Anthropic Mythos Reveals 10000 Flaws in 150 Firms 2026

Anthropic gave Claude Mythos to 150 organizations in 15-plus countries after partners found over 10,000 critical software flaws since launch.


Key Takeaways

  • 150 organizations in 15-plus countries gained access to Claude Mythos through the Project Glasswing expansion announced June 2.
  • Glasswing partners have found more than 10,000 high or critical vulnerabilities since the program launched.
  • New sectors include power, water, healthcare, communications, and hardware, the soft underbelly of critical infrastructure.
  • Apple, Nvidia, Microsoft, CrowdStrike, and Palo Alto Networks are existing partners, all potential future rivals.
  • Anthropic filed for an IPO at a reported $965 billion valuation the same week, tying security to its commercial story.

The most capable vulnerability hunter on the planet right now is not a person. It is a model named Claude Mythos, and on June 2 Anthropic handed it to roughly 150 more organizations across more than 15 countries. The detail that should make every security leader sit up: those organizations now include the operators of power grids, water systems, and hospital networks. The same machine that can harden a hospital network can, with a change of intent, map its single weakest point in the very same afternoon, and Anthropic is now the party deciding which side of that line every new partner stands on.

What Actually Happened

Anthropic announced an expansion of Project Glasswing, its program for putting Claude Mythos into the hands of vetted defenders. The new cohort adds approximately 150 organizations based in more than 15 countries, deliberately reaching into sectors that were thin in the first wave: power, water, healthcare, communications, and hardware. These are the parts of the economy where a single unpatched flaw does not cost money; it costs lives or lights. New partners must clear a security review before they are given model access, a gate Anthropic is using to keep the most capable offensive tool it has built from leaking into the wrong hands. The review is not a formality. It is the mechanism that turns a dangerous capability into a controlled one, and Anthropic has made clear that organizations that cannot meet its handling requirements simply do not get in.

Mythos is not a chatbot with a security personality bolted on. It is a model specifically tuned to read large codebases and surface exploitable weaknesses, and its track record is the reason this expansion is happening at all. Since the program began, Glasswing partners have collectively surfaced more than 10,000 high or critical severity vulnerabilities, the kind that earn CVE numbers and emergency patch cycles. That number is not a marketing estimate. It is the count of real defects in shipping software that human review and traditional scanners had missed. To put it in perspective, a strong human application-security team might surface a few hundred critical issues across a busy year. Mythos partners cleared five figures, which is the difference between auditing a codebase and continuously x-raying it.

The roster of existing partners explains how serious this has become. Anthropic counts Apple, Nvidia, Microsoft, CrowdStrike, and Palo Alto Networks among Glasswing participants, a list that spans the device makers, chip designers, and security vendors who sit at the center of global digital infrastructure. The company framed the move as collaboration with the security industry, open-source maintainers, and the US government, positioning Glasswing less as a product and more as a coordinated defense effort. The expansion lands the same week Anthropic confidentially filed for an IPO at a reported $965 billion valuation, so the security mission and the commercial story are now traveling together. The pairing is not an accident of timing. A company about to ask public markets for capital wants a narrative that frontier AI is not just a chatbot arms race but a load-bearing pillar of national security, and a program that has hardened the software inside Apple devices and Nvidia chips is exactly that narrative made concrete.

Why This Matters More Than People Think

For two decades the asymmetry in cybersecurity ran one direction. Attackers needed to find a single door left open; defenders needed to lock every door, on every system, forever. Mythos does not erase that asymmetry, but it changes the arithmetic. A model that can read a million lines of legacy C and flag the buffer overflow in minutes gives defenders something they have never had at scale: tireless, expert-level code review that runs continuously rather than once a year when a consultant shows up. The 10,000 flaw figure is what that looks like when you point it at the real world, and it implies a defect density in production software that most executives would rather not think about.

The sector targeting is the tell. By moving Mythos into water utilities and hospital systems, Anthropic is going after the soft underbelly of critical infrastructure, the places that run decades-old software with no security team and no budget to hire one. A regional water authority cannot afford a red team. It can, in principle, afford to run its control software through a model that a vendor has already vetted and gated. That is a different distribution model for security than the industry has ever used, and it is aimed precisely at the targets that nation-state attackers have spent years probing. The same systems that ransomware crews and state actors treat as easy marks are the ones that have historically been too small to defend economically. Mythos lowers the cost of defense enough to change that calculus.

There is a deeper signal here about where Anthropic thinks its moat lives. The company could have shipped Mythos as a self-serve API and booked the revenue. Instead it built a vetting gate, a partner program, and a government liaison function around it. That is a bet that the durable advantage in frontier AI security is not the model weights, which competitors will eventually match, but the trust apparatus: knowing who you can safely hand a cyber weapon to, and being the vendor that regulators and infrastructure operators call first. In an industry where capability gaps close in months, the relationship and the vetting record may be the only things that do not commoditize, and Anthropic is building them now while it still has a lead.

The Competitive Landscape

Anthropic is not alone in pointing language models at vulnerability discovery. Google has publicized its own work, including the first AI-discovered zero-day that was later mass-exploited, a reminder that the same capability cuts both ways. OpenAI has shipped GPT-5.5 Cyber into European markets while keeping its most aggressive offensive features restricted. Microsoft, itself a Glasswing partner, has woven agentic security tooling through Defender and its new MAI model stack. The frontier labs have quietly converged on the same conclusion: code-reading models are the most commercially defensible and least controversial application of their most dangerous capability, which is why all of them are racing to claim the defender's side of it.

