Anthropic Scales AI-Powered Vulnerability Detection to 150 New Organizations Across 15 Countries

Anthropic has expanded Project Glasswing, its collaborative cybersecurity initiative launched in early April, to approximately 150 new organizations across more than 15 countries. The expansion follows the discovery of more than 10,000 high- or critical-severity security flaws by the initial cohort of roughly 50 partners using Claude Mythos Preview to scan their codebases.

The new partners represent a significant shift in sectoral coverage, bringing organizations from power, water, healthcare, communications, and hardware industries that were underrepresented in the initial deployment. Many of these organizations maintain codebases relied upon by other entities worldwide, including governments. Anthropic estimates that a major attack on most Project Glasswing partners could affect more than 100 million people.

Critical Infrastructure Focus

The expanded partner roster reflects Anthropic's deliberate targeting of infrastructure dependencies rather than standalone applications. Unlike traditional penetration testing or static analysis tools that organizations deploy internally, Claude Mythos Preview operates within a collaborative framework where vulnerability discoveries can inform broader ecosystem hardening.

Each new organization must meet Anthropic's security requirements before gaining access to Claude Mythos Preview. The company has not disclosed specific criteria, but the vetting process appears designed to balance access expansion with operational security for the AI system itself.

The initial Project Glasswing cohort included the U.S. government among its partners, establishing precedent for public-sector participation in what amounts to a coordinated vulnerability disclosure program powered by large language models.

Methodology and Scale

Partners have been using Claude Mythos Preview to scan codebases since the project's April launch. Anthropic's Frontier Red Team has documented the system's approach to discovering, reproducing, and patching real-world vulnerabilities, with the full writeup available at red.anthropic.com/2026/mythos-preview. The complete evaluation methodology, capability results, and safety testing are detailed in the Claude Mythos Preview system card.

The 10,000-plus vulnerability count represents findings accumulated over roughly two months of scanning across the original partner set. This rate suggests Claude Mythos Preview is identifying security flaws at a pace that would be difficult to match with traditional security auditing approaches, though Anthropic has not provided comparative metrics against human security teams or existing automated tools.

Looking at the broader implications here, we are witnessing a familiar technology adoption pattern from previous infrastructure shifts. When static analysis tools first emerged in the late 1990s, they initially found thousands of issues in codebases that had previously passed manual review—not because the code had suddenly become worse, but because the new tools could examine it with different systematic rigor. The current Claude Mythos Preview results follow this pattern, likely surfacing vulnerabilities that existed but remained undetected through conventional security practices.

Open Source Considerations

Anthropic is in discussions with third parties about scaling the review and patching of vulnerabilities in open-source software. This development could address one of the more complex aspects of large-scale vulnerability discovery: the coordination challenge when security flaws are found in widely-distributed open-source components.

The company has not specified whether Claude Mythos Preview scans open-source repositories directly or encounters open-source vulnerabilities through partner codebases that incorporate these dependencies. Either scenario presents coordination complexities, as open-source maintainers typically operate under different disclosure timelines and resource constraints than enterprise security teams.

Industry and Government Response

Project Glasswing and Claude Mythos Preview capabilities have generated conversations within the software industry and with governments about AI's role in cybersecurity. These discussions likely center on both the defensive applications demonstrated by Project Glasswing and the dual-use implications of AI systems capable of automated vulnerability discovery.

The 15-country geographic spread of new partners suggests international interest in AI-assisted security capabilities, though Anthropic has not disclosed which specific countries or regions are represented. The multinational scope could complicate coordination protocols, particularly for vulnerabilities discovered in software components used across different regulatory jurisdictions.

Technical Architecture Questions

While Anthropic has published documentation on Claude Mythos Preview's methodology, several technical questions remain about the system's architecture and limitations. The relationship between Claude Mythos Preview and Anthropic's general-purpose Claude models is not clearly defined in available materials. Whether Mythos Preview represents a specialized fine-tune, a different model architecture, or a toolchain wrapped around existing capabilities could affect both its current performance characteristics and future development trajectory.

The system's approach to false positive management—a persistent challenge in automated security scanning—also remains largely undocumented. High false positive rates have historically limited the practical utility of automated vulnerability detection tools, particularly in large codebases where security teams must triage thousands of flagged issues.

Scaling Challenges Ahead

The expansion from 50 to 200 total partners represents a 4x scaling test for both the technical infrastructure supporting Claude Mythos Preview and the operational processes around vulnerability coordination. If the current discovery rate of high-severity vulnerabilities maintains pace across the larger partner set, Anthropic and its partners will need to manage significantly higher volumes of security issue disclosure and remediation.

The company's discussions about open-source vulnerability scaling suggest recognition that the current partner-focused model may not be sufficient for ecosystem-wide security improvement. Open-source components typically propagate through multiple organizations simultaneously, meaning vulnerability discoveries could require coordinated disclosure across dozens or hundreds of downstream users.

This coordination challenge has historical precedent in major open-source security incidents, but AI-powered discovery at the scale suggested by Project Glasswing results could stress existing disclosure protocols. The software industry may need to develop new frameworks for managing AI-discovered vulnerabilities, particularly when they affect widely-used infrastructure components.

The June 2nd expansion announcement positions Project Glasswing as both a defensive cybersecurity initiative and a test case for AI system deployment in high-stakes infrastructure environments. The results from this larger cohort will likely inform both Anthropic's future AI safety approaches and broader industry practices around AI-assisted security tooling.