Anthropic Expands Project Glasswing to Defend Critical Infrastructure With AI
Anthropic expanded Project Glasswing to about 150 organizations across 15-plus countries, using a frontier model to find vulnerabilities before attackers do.

In early June 2026, Anthropic expanded Project Glasswing, a program that uses an advanced AI model to find and fix software vulnerabilities in critical infrastructure. The expansion brings the effort to roughly 150 organizations across more than 15 countries, spanning sectors like energy, water, healthcare, communications, and technology. It is one of the most concrete examples yet of frontier AI being aimed squarely at defense.
Quick answer
In early June 2026, Anthropic expanded Project Glasswing to roughly 150 organizations across more than 15 countries, putting a gated frontier model (Claude Mythos Preview) in the hands of critical-infrastructure operators in energy, water, healthcare, communications, and hardware. Since launching in April 2026, the model has surfaced more than 10,000 high- or critical-severity vulnerabilities, and early partners like Cloudflare (2,000 bugs) and Mozilla (271 Firefox fixes) acted on thousands of them. Anthropic says the bottleneck is no longer finding flaws but human capacity to triage, disclose, and patch them.
Key takeaways
- Anthropic added about 150 organizations across more than 15 countries, broadening Glasswing into power, water, healthcare, communications, and hardware sectors.
- The program runs on Claude Mythos Preview, a gated, unreleased frontier model unusually capable at finding software flaws.
- Since launching in early April 2026, the model has surfaced more than 10,000 high- or critical-severity vulnerabilities.
- Early partners reported striking results: Cloudflare found 2,000 bugs (400 high or critical) and Mozilla fixed 271 vulnerabilities in Firefox while testing the model.
- Anthropic says the real bottleneck is now human capacity to triage, disclose, and patch the flaws the model finds.
What happened
Project Glasswing pairs Anthropic with critical-infrastructure operators and major technology companies to test next-generation AI tools for defensive cybersecurity. The June expansion widened both the number of participating organizations and the sectors involved, deliberately reaching into areas underrepresented in the first wave, including power, water, healthcare, communications, and hardware. Many of the new partners are vendors whose codebases underpin critical infrastructure systems.
At the center is a gated research-preview model Anthropic refers to as Claude Mythos Preview, an unreleased frontier model the company says is unusually capable at finding and exploiting software flaws. Since the program launched in early April 2026, the model has surfaced more than 10,000 high- or critical-severity vulnerabilities. In one effort, Anthropic said the model scanned more than 1,000 open-source projects and flagged over 23,000 potential vulnerabilities, with several thousand rated high or critical. Of a sample reviewed independently, the company said more than 90% were confirmed as valid.
Note
A "zero-day" is a vulnerability that defenders do not yet know about and have not patched. Finding them first lets defenders fix the hole before attackers can use it; finding them second usually means cleaning up after a breach.
The details
Early partner results give a sense of scale. Cloudflare said the model identified 2,000 bugs across its critical-path systems, including 400 rated high or critical. Mozilla reported finding and fixing 271 vulnerabilities in Firefox 150 while testing the model, more than ten times the number found in a previous Firefox version. Those are not abstract figures; they represent real flaws in software that millions of people rely on every day.
| Partner / effort | Reported result | Why it matters |
|---|---|---|
| Cloudflare | 2,000 bugs found, 400 high or critical | Flaws in critical-path edge systems |
| Mozilla (Firefox 150) | 271 vulnerabilities fixed | More than 10x a prior Firefox version |
| Open-source scan | 23,000+ potential flaws across 1,000+ projects | 90%+ of a reviewed sample confirmed valid |
| Program total (since April 2026) | 10,000+ high or critical findings | Scale no manual team could match |

Anthropic is candid about the limiting factor. As the company put it, the bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them. An AI that surfaces thousands of valid flaws only helps if organizations can act on the findings, which is why the program emphasizes coordination with vendors rather than dumping vulnerability lists into the open.
