Project Glasswing Adds NATO, Power Utilities, and 15 More Countries
Anthropic expanded Project Glasswing to 200 partners across 15 countries, adding NATO, ENISA, and critical infrastructure operators after 10,000+ high-severity flaws were found.
Anthropic expanded Project Glasswing to roughly 150 new organizations across more than 15 countries on June 2, bringing total membership to about 200 vetted partners and extending access to Claude Mythos Preview to power, water, healthcare, and telecom operators that were entirely absent from the coalition’s April launch. The model had already flagged more than 10,000 high- or critical-severity software vulnerabilities in the eight weeks since launch, before a single new partner from the expanded cohort came online.
Anthropic’s own timeline frames the stakes: within six to 12 months, the company expects rivals to develop models with equivalent cyber capabilities and release them without the safeguards Anthropic itself hasn’t yet built. The coalition it’s assembling through the program is its best argument that controlled access can establish operating norms before that window closes.
What the Model Has Found So Far
Anthropic built Claude Mythos Preview as a general-purpose frontier model. The vulnerability-finding capability emerged only during internal testing: given a prompt as simple as “Please find a security vulnerability in this program” and a containerized copy of the target software, the model reads code, forms hypotheses, runs experiments, and returns a bug report with a proof-of-concept exploit. In one session it chained four vulnerabilities into a browser exploit, writing a JIT heap spray that escaped both the renderer and OS sandbox. It also surfaced a 27-year-old flaw in OpenBSD. Anthropic’s technical assessment of the model’s exploit capabilities documents a FreeBSD vulnerability that chains six remote procedure calls to grant root access to unauthenticated users at a cost under two thousand dollars per successful run.
The UK’s AI Security Institute (AISI) evaluated the model independently in April. Its published evaluation of the model’s autonomous attack performance confirmed it could execute multi-stage attacks on vulnerable networks, completing tasks that would take human professionals days of work. In the institute’s 32-step simulated corporate network attack, the model was first to complete the exercise from start to finish, doing so in three of 10 attempts; the next-best model averaged 16 steps.
- 23,000+ total potential vulnerabilities flagged across the first cohort in eight weeks
- 10,000+ of those rated high or critical severity
- 90.6% of the 1,752 high/critical findings Anthropic manually reviewed were confirmed valid
- 10x increase in vulnerability-discovery rate reported by several early partners compared to previous tools
Cloudflare found 2,000 bugs in its critical-path systems, 400 rated high or critical, with a false-positive rate it described as better than that of human testers. Mozilla found 271 vulnerabilities in Firefox 150, more than 10 times the count from a prior Firefox version scanned with an earlier model. Anthropic committed $100 million in model usage credits to the program’s partners.
The Alliance’s New Geography
When Project Glasswing launched in April, the UK’s AISI was its only non-American member. The June 2 expansion changes that substantially. Anthropic didn’t publish the full partner list, but the Financial Times reported the countries gaining access, and several organizations independently confirmed their inclusion.
Government and Military Alliances
NATO received access, as did ENISA, the EU Agency for Cybersecurity, whose function is broadly comparable to the US Cybersecurity and Infrastructure Security Agency (CISA) but with a less operational mandate. ENISA will be the first European entity in the coalition; its access is still being finalized after the European Commission confirmed it had held several “productive meetings” with Anthropic. Three Five Eyes nations are joining: Canada, Australia, and New Zealand. Australia’s Signals Directorate confirmed its own inclusion separately.
Countries now in the program include France, Germany, Italy, Switzerland, the Netherlands, Spain, Belgium, Sweden, India, Japan, and South Korea, per the Financial Times. South Korea’s Korea Internet and Security Agency (KISA) independently confirmed its access. In May, the European Commission put the case for access plainly: EU organizations that weren’t included would have to “make do with already-available advanced cyber tools” while US and UK peers worked with a model that has no public equivalent.
Private Sector Partners
In the private sector, South Korean technology companies Samsung, SK Hynix, and SK Telecom are joining, making South Korea one of the few nations with both government and major private-sector representation in the initiative. Okta, the US-based identity and access management vendor, confirmed on May 27 it had been granted access and was evaluating the model to further harden its security posture. Rubrik, the data protection company, also confirmed inclusion; its CEO Bipul Sinha said the speed at which the model discovers software vulnerabilities “needs to be taken seriously.”
The Gap OT Companies Can’t Cross
The expansion adds critical infrastructure operators, a category barely represented in round one. The specialist OT cybersecurity vendors, the firms that make the technology securing those operators’ control systems, are a different group, and they’re not part of either program.
Operational technology (OT) is the software and hardware embedded in industrial control systems: the programmable logic controllers in power substations, the supervisory control and data acquisition (SCADA) systems managing water treatment, the equipment networks in hospital facilities. These systems run on different principles than enterprise IT. They can rarely be taken offline for patching, rely on aging vendor-controlled hardware, and sit inside organizations with far less in-house security capacity than the Cloudflares and Mozillas of the first cohort.
“None of the OT companies, none of the organizations that are most representative of that portion of the ecosystem are participating in this and are being represented.”
Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, made that statement to ISMG in late April. By mid-May, none of the six specialist OT cybersecurity companies ISMG contacted had been approached by either Anthropic or OpenAI to join either program.
American Water, one of the largest regulated US water and wastewater utilities, was among several organizations that met with the Office of the National Cyber Director in the weeks before the June 2 announcement, pressing for OT inclusion. Cynthia Kaiser, a former senior FBI cybersecurity official now at Halcyon’s Ransomware Research Center, said getting access is only the first step: “It’s not just about getting access,” she told Nextgov. Organizations still need to prioritize which OT systems to scan and in what order, and physical OT systems can rarely be quickly updated given their reliance on vendor-controlled equipment that often can’t be patched without taking critical infrastructure offline.
Discovery Is Outpacing the Patch
Even within the program’s existing cohort, the numbers expose a structural problem. Of those more than 10,000 high- or critical-severity flaws the first 50 partners found, only 75 critical and high-severity issues had been patched as of the week before the expansion, SecurityWeek reported. Anthropic acknowledged the constraint: “The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them.”
Jeff Williams, founder of the Open Web Application Security Project (OWASP) and chief technology officer at Contrast Security, told Infosecurity Magazine that “AI is turning vulnerability discovery into an industrial-scale activity, but most organizations still remediate at human speed.” A joint report from the Cloud Security Alliance, the SANS Institute, and OWASP concluded that organizations are “likely to be overwhelmed” in the near term by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them. Bain’s analysis of the enterprise cybersecurity implications of AI-powered vulnerability discovery estimates many organizations will need to increase cybersecurity spending by up to two times current levels to begin closing that gap.
Anthropic has partly built an answer into the program’s structure. Partners share tooling, best practices, and triage workflows, on the theory that common infrastructure speeds the disclosure-to-patch pipeline. The company also launched Claude Security, a product built on Claude Opus 4.8, for broader-market codebase scanning and patch suggestions. Adding 150 new partners to the initiative widens the discovery surface without widening the remediation capacity.
Where Anthropic and OpenAI Diverge
OpenAI launched Trusted Access for Cyber alongside its GPT-5.5-Cyber model, and the two programs reflect sharply different assessments of which organizations need a Mythos-class tool most urgently.
| | Project Glasswing (Anthropic) | Trusted Access for Cyber (OpenAI) |
|---|---|---|
| AI model | Claude Mythos Preview | GPT-5.5-Cyber |
| Sector emphasis, first cohort | Big Tech, US government, cybersecurity firms | Financial institutions, code security vendors |
| Key named private partners | AWS, Apple, Microsoft, Google, CrowdStrike, JPMorganChase | Bank of America, BlackRock, BNY, Citi, Goldman Sachs, Morgan Stanley |
| Second cohort (June 2026) | Power, water, healthcare, telecom, NATO, ENISA | Not publicly announced |
| International reach | 15+ countries | Primarily US-based |
| Usage credits committed | $100 million | Not disclosed |
| Total vulnerabilities flagged | 23,000+ | Not publicly reported |
The financial sector’s anxiety about AI-enabled attacks is real. India’s Punjab National Bank committed the equivalent of roughly $405 million to AI and cybersecurity this fiscal year partly in response to what the Mythos disclosure signaled, as detailed in coverage of the AI-driven cybersecurity spending surge across Asia’s banking sector. OpenAI’s choice to anchor its program in six major financial institutions reflects where the sector’s urgency was loudest at launch.
One absence is notable in both programs: CISA, the primary US civilian cybersecurity authority. Gene Moody, field chief technology officer at Action1, told Dark Reading that CISA’s seeming non-participation was “concerning.” Neither Anthropic nor CISA has confirmed whether CISA holds a silent membership.
Six to Twelve Months
Anthropic’s June 2 announcement of the coalition’s international expansion said directly that within six to 12 months, rivals will have models matching this model’s cyber capabilities, and some could release them without the safeguards that no AI company, including Anthropic, has yet developed. In that scenario, automated vulnerability discovery becomes available to anyone, including attackers, and cyberattacks could “occur much more often, and in much more unpredictable forms.”
The Financial Times reported last week that Anthropic has stationed roughly six of its own engineers inside the National Security Agency, adapting the model for offensive cyber operations. The arrangement operates under a carve-out from a broader White House order restricting federal use of Anthropic technology, an order the company has challenged in court. A federal judge issued a temporary injunction in late March; the government has said it intends to appeal. For an agency whose mandate includes offensive cyber operations against adversary networks, a model that can autonomously produce a working exploit from a CVE identifier and a git commit hash within hours is a significant capability addition.
Anthropic also disclosed this week that it had filed a confidential S-1 with the SEC, following a $65 billion Series H funding round detailed in earlier coverage of Anthropic’s $965 billion post-money valuation and its rivalry with OpenAI. The coalition is the company’s most concrete proof of enterprise relevance heading into its public markets debut.
The program’s 90-day reporting milestone falls in mid-July, the first systematic data on whether the coalition is narrowing the discovery-to-patch gap.
