An AI model has now found more than ten thousand critical software flaws, and Anthropic just handed it to NATO, the EU's cybersecurity agency, and the companies that run the power and water for fifteen countries. That is either the most consequential cyber-defense deployment of the decade or the largest concentration of offensive capability ever placed in one model's hands, depending on who you ask. On June 2, Anthropic decided the defensive case wins.
What Actually Happened
Anthropic expanded Project Glasswing, extending access to its cybersecurity-focused model, Claude Mythos, to roughly 150 new organizations across more than 15 countries. The new cohort is dominated by critical-infrastructure operators in power, water, healthcare, and telecommunications, the systems whose failure cascades into everything else. Anthropic says the program has already surfaced over 10,000 high or critical-severity vulnerabilities since it launched in early April, a discovery rate that no human red-team operating at any realistic budget could match in the same window.
The roster of participants reads like a map of Western institutional power. Newly granted access includes the identity-security firm Okta; South Korean industrial giants Samsung, SK Hynix, and SK Telecom; the military alliance NATO; and the European Union's cybersecurity agency, ENISA. The participating countries, among them Australia, Canada, France, Germany, Italy, the Netherlands, Spain, Sweden, India, Japan, New Zealand, and South Korea, share one defining trait: each is considered friendly to the United States. This is not a neutral commercial rollout. It is an alliance, drawn along geopolitical lines.
Anthropic framed the expansion as the product of weeks of coordination with the security industry, open-source software maintainers, and the US government, a deliberate, vetted release rather than an open launch. Yet the company was unusually candid about the limit of what it is shipping. Finding flaws, it admitted, is no longer the hard part. The bottleneck now is human: the capacity to triage, verify, responsibly disclose, and design and deploy patches before an attacker exploits the same weakness. The model has outrun the people who must act on what it finds.
The choice of launch partners is itself a strategic statement about where the risk concentrates. Okta sits at the identity layer that thousands of other companies authenticate through, so a flaw found there protects a long downstream chain. Samsung and SK Hynix build the memory and chips inside data centers and devices worldwide, while SK Telecom runs national-scale connectivity. By seeding Mythos at these chokepoints rather than at random enterprises, Anthropic is targeting the nodes whose compromise would cascade furthest, the supply-chain and identity layers that a single exploited flaw can turn into a continent-wide incident. It is triage applied to the global attack surface, decided by which failures hurt the most.
Why This Matters More Than People Think
For thirty years, offense has held the advantage in cybersecurity for a simple structural reason: a defender must secure every door, while an attacker needs only one unlocked. Claude Mythos is the first serious attempt to invert that asymmetry by giving defenders a tool that can scan vast codebases and surface critical flaws faster than human attackers can find and weaponize them. If the defensive side can now discover and close vulnerabilities at machine speed, the centuries-old math of the attacker's edge begins to shift. That is the genuine promise behind the 10,000-flaw number, and it is why governments are paying attention rather than just enterprises.
The same capability is precisely what makes the deployment fraught. A model that can find ten thousand critical vulnerabilities in defensive hands can find them just as well in offensive ones, and the only thing separating the two uses is who is holding the keys. Anthropic's decision to gate Mythos behind a vetted, allied-nations program is an admission that the technology is dual-use at its core. The careful country list, the coordination with the US government, the absence of an open release: these are the actions of a company that knows it is shipping something that could be a weapon if it leaked, and is trying to manage that risk through access control rather than capability limits.
The bottleneck Anthropic named is the part most coverage will miss, and it is the most important. Discovering 10,000 flaws is useless if an organization can patch only a few hundred a quarter, because an unpatched-but-known vulnerability is arguably more dangerous than an undiscovered one: it sits in a report, waiting for the disclosure window to leak or for an insider to act. AI just industrialized the finding of flaws without industrializing the fixing of them, and that imbalance creates a new and uncomfortable category of risk, a growing backlog of known, unpatched, critical holes in the systems that run modern life.
The Competitive Landscape
Anthropic is not alone in pointing frontier models at security, but the structure of this program sets it apart. Google has pushed Big Sleep and its Project Zero research toward AI-assisted vulnerability discovery, and OpenAI has shipped models with strong cyber capabilities, with GPT-5.5 variants reaching European customers under their own access controls. Microsoft folds security copilots into its enterprise stack. What none of them has matched is a coordinated, alliance-scale deployment that puts a dedicated cyber model directly into the hands of NATO, a national-grid operator, and a chip manufacturer at the same time, under one vetted program.
That structure is the competitive moat, not the model itself. By organizing Glasswing around critical infrastructure and allied governments, Anthropic positions itself as the trusted security partner to the Western alliance, a status that is far stickier than any benchmark lead. Once NATO and ENISA build processes around Mythos, switching to a rival model means re-vetting, re-coordinating, and re-certifying across dozens of institutions and countries. Anthropic is converting a model capability into an institutional relationship, and institutional relationships in national security are measured in decades, not product cycles.
The historical parallel is the founding of computer emergency response teams after the 1988 Morris worm, the first incident that forced governments to treat software vulnerability as a national-security matter rather than an engineering nuisance. That moment created the coordinated-disclosure infrastructure, the CERTs and the responsible-disclosure norms, that still governs how flaws are handled today. Project Glasswing looks like an attempt to build the AI-era successor to that infrastructure, with Anthropic as its private operator. The open question is whether the world is comfortable with a single commercial lab occupying the coordinating role that, last time, was built as public infrastructure.