The historical parallel is the responsible-disclosure era of the early 2000s, when bug bounty programs first formalized the relationship between hackers who found flaws and companies that needed to fix them. HackerOne and Bugcrowd turned a chaotic gray market into a managed pipeline. Glasswing is attempting the same institutional move one layer up: instead of coordinating human researchers, it coordinates access to a machine that out-produces all of them combined. Whoever owns that coordination layer owns a chokepoint in the security economy, the same way the bounty platforms became unavoidable intermediaries between researchers and the companies they reported to.

The competitive risk for Anthropic is that gated programs are slow and open ecosystems are fast. CrowdStrike and Palo Alto Networks are both partners today, but both also have every incentive to build or buy their own code-analysis models rather than remain dependent on a rival that just filed to go public. The security vendors did not survive three decades by renting their core capability from someone else. Glasswing buys Anthropic a head start and a reference customer list, but it does not lock anyone in, and the partner roster could become a competitor roster the moment the underlying model capability commoditizes. The lesson of every platform war is that today's integration partner is tomorrow's competitor once the dependency becomes strategic.

Hidden Insight: The Vendor That Decides Who Gets the Weapon

The quiet story inside Glasswing is not that Mythos finds bugs. It is that Anthropic has appointed itself the gatekeeper deciding which institutions on Earth are trustworthy enough to wield a tool that finds bugs faster than anyone can patch them. That is an extraordinary amount of soft power for a private company to accumulate, and it has happened with almost no public debate. The vetting requirement is sensible from a safety standpoint. It is also a position no government granted and no regulator approved, assumed by a firm that answers to its investors and is weeks away from answering to public shareholders too.

Consider what the gate actually controls. A model that reliably finds critical flaws in arbitrary code is, definitionally, dual-use. Pointed at your own software it is a defense. Pointed at someone else's it is reconnaissance for an attack. The only thing separating those two uses is the intent of whoever holds the access, which means the access decision is the entire safety control. Anthropic is now making that decision 150 times over, for organizations in 15 countries, under criteria it sets and does not fully publish. The company is, in effect, running a private export-control regime for offensive cyber capability, a function that for conventional weapons sits with governments and treaties.

The bear case follows directly, and skeptics point out that it is not hypothetical. The same Mythos capability that found 10,000 defects for defenders would find them just as efficiently for an attacker who obtained access through a compromised partner, a malicious insider, or a future jailbreak. Concentrating the world's best vulnerability finder behind a single vendor's vetting process creates one enormous target: breach Anthropic's gate, or simply replicate the capability, and you inherit an offensive tool of unprecedented reach. The 150-organization expansion widens the attack surface of the program itself, because every new partner is a new set of credentials, a new endpoint, and a new way in for an adversary patient enough to find the weakest link in the chain.

There is also a subtler dependency forming. Critical infrastructure operators who come to rely on Mythos for their security posture are outsourcing a core competency to a company whose primary business is not security and whose survival is not guaranteed. If Anthropic raises prices, restricts access, or stumbles after its IPO, a water utility that built its vulnerability management around Glasswing has no fallback. The history of security is littered with vendors who became single points of failure precisely because they were good enough that everyone stopped building the capability themselves. Mythos is good enough to create exactly that trap, and the organizations most likely to fall into it are the under-resourced utilities and hospitals the expansion was designed to help.

What to Watch Next

Over the next 30 days, watch whether any of the new infrastructure partners disclose what Mythos actually found in their environments. The 10,000 figure is aggregate and anonymized; the credibility of the expansion will rest on whether a named water utility or hospital system goes public with a concrete save. Also watch for the first published version of the vetting criteria. If Anthropic keeps the access rules opaque, expect pressure from civil-society groups and at least one congressional letter asking why a private firm is running cyber export control without public accountability.

In the 90-day window, the metric that matters is whether competitors respond with open access rather than gated programs. If Google, OpenAI, or an open-weight challenger ships a comparable vulnerability finder without the partner gate, Anthropic's trust-apparatus moat gets tested immediately, and the security vendors on its current roster will face a clear build-versus-rent decision. Watch CrowdStrike and Palo Alto Networks earnings calls for any mention of in-house code-analysis models, the earliest signal that partners are planning their exit and that the moat is thinner than it looks.

By the 180-day mark, the real question is regulatory. Governments have spent two years debating frontier model rules in the abstract. A private company gating offensive cyber capability to critical infrastructure across 15 countries is the concrete case that forces the issue. Expect the EU, which already moved on AI cyber tooling, to ask whether Glasswing needs oversight, and expect Anthropic to argue that its voluntary gate is safer than any rule a regulator would write. Whoever wins that argument sets the template for how AI security capability is governed for the next decade, and the IPO will put that debate in front of every institutional investor reading the prospectus.

Anthropic did not just build the best bug finder on Earth. It appointed itself the authority that decides who is allowed to use it.


Questions Worth Asking

  1. If one private company decides who can wield the world's best vulnerability finder, who decides whether that company is making the right calls?
  2. What happens to a water utility that builds its entire security posture on Mythos if Anthropic raises prices or restricts access after its IPO?
  3. Is your organization's most dangerous dependency a piece of software, or the vendor you have quietly let become irreplaceable?