The San Francisco-based artificial intelligence company is adding around 150 organisations to Project Glasswing, its gated initiative for defensive use of a frontier model that has drawn intense attention from technology companies, banks, public agencies and national security officials. The expansion takes the programme beyond its initial group of roughly 50 partners and extends it across more than 15 countries.
Mythos Preview is not being released for general public use. Anthropic has described the model as its most capable frontier system to date for vulnerability discovery, with the ability to read large codebases, identify weaknesses and, in some cases, work out exploit chains without close human steering. Access is being limited to organisations that meet security requirements, reflecting concern that the same capability could be misused if deployed without controls.
Project Glasswing is aimed at software that underpins critical services, including healthcare, power, water, communications, hardware, cloud platforms and open-source infrastructure. Anthropic has said a successful attack on some participating organisations could affect more than 100 million people, underscoring why the rollout is being framed as a defensive effort rather than a conventional product launch.
The expansion follows several weeks of testing in which Glasswing partners and Anthropic’s own teams identified more than 10,000 high- or critical-severity security flaws. Some partners reported that their rate of bug discovery rose more than tenfold, while Cloudflare found about 2,000 bugs across critical-path systems, including 400 classed as high or critical severity. Mozilla’s testing of Firefox 150 led to the discovery and fixing of 271 vulnerabilities, far above the number found in the previous comparable test cycle using Claude Opus 4.6.
Anthropic has also used Mythos Preview to scan more than 1,000 open-source projects that support internet services and enterprise systems. The model estimated 6,202 high- or critical-severity vulnerabilities among 23,019 findings across all severity levels. Of the 1,752 high- or critical-rated findings assessed by outside security researchers or Anthropic staff, 90.6% were found to be valid true positives, while 62.4% were confirmed as high or critical severity.
The figures point to a sharp shift in the economics of cyber defence. Finding vulnerabilities has become faster and cheaper, but confirming, reporting and fixing them remains labour-intensive. Maintainers are already dealing with a flood of low-quality AI-generated bug reports, and Anthropic has acknowledged that some open-source teams have asked it to slow disclosure so they have time to assess and patch issues. On average, a high- or critical-severity bug found by Mythos Preview takes about two weeks to patch.
The programme has produced examples in widely used systems. Mythos Preview identified a 27-year-old flaw in OpenBSD, a 16-year-old flaw in FFmpeg and chains of Linux kernel vulnerabilities that could allow privilege escalation. It also detected a vulnerability in wolfSSL, a cryptography library used by billions of devices, which could have allowed attackers to forge certificates for convincing fake websites. Those examples highlight the defensive value of large-scale automated review, but they also explain why governments and financial institutions have treated the model with caution.
Independent cyber evaluations have shown that Mythos Preview represents a step up from earlier frontier models. It has performed strongly on capture-the-flag tests and multi-step simulated attack ranges, including a corporate network scenario in which it was the first model to complete the full chain in some attempts. Those tests were conducted in controlled environments and do not prove that the model could compromise well-defended live systems, but they strengthen the case that AI-assisted cyber operations are moving beyond code suggestions into sustained vulnerability discovery and exploitation workflows.
Anthropic’s approach reflects a broader debate over how to handle frontier AI systems that can both protect and threaten digital infrastructure. Banks and technology companies want access so they can harden their systems before rivals, criminals or state-linked actors obtain similar tools. Security specialists, meanwhile, warn that wider release could create a race in which patching teams struggle to keep pace with automated discovery.
The company has committed up to $100 million in usage credits for Mythos Preview and $4 million in direct donations to open-source security organisations. It has also said it does not plan to make Mythos Preview generally available, although it aims to enable customers to deploy Mythos-class models with additional safeguards. That distinction is important: Anthropic is trying to build a pathway for defensive adoption while delaying unrestricted access to a capability it believes could spread through other AI systems within months.
The new Glasswing partners include government organisations and companies across major economies, though Anthropic has not named the full list. South Korea’s participation includes the Korea Internet & Security Agency, with major technology groups linked to the national rollout. The wider country list includes several advanced software and infrastructure markets, including the United States, Canada, Australia, New Zealand, France, Germany, Japan and South Korea.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