Why it matters
The premise behind Glasswing is a double-edged observation: AI has reached a point where it can find software vulnerabilities better than all but the most skilled human researchers. That capability is enormously useful for defense, but the same skill is exactly what an attacker would want. The pace at which exploited flaws now move from disclosure to attack is sobering, as seen in cases like the Cisco Unified CM SSRF flaw weaponized within 24 hours.
Anthropic frames the program as an attempt to get ahead of that shift. By putting a powerful vulnerability-finding model in the hands of defenders now, the company argues, critical systems can be hardened before similarly capable models become widely available, potentially without safety guardrails, to anyone, including attackers. Anthropic has said it expects other AI companies to field comparable models within roughly 6 to 12 months.
For the operators involved, the appeal is practical. Power grids, hospitals, and telecom networks run on layers of software, much of it old and hard to audit. An AI that can systematically scan large codebases and surface the most serious flaws could find problems that manual review would take years to reach.
The risks and the debate
The flip side is unavoidable. A tool good enough to find thousands of real vulnerabilities is also a tool that, in the wrong hands, could accelerate attacks rather than prevent them. That is why Mythos is described as gated and limited to a controlled set of partners rather than released publicly. The same dual-use tension is driving governments to slow public releases of frontier models, as with OpenAI's restricted GPT-5.6 rollout.
Critics and supporters alike tend to agree on the core tension: powerful offensive-security capabilities are emerging whether or not any single company releases them, so the policy question is how to distribute the defensive version responsibly and quickly enough to matter. The broader category of AI-amplified attacks, including prompt injection against agents, is explored in our 2026 prompt injection defense playbook.
Warning
The same AI capability that helps defenders patch flaws first can help attackers find them first. The value of programs like Glasswing depends heavily on access staying controlled and defenders moving faster than adversaries.
What is next
Things to watch:
- Confirmed fixes, not just findings. The real measure is how many flagged vulnerabilities actually get patched across participating organizations.
- Independent validation. Outside review of the model's accuracy and false-positive rate will shape trust in the approach.
- The 6-to-12-month window. If comparable models reach the open market on that timeline, the race between offense and defense intensifies.
- Policy response. Governments may weigh in on how powerful vulnerability-discovery tools should be governed.
Frequently asked questions
What is Claude Mythos Preview?
It is an unreleased, gated frontier model from Anthropic, made available only to vetted Project Glasswing partners. Anthropic says it is unusually strong at finding and even exploiting software vulnerabilities, which is why access is tightly controlled.
How accurate are the model's findings?
In an independent review of a sample of its high- and critical-rated findings, more than 90% were confirmed valid. Real-world partners like Cloudflare and Mozilla also acted on thousands of flagged bugs, suggesting a meaningful signal rather than mostly noise.
Could this tool help attackers instead?
In principle, yes, which is why it is gated. A model capable of finding thousands of valid flaws would be dangerous if released openly. Anthropic's bet is that controlled defensive access lets operators patch before comparable models leak to attackers.
Why is patching the bottleneck?
Finding vulnerabilities is now faster than fixing them. Triaging, disclosing responsibly, writing patches, and deploying them across complex infrastructure all require human effort and time, which the AI does not remove.
For now, Project Glasswing is one of the most concrete examples of frontier AI being aimed at defense, and a preview of a security landscape where both attackers and defenders have far sharper tools.
Sources & further reading
- anthropic.com/news/expanding-project-glasswing
- techcrunch.com/2026/06/02/anthropic-scales-claude-mythos-to-critical-infrastructure-in-15-countries/
- helpnetsecurity.com/2026/06/03/anthropic-project-glasswing-expansion/
- cyberscoop.com/anthropic-project-glasswing-expansion-critical-infrastructure-claude-mythos/
- cnbc.com/2026/06/02/anthropic-mythos-ai-project-glasswing.html


