisely the problem. Government cyber agencies move slowly, lack frontier compute, and struggle to hire model talent. A lab can ship a vulnerability-finding capability to 150 institutions in 15 countries in a matter of weeks. Efficiency is seductive, and it is exactly how informal power becomes permanent. The institutions that depend on Glasswing today will lobby to keep it tomorrow, and the muscle that public agencies might have built atrophies because the private substitute already works.
There is a deeper signal here about where frontier value migrates next. The first wave of AI value was raw capability, the second was distribution, and this is the third: trusted, gated access to capabilities too dangerous to release openly. Whoever owns the trust layer and the access list captures durable rents, because the alternative to trusting them is building a frontier lab of your own. Anthropic is quietly staking a claim to that layer in the single domain, national cyber defense, where the willingness to pay is effectively unlimited.
It also reframes Anthropic's safety branding as a business strategy rather than a constraint. The company has long marketed caution as a differentiator, and Glasswing shows how that posture converts into commercial advantage: only a lab trusted to gate dangerous capabilities responsibly can credibly run a program like this. Caution becomes the product. Rivals that release more openly cannot easily replicate a vetted-access club, because the entire value proposition rests on the discipline of saying no to most applicants. Anthropic has turned its slowest-mover reputation into the moat that lets it move first where it matters most.
What to Watch Next
Over the next 30 days, watch for the first disclosures stemming from the expanded cohort and whether Anthropic publishes aggregate metrics on flaws found by sector. A spike in critical vulnerabilities reported in power and water systems would confirm the program is producing real defensive value, and would also reveal just how exposed those systems were. Watch, too, for any government, particularly outside the United States, that objects to a US company gatekeeping access for its domestic infrastructure operators.
Over 90 to 180 days, the indicators to track are pricing and exclusivity. Does Anthropic begin charging differentiated rates for Mythos access, and does it sign sector-exclusive arrangements that lock competitors out of, say, the energy vertical? Watch whether OpenAI or Google announce competing vetted-access programs, which would signal the market is fragmenting into rival trust clubs. Also watch for the first reported incident in which a Glasswing partner's access is revoked, because the revocation criteria will reveal how much discretionary power Anthropic actually holds.
The bear case, however, is straightforward and worth holding onto: critics argue that concentrating a vulnerability-discovery model in one company's gated program creates exactly the single point of failure it claims to solve, and that a breach of Anthropic's access controls, or a coerced disclosure to a hostile state, would convert the world's best defensive tool into a shared offensive playbook. Skeptics also point out that 10,000 flaws found is not the same as 10,000 flaws fixed, and that surfacing vulnerabilities faster than overstretched infrastructure teams can patch them may simply lengthen the window attackers can exploit.
Anthropic did not just expand a security program; it quietly appointed itself the gatekeeper of who gets to defend the world's critical infrastructure.
Key Takeaways
- 150 new organizations across more than 15 countries gained access to Claude Mythos through the Project Glasswing expansion announced June 2.
- 10,000+ high and critical vulnerabilities have already been surfaced by existing Glasswing partners since launch.
- New sectors include power, water, healthcare, communications, and hardware, moving the program well beyond its cybersecurity-vendor origins.
- Vetted access only: every organization must clear Anthropic's security requirements before receiving the vulnerability-finding model.
- Existing partners include Apple, Nvidia, Microsoft, CrowdStrike, and Palo Alto Networks, anchoring Mythos inside the security industry's core.
Questions Worth Asking
- Should a private company decide which countries' infrastructure operators get access to the best AI cyber-defense tool available?
- If critical infrastructure standardizes on Mythos, what happens to public cyber agencies that never build the equivalent in-house capability?
- Is your organization's security posture quietly becoming dependent on a single frontier lab's access decisions and roadmap?