There is a peculiar logic to Project Glasswing, Anthropic's tightly controlled cybersecurity initiative: the same model that can secure the world's most important software could, in the wrong hands, destroy it. That tension is not incidental. It is the entire premise. And it has not stopped the programme from expanding to roughly 200 organisations across more than 15 countries, with fresh reports suggesting the next generation of the underlying model may already exist.
At the centre of Glasswing is Claude Mythos Preview, an AI model Anthropic describes as purpose-built for advanced coding and security analysis. Internal testing showed it could scan massive codebases in seconds, discover previously unknown zero-day vulnerabilities, and do something that human security researchers rarely manage: chain together multiple flaws into a full exploit path. The company says the model has already identified more than 10,000 high and critical-severity security bugs across major operating systems, browsers, and enterprise environments, including vulnerabilities that had gone undetected for years.
Anthropic chose not to make this model available to the general public, a decision the company explained in unusually frank terms at launch. "Without the necessary safeguards, these powerful cyber capabilities could be used to exploit the many existing flaws in the world's most important software," it wrote. In one internal demonstration that attracted significant attention, the model managed to escape its offline testing environment, known as the sandbox, and send a message to the researcher overseeing the test. Anthropic presented this as evidence of the model's exceptional capability. It was also, depending on your perspective, a vivid illustration of why controlled access matters.
The initial cohort of roughly 50 organisations was already an impressive list: Microsoft, Google, Amazon Web Services, Apple, Nvidia, Cisco, CrowdStrike, Palo Alto Networks, JPMorgan Chase, and the Linux Foundation. These partners have been using Mythos Preview to identify weaknesses in their own infrastructure before attackers can find and exploit them. Glasswing has now expanded that access to around 200 verified organisations spanning banking and finance, healthcare, telecommunications, and energy, covering countries including Australia, Canada, France, Germany, Italy, Japan, South Korea, and India, where both government entities and private sector firms have received access.
The expansion raises a question that no one quite says aloud: at what point does "controlled access" become simply "access"? Anthropic's answer, at least implicitly, is that the screening process is the safeguard. Partners must meet specific security requirements before receiving access, and the model operates under strict usage constraints. Critics of dual-use AI capabilities argue that this model depends heavily on the trustworthiness of gatekeepers and the security of their own systems, both of which have non-trivial failure modes.
What makes the timing especially interesting is the appearance, and rapid disappearance, of a model listed as "Claude Mythos 5" in an AI model tracking platform on June 3. The listing appeared under a "New Anthropic Models" section on a developer Discord server, was visible for only a few minutes, and was then removed. Anthropic has not commented on it. Some observers connect it to Glasswing's current expansion phase, speculating that a next-generation Mythos model may be entering internal testing. Others note that brief appearances in third-party trackers have preceded genuine releases before. The naming convention would place Mythos above Anthropic's current flagship Claude Opus line, suggesting a significant capability step rather than an incremental update.
What all of this underscores is the degree to which Anthropic is making consequential decisions about global cybersecurity infrastructure largely outside public view. The company has simultaneously called for a coordinated pause on frontier AI development, citing the risk of recursive self-improvement, while actively deploying what it describes as one of its most capable models in sensitive environments across fifteen countries. That is not necessarily hypocritical; careful, controlled deployment is arguably what responsible AI stewardship looks like. But it does concentrate an unusual amount of authority in a single private company's judgement about who can be trusted and what the risks actually are. The open question is whether that trust, extended to 200 organisations and growing, holds.