Anthropic Expands Glasswing: Frontier AI as Cyber Defense

Anthropic Project Glasswing — the controlled program that gives critical-infrastructure operators access to a frontier model built to hunt software vulnerabilities — expanded on June 2, 2026 to roughly 200 organizations across more than 15 countries, with partners collectively reporting over 10,000 high- and critical-severity flaws in under two months of operation.

The headline numbers are striking, but the more useful story for builders is the architecture underneath them. Anthropic now runs two distinct security products: the Mythos model, which is powerful enough that the company says it cannot yet release it to general access, available only inside Glasswing; and Claude Code Security, built on Claude Opus 4.8, which is in Enterprise beta and which any qualifying team can apply to use. Most coverage conflates the two. They are not the same thing, and the difference is the entire point.

This guide separates what was actually announced from what was forecast, lays out the access ladder from public beta to Glasswing-only Mythos, explains why financial-market infrastructure joining is a genuine first, and ends with a practical view of what engineering and security teams should do this quarter. Every figure below is sourced to Anthropic, the partner organizations, or mainstream reporting, with vendor-stated benchmarks marked as such.

Project Glasswing launched in early April 2026 with approximately 50 initial partner organizations, each given access to Claude Mythos Preview to scan their critical software for vulnerabilities. On June 2, 2026, Anthropic announced an expansion of roughly 150 additional organizations in more than 15 countries, bringing total membership to around 200 organizations. The day before, on June 1, Anthropic had separately announced Glasswing access for the European Union.

The expansion deliberately widened the sector mix. The original cohort skewed toward technology, with named major partners including Apple, Nvidia, Microsoft, CrowdStrike, and Palo Alto Networks. The June 2 wave added sectors that were under-represented at launch: power, water, healthcare, communications, and hardware. New partners must meet security requirements before gaining access to Mythos. Anthropic did not disclose every organization joining in the expansion.

Other named partners across the program include Okta in the US; Samsung, SK Hynix, and SK Telecom in South Korea; and — notably — the first inter-governmental bodies confirmed in the program: NATO and the EU's cybersecurity agency, ENISA. Countries with confirmed access span Australia, Canada, France, Germany, Italy, Switzerland, the Netherlands, Spain, Belgium, Sweden, India, Japan, New Zealand, South Korea, and the United States.

The single most important distinction in this story is one that most reporting blurs. Anthropic operates two separate security offerings with very different access models, and confusing them leads teams to either overestimate what they can buy today or underestimate the capability gap they are planning around.

Claude Mythos Previewis the frontier model announced April 7, 2026 alongside the first Glasswing cohort. It is available only inside Project Glasswing, to vetted critical- infrastructure operators. Anthropic has been explicit that it cannot yet release Mythos to general access because it has not finished building the safeguards required to prevent misuse of the model's offensive cyber capabilities.

Claude Code Security is the publicly accessible defensive product, built on Claude Opus 4.8 rather than Mythos. It scans codebases for vulnerabilities, runs multi-stage verification to filter false positives, assigns severity ratings, and proposes patches — but requires human approval before any fix is applied. It is available now in a limited research preview to Enterprise and Team customers, and open-source maintainers can apply for free expedited access. This is the version a normal engineering organization can actually adopt.

Putting the offerings side by side answers the question every security and engineering lead is asking right now: which of these can my organization actually use, and under what conditions? The table below maps the four tiers, from the publicly available product to the future general release that has no confirmed date.

The practical reading: only one row on that ladder is something a typical organization can act on today, and it is the top one. If your team wants AI-assisted vulnerability discovery on your own code in 2026, Claude Code Security is the door that is open. Mythos is a signal of where the capability is heading, not a product you can procure. If you are weighing how to fold this into your own security program, our AI transformation engagements start with exactly this kind of capability-versus-readiness mapping.

Two June announcements make financial-market infrastructure a Glasswing first. Intercontinental Exchange (NYSE: ICE) — the parent of the New York Stock Exchange, multiple clearinghouses, data services, and the ICE Mortgage Technology platform — announced it has joined Project Glasswing and is deploying Claude Mythos Preview across those systems. This category matters because clearinghouses and exchange infrastructure sit at the intersection of financial stability and critical infrastructure, where a single unpatched vulnerability could carry systemic consequences.

The second financial-sector signal is more subtle. Cloud data management and security platform Rubrik (NYSE: RBRK) announced on June 4, 2026 that it is among the new Glasswing partners, using Mythos Preview to identify and patch vulnerabilities across its enterprise platform and product suites. Rubrik sells cyber resilience and data protection. A security vendor using a frontier AI model to harden its own product before attackers can use equivalent models is a new kind of arms race — a meta-level one, where defenders must adopt the same offensive capability they are defending against.

ICE's own framing is that Mythos lets the company detect vulnerabilities at scale across the backbone of global financial markets. Neither ICE nor Rubrik published specific counts of flaws found in their own systems, and we are not inferring any — the meaningful signal here is sector adoption, not a leaderboard of internal bug counts.

