Anthropic expands Claude Mythos security program to critical infrastructure

Anthropic says it is expanding a security programme built around its Claude Mythos model to roughly 150 new organisations across more than 15 countries, according to TechCrunch. The rollout, dubbed Project Glasswing, broadens from an initial group of about 50 partners that included the US government into sectors such as power, water, healthcare, communications and hardware. The company is pitching the model as a way to scan critical codebases for vulnerabilities and security flaws, and says a successful attack on any partner could be “catastrophic” given how widely their software is reused.

The timing matters. TechCrunch reports the expansion was announced a day after Anthropic filed confidentially for an IPO, a step that tends to harden marketing claims into statements that investors, regulators and litigants can later scrutinise. The same week, the company is effectively asking utilities and infrastructure maintainers to treat a private vendor’s model as a security instrument, while much of the detail about who is in the programme and what access they receive remains opaque. The Financial Times, cited by TechCrunch, reported that the expanded group includes organisations in US-friendly countries including Sweden, and named partners such as Okta, Samsung, SK Hynix, SK Telecom, Nato and the EU cybersecurity agency ENISA, citing a person familiar with the matter.

Anthropic’s argument is that the scale of modern software supply chains makes concentrated scanning power a public good: many of the new partners maintain code that other companies and governments depend on, and a compromise of one upstream library can cascade. But the same concentration cuts the other way. A model that can identify “thousands of zero-day vulnerabilities” over weeks also creates a high-value target for espionage and coercion, and it centralises knowledge about weaknesses in systems that underpin services people cannot easily opt out of. TechCrunch notes Anthropic expects rivals to build similarly capable models soon, framing Glasswing as a race to install safeguards before the capability becomes commonplace.

The competitive dynamic is already visible. TechCrunch reports that since Mythos, OpenAI has released a cybersecurity-focused model called GPT-5.5-Cyber and rolled it out to a large group of partners for testing. That pushes infrastructure owners toward a new kind of vendor lock-in: not just which cloud runs their workloads, but which model family becomes embedded in their security workflow, incident response playbooks and audit trails. In practice, the organisation that controls the tooling can also shape what gets measured, what gets reported, and how quickly a “fix” is deemed sufficient.

Anthropic’s list of target sectors—power, water, healthcare, communications—reads like a map of where outages become political crises. The programme’s expansion will be easier to track than its results: each new partner is a public relationship, while the vulnerabilities found, the patches shipped and the breaches avoided are mostly invisible.

For now, the clearest concrete change is that more critical operators in more countries are being asked to route their security assurance through the same private model, just as its maker moves toward public markets.