The economics of this asymmetry favor whoever moves first, which partly explains Anthropic's urgency. A defender who deploys Mythos across a codebase pays a fixed cost to surface its flaws once, while an attacker must now contend with a target that closes holes at machine speed. In theory that raises the cost of offense across the entire defended set. In practice the advantage only materializes if the patching keeps pace, and that is exactly the constraint Anthropic flagged, which means the first-mover edge is real but perishable, lasting only as long as defenders can convert discovery into remediation faster than adversaries can convert discovery into exploitation.
Hidden Insight: Anthropic Is Building a Private Cyber-NATO
Strip away the product framing and what Anthropic has assembled is a private security alliance, organized along the same geopolitical lines as the real one and sharing several of its members. The deliberate exclusion of countries outside the US-friendly sphere is the tell. This is not a company selling a security tool to whoever pays; it is a company curating which nations and institutions get to defend themselves at machine speed, and which do not. That curation is a form of soft power that, until now, only states have wielded, and Anthropic is exercising it as a corporate decision.
This is where the deployment stops being a cybersecurity story and becomes a governance story. A private company is now making sovereign-grade decisions about the distribution of defensive capability, deciding that Japan and Germany are inside the circle and that others are outside it. Those choices carry real consequence: a nation with Mythos-grade defense and a nation without it are not playing the same game, and the gap compounds as the model improves. We have quietly arrived at a moment where access to a corporate AI product is becoming a determinant of national security, allocated by a board in San Francisco rather than a treaty among states.
The bear case, however, is that the whole program could deepen the very insecurity it aims to fix. Critics argue that concentrating the world's most powerful vulnerability-discovery engine inside one company creates a single point of catastrophic failure: if Mythos itself, or the 10,000-flaw database it has generated, were ever compromised or leaked, the attacker would inherit a ready-made target list for the planet's most critical systems. The risk is not hypothetical. A repository of known-but-unpatched critical vulnerabilities across power grids and hospitals is the single most valuable document an adversary could steal, and Anthropic has just created and centralized exactly that.
There is a further uncomfortable truth the alliance framing obscures. By tying defensive capability to geopolitical alignment, Anthropic guarantees that adversary states will treat matching or exceeding Mythos as a national priority, accelerating the offensive arms race the program is meant to blunt. Skeptics point out that every defensive escalation in cyber history has provoked a proportional offensive response, and there is little reason to expect this one to break the pattern. The most likely outcome is not a durable defensive advantage but a faster, higher-stakes cycle in which both sides wield models that find flaws by the thousand, and the patching bottleneck Anthropic already flagged becomes the permanent weak point on every side.
The disclosure question deserves its own scrutiny over this period. Traditional responsible disclosure assumes a researcher finds a handful of flaws and gives a vendor 90 days to patch before going public. A model that generates flaws by the thousand breaks that norm entirely, because no vendor can absorb thousands of simultaneous disclosures on a fixed timeline. Watch whether Anthropic and its partners propose a new disclosure framework built for machine-scale discovery, because the old etiquette, designed for human-paced research, simply does not function at the volume Mythos produces, and the gap between the two is where attackers will operate.
What to Watch Next
In the next 30 days, watch the patch-versus-discovery ratio, the only metric that proves whether Glasswing improves security or just inventories its absence. If Anthropic or its partners can show that a large share of the 10,000 flaws are being remediated, not just catalogued, the defensive thesis holds. If the disclosure backlog grows faster than the patch rate, the program is manufacturing risk it cannot retire, and the bottleneck Anthropic itself named becomes the headline within a quarter.
By 90 days, watch for the first disclosed incident traceable to a Mythos-found vulnerability, in either direction. A defended critical-infrastructure operator that publicly credits the program with stopping an intrusion would validate the entire model. A leaked flaw from the database, or evidence that an adversary has reproduced comparable capability, would vindicate the critics. Watch too whether any excluded nation or bloc responds by funding a sovereign equivalent, the clearest sign that the alliance framing is triggering exactly the arms race skeptics predict.
Over 180 days, the governance question moves from theory to policy. Watch whether governments move to regulate or formalize Anthropic's coordinating role, through the US government that already collaborates on the program, through the EU where ENISA's participation invites scrutiny, or through new disclosure mandates. The decision that matters is whether the world accepts a commercial lab as the de facto operator of AI-era cyber defense, or insists that a role this close to national security be placed under public oversight. How that resolves will shape not just Anthropic, but the boundary between corporate and sovereign power in the AI age.
AI just industrialized the discovery of critical flaws without industrializing the fixing of them, and a backlog of known, unpatched holes in the power grid is more dangerous than an undiscovered one.
Key Takeaways
- Anthropic expanded Project Glasswing, giving its Claude Mythos cyber model to roughly 150 new organizations across 15+ countries, focused on power, water, healthcare, and telecom operators.
- The program has surfaced over 10,000 high or critical-severity vulnerabilities since launching in early April, a pace no human red-team can match.
- Participants include NATO, the EU agency ENISA, Okta, Samsung, SK Hynix, and SK Telecom, with access limited to US-friendly nations.
- Anthropic admits the real bottleneck is human capacity to triage, disclose, and patch, meaning AI now finds flaws far faster than organizations can fix them.
- The vetted, alliance-shaped rollout effectively makes a commercial lab the operator of AI-era cyber defense, raising governance questions states usually settle by treaty.
Questions Worth Asking
- If an AI can find ten thousand critical flaws but your team can only patch a few hundred, has your security improved or has your liability just been documented?
- Should a single private company decide which nations and institutions get machine-speed cyber defense and which are left outside the circle?
- If a centralized database of unpatched critical vulnerabilities is the most valuable target an adversary could steal, does creating it make the protected systems safer or more exposed?