Why gate a defensive tool behind invitation and vetting at all? The answer is the capability profile Anthropic disclosed in its Mythos research. Using Mythos Preview, Anthropic's internal red team reported finding thousands of zero-day vulnerabilities across every major operating system and every major web browser. The oldest was a 27-year-old vulnerability in OpenBSD; another was a 17-year-old remote-code-execution flaw in FreeBSD's network file system.

The capability jump over the prior generation is what makes the controlled rollout coherent. On a Firefox JavaScript exploit-development task, Anthropic reports that its earlier Opus 4.6 model produced 2 successful exploits from several hundred attempts, while Mythos produced 181 — a step-change rather than an increment. These figures are vendor-stated and have not been independently replicated, so we treat them as directional evidence of a large gap, not precise public benchmarks.

The most important safety point Anthropic makes is about howthe capability emerged. The company says Mythos's exploit-finding skill was a downstream consequence of general improvements in code, reasoning, and autonomy — it did not explicitly train the model for exploit development. That is the uncomfortable implication for the whole field: general frontier progress produces offensive cyber capability as a side effect, whether or not anyone intends it.

Anthropic ties this directly to a timeline. The company has stated that within 6 to 12 months, many other AI companies will have Mythos-class models, and that they could release them without safeguards that prevent misuse. That forecast is the stated rationale for the controlled Glasswing rollout: get defensive capability into critical-infrastructure hands before equivalent offensive capability proliferates broadly.

On the question of when Mythos itself goes wide, the record needs care. Around its May 28 Series H announcement, Anthropic indicated it plans to bring Mythos-class models to all customers, framed as aspirational and pending safeguard development. As of June 4, 2026 there is no confirmed general-release date, and Anthropic has said plainly that the necessary safeguards have yet to be developed. Treat a wide Mythos release as intended, not imminent.

Here is the part of the story most coverage buries. If frontier AI can surface vulnerabilities faster than ever, the constraint shifts from discovery to remediation. Anthropic itself has noted that over 99% of Mythos-discovered vulnerabilities remained unpatched at the time of its research publication, with the lab using cryptographic hash commitments to time the eventual public release of findings. Discovery is racing ahead of fixing.

Practitioners reacting to the expansion landed on the same point. The actionable insight is not that AI can find more bugs — it is that your existing patch cadence was never designed for the volume and velocity of advisories this capability can generate.

The same theme runs through the infrastructure framing. In critical sectors, an exposed vulnerability rarely affects only one company, which is why faster discovery raises the stakes on coordinated, rapid remediation rather than lowering them. The expansion gives more essential sectors a chance to prepare for a phase where finding vulnerabilities is the easy part and reducing real-world risk — by actually shipping fixes — is what separates resilient operators from exposed ones.

For everyone outside the 200 Glasswing organizations, Claude Code Security is the practical takeaway. It runs on Claude Opus 4.8 — the generally available frontier model, not Mythos — and brings a structured workflow: scan the codebase, run multi-stage verification to filter false positives, assign severity ratings, and suggest patches, with a human in the loop required to approve any fix before it lands.

The capability is credible because Anthropic has shown a related result publicly: using the earlier Opus 4.6 model, its team reported finding over 500 previously unknown zero-day vulnerabilities in production open-source codebases, some of which had gone undetected for decades. Claude Code Security makes that class of scanning available to Enterprise and Team customers, with open-source maintainers able to apply for free expedited access.

For most agencies and engineering teams, the sequence is: pilot Claude Code Security on a contained set of repositories, measure the true-positive rate and the review burden it creates, and — in parallel — pressure-test whether your remediation pipeline can keep up. The tool is only as valuable as your ability to act on what it surfaces, which is exactly why the patch-cadence work matters before, not after, you turn on AI-assisted discovery.

The Glasswing expansion is not an abstract policy story for security teams — it is a near-term operational signal. Anthropic's own 6-to-12-month forecast for copycat models means the prudent posture is to assume AI-assisted vulnerability discovery becomes widely available, on both sides, within a year. Here is how we'd sequence the response.

Our read on the trajectory: the labs will keep widening defensive access — Anthropic's EU and Glasswing expansions, plus other vendors signaling cybersecurity-focused models, point to a market where AI-assisted vulnerability work becomes table stakes rather than a differentiator. Reporting around the June 2 expansion noted that at least one other major lab is moving in the same direction with a security-focused offering, though the specifics of that product are not yet independently confirmed. The competitive dynamic Anthropic warned about appears to be underway either way.

Projecting forward, the organizations that come out ahead will not be the ones with the most sophisticated scanner. They will be the ones whose remediation machinery can keep pace with discovery. That is a decidedly unglamorous conclusion — invest in patch throughput, not just detection — but it is the one the evidence supports. If you're building AI into security or developer workflows, our web and application development engagements and agentic systems work are built around exactly this discipline: capability paired with the operational pipeline to use it. For the financing and market context behind this push, see our coverage of Anthropic's $65 billion Series H raise at a $965 billion valuation; for the model itself, see Claude Mythos Preview, the model driving Glasswing; and for the adjacent risk surface, our framework for prompt injection and AI-enabled attack vectors.