Anthropic’s decision to throw open the doors of Project Glasswing to roughly 150 new organizations is not just another “AI plus cybersecurity” press release – it is a glimpse of what cyber defense will look like when powerful offensive capabilities are only an API call away.
In early April, Anthropic quietly started testing the waters with about 50 initial partners, giving them access to a special frontier model called Claude Mythos Preview. Those partners pointed Mythos at some of the most important software on the planet – from open source libraries to critical infrastructure systems – and almost immediately started turning up serious issues. Across those early deployments, Mythos helped uncover more than 10,000 high or critical vulnerabilities, many in code bases relied on by governments and major companies worldwide. That early result is what set the stage for this week’s big expansion.
Now, Anthropic says it is extending Project Glasswing access to around 150 additional organizations spread across more than 15 countries. This new cohort includes operators of power, water, healthcare, communications, and hardware systems, along with vendors and nonprofits that maintain core software used as building blocks all over the world. The common thread: if attackers ever compromised these code bases at scale, it would be catastrophic. Anthropic estimates that a major attack on “most partners” could affect more than 100 million people, with knock-on effects for both national and global security.
That framing matters. This is not about catching a few extra bugs in a SaaS dashboard. It is about using an AI system that can already autonomously hunt for zero-day vulnerabilities to harden the software skeleton of modern society – before similar models end up in the hands of less careful actors.
Anthropic’s own language around this is unusually blunt for a big AI lab. In its Glasswing update, the company argues that “cheap, fast AI models with powerful cyber capabilities are around the corner,” and warns that within 6 to 12 months, other AI vendors are likely to have Mythos-class models as well, potentially without equivalent safeguards. In that world, the company says, cyberattacks become more frequent and more unpredictable, and defenders will have to “adapt to maintain pace.”
If you zoom out, that warning lines up with what we are already seeing from the broader security ecosystem. CrowdStrike’s 2026 Global Threat Report, for instance, found an 89 percent increase in attacks carried out by AI-enabled adversaries, with attackers using AI tools to speed up reconnaissance, craft convincing social engineering, and automate parts of intrusion chains. A separate Anthropic analysis of 832 accounts banned for malicious cyber activity between 2025 and 2026 showed threat actors using AI not just for simple phishing text, but also for more complex tasks like lateral movement and tool development. Put simply, the offensive side of the equation is accelerating.
Project Glasswing is Anthropic’s attempt to move defense just as fast – and ideally, a bit faster.
At the heart of Glasswing is Claude Mythos Preview, a frontier model Anthropic is not making broadly available because of its ability to autonomously find and exploit software flaws. In Anthropic’s own testing, Mythos can scan vast code bases, flag likely vulnerabilities, and even propose exploit payloads for them – exactly the kind of capability that makes people nervous when they imagine what a state actor or criminal marketplace might do with it.
Inside Glasswing, though, Mythos is pointed in a different direction. Partners use it as a sort of hyper-charged static analyzer and code reviewer, pointing it at internal services, public-facing components, and widely used open source projects. The model generates vulnerability candidates, which are then triaged and verified by in-house teams, independent security firms, and open source maintainers.
So far, Anthropic says Mythos has scanned more than 1,000 open source projects, surfacing tens of thousands of issues, with over 6,200 categorized as high or critical severity. A chunk of those have already been validated as true positives and pushed upstream as patches and advisories. One widely cited example identified as part of the Glasswing work is CVE-2026-5194 in wolfSSL, a critical flaw that could have allowed attackers to forge certificates and impersonate legitimate services.
Those are exactly the kinds of vulnerabilities you want defenders to find with AI before attackers get equivalent tools.
What is changing with this expansion is the shape of the partner network. The first 50 or so organizations included major tech firms, cloud providers, and large open source projects. The new intake is intentionally skewed toward critical infrastructure providers and vendors whose code is embedded deep in supply chains – power grid operators, water utilities, healthcare platforms, telecom and networking companies, hardware manufacturers, and big open source foundations that maintain widely reused components.
Anthropic emphasizes that every new partner has to meet specific security requirements before they touch Mythos, and the company is still positioning Glasswing as a controlled, invitation-only program rather than a product anyone can sign up for. Many of the organizations in this wave are not glamorous Silicon Valley names; they are the entities quietly running industrial control systems, hospital equipment, or backbone internet infrastructure.
Project Glasswing is also not just about “finding bugs faster.” Anthropic says its role is twofold. First, to “safely provide wide access to better models, tools, and common infrastructure” for defenders. Second, to gradually shift focus from discovery to the harder workflow steps: disclosure, patching, and deploying fixed software at scale.
