Anthropic Expands Mythos to Global Critical Infrastructure

Agentic AI , Artificial Intelligence & Machine Learning , Critical Infrastructure Security

The initial batch of 50 partners for Anthropic's Project Glasswing software defense initiative drew heavily from the technology and cybersecurity sectors in the United States.

See Also: Cloud NGFW for Azure

The San Francisco-based artificial intelligence giant seeks to remedy that imbalance by extending access to Claude Mythos Preview to approximately 150 new organizations based in more than 15 countries. The new cohort covers several critical infrastructure sectors not well represented in Anthropic's initial group of partners including power, water, healthcare, communications and hardware, the firm said.

"What each partner has in common is that a successful attack on their codebase could be catastrophic," Anthropic wrote in an announcement Tuesday. "For most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security."

Companies first accepted to Project Glasswing back in early April included tech titans like AWS, Apple, Broadcom, Google and Microsoft as well as cyber behemoths Palo Alto Networks and CrowdStrike. That's in sharp contrast to OpenAI, which focused on financial heavyweights like Bank of America, Black Rock, BNY, Citi, Goldman Sachs and Morgan Stanley in its Trusted Access for Cyber pilot program (see: OpenAI Courts Banks in Trusted Access for Cyber Partner Push).

Bringing Mythos Preview Outside the United States

When Anthropic launched Claude Mythos Preview, it largely limited access to organizations based in the United States, with the United Kingdom's AI Security Institute being the only known non-U.S. group with access to the model, The Financial Times reported. A European Commission leader said in May that organizations would have to make do with "already-available advanced cyber tools" to scan systems.

"They have invited us to have access and we are looking at the way the potential access would work - the conditions and so on," European Union cybersecurity agency ENISA spokesperson Laura Heuvinck told ISMG Monday.

New countries to be granted access to Mythos include countries in the Five Eyes intelligence alliance such as Canada, Australia and New Zealand, the Financial Times reported. Other nations gaining access to Mythos include France, Germany, Italy, Switzerland, the Netherlands, Spain, Belgium, Sweden, India, Japan and South Korea, a person familiar with the matter told The Financial Times (see: Europe Edges Closer to Claude Mythos Access).

NATO, the U.S.-led military alliance headquartered in Brussels, has also been given access, along with ENISA, people familiar with the matter told The Financial Times. In the private sector, U.S.-based identity sector vendor Okta and data protection vendor Rubrik gained access to Mythos, along with South Korean companies Samsung, SK Hynix and SK Telecom, The Financial Times reported.

"While others bolted on recovery as an afterthought, we natively built a unified architecture -- with preemptive recovery as the foundation -- to provide immutable, air-gapped protection for data, identity and AI," wrote Rubrik CEO Bipul Sinha. "Claude Mythos Research Preview doesn't break our approach; it validates that the speed of discovery of software vulnerabilities is a risk that needs to be taken seriously."

Okta said on May 27 that it has been granted access to Claude Mythos Preview and is evaluating Mythos with the goal of using it to further harden our security posture. Anthropic didn't respond to an ISMG request for comment.

Critical Utilities No Longer Left in Cold

None of the half dozen specialist OT cybersecurity companies questioned by ISMG in late April had been approached by either Anthropic or OpenAI to join Project Glasswing or Trusted Access for Cyber. None have been listed in public disclosures either. In addition to large platform providers, Trusted Access for Cyber has disclosed access to specialized code security vendors like Synk, Sempgrep and Socket (see: OT Cybersecurity Frozen Out by Frontier Labs).

"None of the OT companies, none of the organizations that are most representative of that portion of the ecosystem are participating in this and are being represented," Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, told ISMG in late April.

Within six-to-12 months, Anthropic expects many other AI companies will have Mythos-class models, and could release them without safeguards that prevent misuse. Within the first weeks of Project Glasswing, Anthropic said members began using Mythos Preview at large scale, sharing information and best practices with other partners, and working with third parties to triage the model's findings.

Anthropic said it is working as quickly as it can to safely release Mythos-level capabilities in general access. To do so, Anthropic said it'll need highly robust safeguards that prevent the model's cyber capabilities from being misused, which don't yet exist. Because cybersecurity has both helpful and destructive uses, making safeguards that are both strong and precise enough is a major challenge.

Future expansions of Project Glasswing will prioritizing additional essential infrastructure providers, maintainers of critical open-source software, and safety testers in the United States and overseas, according to Anthropic.