Claude Mythos and Project Glasswing: AI Built for Security
Claude Mythos is a security-focused AI model from Anthropic that is designed to perform high-volume software vulnerability detection, scanning vast codebases to identify critical flaws that could lead to large-scale cyberattacks against enterprises and shared digital infrastructure. The model sits at the center of Project Glasswing, Anthropic’s program that gives selected partners controlled access to Mythos Preview so they can scan, triage, and remediate weaknesses in the software they maintain. According to Anthropic, early Glasswing partners have already used Claude Mythos to find more than 10,000 high- or critical-severity security flaws across major operating systems, web browsers, and other widely used components. In Anthropic’s words, AI models like Mythos have “reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities,” which explains both the promise and the risk of this technology.
A Rapid Expansion: 150 New Organizations, 15+ Countries
Anthropic is now scaling Claude Mythos vulnerability detection through a large expansion of Project Glasswing. After an initial cohort of about 50 partners started in April scanning their codebases at scale, Anthropic announced that approximately 150 additional organizations in more than 15 countries will gain access to Claude Mythos Preview. These new partners must first meet defined security requirements, reflecting concerns about model misuse as Mythos-class systems become more common. Many of the organizations joining this phase maintain codebases used by governments, companies, nonprofits, and other institutions, giving the project outsized reach across interconnected systems. Anthropic estimates that, for most Project Glasswing partners, a major attack on their codebase could affect more than 100 million people. The expansion is therefore framed as both a technical and public-safety step, aiming to secure widely relied-upon software before attackers can exploit similar AI capabilities.
Securing Power, Water, Healthcare, and Other Critical Infrastructure
The latest Glasswing expansion deliberately targets sectors that were underrepresented at launch but sit at the heart of critical infrastructure security AI. New partners include power and water utilities, healthcare providers, communications firms, and hardware vendors, alongside companies and nonprofits that maintain shared codebases. For these organizations, Claude Mythos is positioned as software vulnerability detection AI that can scan legacy systems, proprietary platforms, and open-source components that underpin essential services. Anthropic has warned that “a successful attack on their codebase could be catastrophic,” with implications for both global and national security. By bringing AI security vulnerability scanning into these environments under a controlled access program, Anthropic is trying to move the field from reactive incident response to proactive discovery and patching. The goal is to shrink the attack surface across systems whose failure could disrupt power grids, water treatment, hospital operations, or core communications networks.
Enterprise Adoption: From Big Tech to Network Security Leaders
Project Glasswing’s first cohort already included some of the most influential enterprise and platform providers in technology. Initial partners ranged from hyperscale cloud providers like Amazon Web Services and Google to platform giants such as Apple, Microsoft, and Nvidia, as well as security-focused firms including CrowdStrike, Palo Alto Networks, and Cisco. While detailed deployment architectures are not yet public, these companies are using Claude Mythos vulnerability detection to scan large, complex software estates and coordinate with internal security teams and third parties on triage. Anthropic reports that early partners have operated Mythos at scale, sharing methods and best practices with one another to build repeatable workflows around AI-driven vulnerability discovery. For security vendors and infrastructure providers, this kind of AI security vulnerability scanning is starting to look less like an experiment and more like a new layer in standard secure development and code review pipelines.
From Finding Flaws to Fixing Them: The New Bottleneck
As Mythos-class models spread, Anthropic says the core challenge is shifting away from finding vulnerabilities toward verifying, disclosing, and patching them. With partners already uncovering thousands of high-severity issues, the limiting factor becomes human and organizational capacity to triage results, coordinate responsible disclosure, and deploy fixes at speed across large fleets of software. Project Glasswing is structured to address this transition: partners collaborate with each other and with third parties to validate findings, while Anthropic works to share tools and practices that can be adopted more widely. Complementary offerings like Claude Security, which uses Anthropic’s public frontier models to scan codebases and suggest patches, show how the company is extending its stack beyond raw detection. If enterprises can keep up with remediation, large-scale AI security vulnerability scanning could prevent cascading failures across digital supply chains and reduce the likelihood of catastrophic attacks on shared infrastructure.