That second part gets less attention in AI hype cycles, but it is where most security efforts live or die. Anthropic’s own write-ups describe the bottleneck in modern cybersecurity as no longer finding vulnerabilities – Mythos-class models can generate far more leads than human teams can realistically review – but validating, disclosing, and patching them.
To help on that front, Glasswing partners have already started using Mythos not just to locate flaws, but also to draft patches and run pre-release checks to stop issues from landing in production code in the first place. The same capabilities can be re-used for penetration testing, automated threat detection and response, and even for modernizing legacy systems by translating unsafe code into memory-safe languages.
Alongside Glasswing, Anthropic has spun up Claude Security, a separate product that uses its publicly available frontier models (like Claude Opus 4.8) to scan code and propose fixes. The company is also offering some of the custom tools it built for Glasswing – things like vulnerability triage helpers and scanning pipelines – to trusted security teams on request. The message is clear: Mythos is the tip of the spear for highly sensitive environments, but the broader security ecosystem should not wait for that level of access to start experimenting with AI-assisted defensive workflows.
One interesting, and unresolved, question is how far this “frontier model for defenders” pattern can actually scale. Anthropic says that to tackle the coming wave of attacks, “hundreds of thousands of organizations, researchers, and maintainers” will ultimately need access to cutting-edge cyber capabilities. But the company is also candid that it does not yet have safeguards strong and precise enough to safely expose models like Mythos more generally, and notes that to its knowledge no other major AI lab does either.
That tension runs through the entire Glasswing expansion. On one hand, Anthropic is warning – in near-term, not sci-fi terms – that models capable of autonomously attacking “every major operating system and web browser” will exist outside of its walls before long. On the other hand, it is limiting full-strength access to a relatively small circle of pre-vetted partners, while nudging the rest of the industry toward safer public tools and new standards.
If you work in or around security, this will sound familiar. The field has long wrestled with dual-use tension: techniques that are essential for defense can also supercharge offense. What is new is the speed and scale AI introduces. CrowdStrike’s threat data points to a world where the fastest e-crime breakout times are measured in seconds rather than minutes, and where 82 percent of detections are already “malware-free” – meaning attackers are leaning heavily on credential theft, living-off-the-land techniques, and misused legitimate tools, including AI platforms.
In that context, Glasswing looks less like an experimental pilot and more like a dry run for how AI companies, governments, and infrastructure providers might coordinate around frontier capabilities in general. Anthropic has even launched a Cyber Verification Program, which it plans to scale alongside Glasswing to give vetted organizations Mythos-level access for specific defensive tasks. If that model works in cybersecurity, it is easy to imagine similar programs emerging in other sensitive domains where AI can be both powerful and dangerous – think biosecurity, industrial control, or autonomous systems.
There is also a geopolitical angle here. Anthropic notes that this expansion includes organizations in the US and overseas, and that it wants future rounds to widen that geographic spread further. Given how much critical infrastructure crosses borders, and how many open source components are maintained by small, globally distributed teams, an AI security capability that only protects US or G7 systems would always be incomplete. But sharing powerful models internationally also raises tricky questions around export controls, regulatory alignment, and the risk of accidental proliferation.
None of that gets solved by one initiative, and Anthropic does not pretend otherwise. Instead, Project Glasswing reads like a recognition that frontier-grade cyber models already exist, and that the responsible choice is to start learning how to integrate them into real-world defense before attackers force everyone’s hand.
If Glasswing succeeds, the long-term picture looks very different from today’s whack-a-mole patching culture. Defenders in critical sectors would have automated systems constantly sweeping their stacks for exploitable behavior, drafting mitigation plans, and nudging human operators toward fixes. Open source maintainers would not have to rely on scattered bug bounty reports to catch subtle flaws deep in their code. Regulators and standards bodies could build realistic assumptions about AI-augmented attack and defense into frameworks like MITRE ATT&CK or NIST guidelines.
If it fails – or if similar programs do not materialize elsewhere – then the scenario Anthropic is worried about becomes a lot more plausible: powerful offensive models leak or are built elsewhere without comparable guardrails, and the world’s most sensitive systems get caught flat-footed.
Right now, though, Project Glasswing is still in that rare phase where a frontier AI capability is being tested in a relatively small, controlled circle with a clearly articulated defensive mission. Expanding from 50 or so partners to roughly 200 is a big step, but it is still a far cry from opening an API to the public.
For people running security programs at utilities, hospitals, cloud providers, or major open source projects, the signal is hard to miss. The AI wave is already reshaping the threat landscape at the code level, and the question is less “if” than “how quickly” organizations can adapt. Anthropic is betting that putting Mythos-class tools into the hands of the right 150 organizations – and the next 150 after that – can tilt the balance, at least a little, in favor of defenders.
