Expanding Access to Project Glasswing
Anthropic has announced the expansion of its Project Glasswing program, adding approximately 150 organizations in 15 countries. This move follows an initial cohort of roughly 50 partners that were announced when Anthropic first unveiled the initiative.
The new group covers sectors that were underrepresented in the first wave, including power, water, healthcare, communications, and hardware. Many of the new partners are vendors whose codebases underpin critical infrastructure systems. Although the company did not give any further details on what companies or organizations were part of the new cohort, sources indicate that NetSkope and Rubrik, which specialize in cloud security and data management, are part of the group given access in this latest round.
Discovering Vulnerabilities with Mythos Preview
The restricted Claude Mythos Preview model has already surfaced more than 10,000 high- or critical-severity software vulnerabilities since the program launched in early April. The scale of what Mythos Preview has already found is drawing attention across the security industry. For example, Cloudflare identified 2,000 bugs across its critical-path systems, including 400 rated high or critical, with a false-positive rate the company described as better than that of human testers.
Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing the model, more than 10 times the number found in a previous Firefox version using an earlier Anthropic model. Several other partners reported that their rates of bug discovery increased more than tenfold after deploying the model.
Scanning Open-Source Projects
Anthropic also used Mythos to scan more than 1,000 open-source projects, flagging 23,019 potential vulnerabilities, 6,202 of them estimated as high or critical. Of 1,752 high- or critical-rated findings independently reviewed, over 90% were confirmed as valid.
Challenges in Cybersecurity
The findings have shifted what Anthropic describes as the central issue in cybersecurity. Despite the enhanced ability to discover flaws, the company admits there are challenges with verifying, disclosing, and patching them before attackers can take advantage. According to Anthropic,
“The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them,”
A joint report from the Cloud Security Alliance, the SANS Institute, and OWASP concluded that organizations are “likely to be overwhelmed” in the near term by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them.
Release of Claude Security
Anthropic has said it will not release Mythos-class models to the general public, citing the absence of safeguards sufficient to prevent serious misuse. In the interim, it has released Claude Security, a product using its publicly available Claude Opus 4.8 model that has been used to patch more than 2,100 vulnerabilities in three weeks.
The program’s expansion comes as the Trump administration signed a scaled-back executive order on AI security. The order, which was signed hours after Anthropic’s announcement, sets up a voluntary framework requiring AI developers to submit advanced models to a government review up 30 days before public release.
- Cloudflare identified 2,000 bugs across its critical-path systems, including 400 rated high or critical.
- Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing the model.
- Anthropic used Mythos to scan more than 1,000 open-source projects, flagging 23,019 potential vulnerabilities.
Source: CyberScoop