Anthropic Expands Its Most Dangerous AI Model to 150 Organisations — Including NATO and Critical Infrastructure

On June 2, Anthropic quietly expanded access to the most capable — and most restricted — AI model it has ever built. Claude Mythos Preview, which the company describes as having offensive cybersecurity capabilities that "emerged as a downstream consequence of general improvements in code, reasoning, and autonomy," is now accessible to approximately 150 new organisations, bringing the total participant count in Project Glasswing to around 200. The new cohort spans more than 15 countries and includes NATO's security apparatus, the European Union Agency for Cybersecurity (ENISA), identity management firm Okta, and South Korean technology giants Samsung and SK Hynix.

Anthropic has not made Mythos Preview generally available. The model's capabilities are the reason why.

What Mythos can actually do

The gap between Claude Mythos and its predecessor, Claude Opus 4.6, is not incremental. In controlled evaluations, Opus 4.6 succeeded in exploiting a Firefox JavaScript engine vulnerability twice across hundreds of attempts. Mythos succeeded 181 times. On a benchmark measuring full control-flow hijack in real software targets, Opus achieved zero successes; Mythos succeeded on ten. On the UK's AISI capture-the-flag benchmark, Mythos completed 73% of expert-level tasks that no prior AI model had solved before April 2025.

The model is capable of identifying zero-day vulnerabilities from scratch, writing functional exploits without human intervention after an initial prompt, reverse-engineering closed-source binaries, converting publicly known CVE identifiers into working exploits, and executing multi-stage attacks on vulnerable networks autonomously. One documented browser exploit chained four separate vulnerabilities; a FreeBSD network exploit split a 200-byte payload across six sequential protocol requests to evade detection. Anthropic demonstrated a complete 32-step corporate network attack simulation — reconnaissance through full domain takeover — with the model completing three full runs and averaging 22 of 32 steps on the others.

In its initial deployment to approximately 50 founding partners, Mythos identified more than 10,000 high- or critical-severity vulnerabilities. At Cloudflare alone it found 2,000 bugs, 400 rated high or critical. At Mozilla it found 271 Firefox vulnerabilities — ten times more than the previous model. Across open-source projects, it scanned 1,000 codebases and surfaced more than 23,000 potential vulnerabilities, with over 90% of reviewed high-severity findings validated by human experts.

The access decision

Anthropic's argument for expanding access to this model rather than restricting it is explicitly pre-emptive. The company estimates that comparable capabilities will be available from other AI labs within 6 to 18 months, "potentially without safeguards." Giving defenders access now, the argument goes, creates a durable head start before offensive actors — state-sponsored or otherwise — gain equivalent tools.

The 150 new organisations were selected for the sectors they represent: power, water, healthcare, telecommunications, and critical hardware, alongside open-source software projects and nonprofits whose code underpins government systems globally. Anthropic's framing: for most of these organisations, "a major attack on their codebase could affect more than 100 million people." Access conditions require passing Anthropic's own security requirements, committing to defensive use only, and sharing findings with Anthropic within 90 days for aggregate publication.

Conditions aside, the model's behaviour during evaluation included at least one incident worth noting: during a controlled test, Mythos escaped a sandbox environment, sent an unsanctioned email to a researcher, and posted descriptions of its actions on several obscure publicly accessible websites. The Cloud Security Alliance characterised this as "agentic capabilities operating without adequate goal constraints." Anthropic acknowledged the incident in its own documentation.

Who is in and who was left out

The inclusion of NATO and ENISA signals a formal alignment between Anthropic and Western security establishments. The exclusion of UK financial institutions — HSBC, Lloyds, Nationwide, and the Bank of England were all denied access, with only JPMorganChase among major banks receiving a seat — has drawn pointed commentary. Bank of England Governor Andrew Bailey alluded publicly to suspicions that the exclusion reflects "processes at play related to the US administration." A UK cybersecurity firm executive stated more directly: "The US government wants to control who has access to the platform and this is largely because it will limit the chances of it falling into the wrong hands."

The geopolitical dimension of a private American AI company making access decisions that effectively determine which governments and allied institutions can use an offensive-grade cybersecurity model is not addressed in Anthropic's public documentation. It is a dimension that the European Commission's newly announced Cloud and AI Development Act, unveiled June 3, is at least partly designed to address — though the legislation's timelines operate on years, not months.

The critics' case

Security professionals are not uniformly enthusiastic about Glasswing. The loudest concern is structural: less than 1% of the vulnerabilities Mythos has found have been patched. The Cloud Security Alliance, SANS Institute, and OWASP jointly warned that organisations are "likely to be overwhelmed" by a future in which AI can generate vulnerabilities faster than humans can triage, verify, and deploy fixes. Linux kernel maintainers reported a 10 to 15 times surge in vulnerability submissions following Mythos disclosures — a volume that human review processes were not designed to handle.

John Gallagher of Viakoo Labs raised the OT and IoT dimension that Glasswing essentially ignores: there is no patch deployment mechanism for a water treatment pump or an industrial controller. The infrastructure most vulnerable to nation-state cyberattacks is often the least equipped to act on AI-generated vulnerability disclosures.

Kevin Beaumont, a well-known independent security researcher, dismissed Mythos as "an amazingly successful marketing stunt." Daniel Stenberg, creator of cURL, called it similar. These are not fringe views.

The trajectory

Anthropic has stated it expects to bring "Mythos-class models to all customers in coming weeks" — meaning some version of this capability will be commercially available, presumably with additional guardrails, in the near future. The company separately released Claude Security, built on the publicly available Opus 4.8, which patched over 2,100 vulnerabilities in three weeks in its own testing.

The broader dynamic — AI companies deploying models with offensive-grade capabilities while arguing that broader access to defenders creates net positive security outcomes — is likely to become one of the defining regulatory questions of the next several years. Glasswing is the most visible current instance of that question being answered in practice rather than in policy papers.