cryptobriefing.com via Reddit

Anthropic Opens Mythos to EU Cybersecurity Agency

6 sources tracking this story
anthropic eu ai act cybersecurity safety ai-security geopolitics

Key insights

  • Glasswing now spans 200 organizations across 15+ countries, with NATO, Okta, Samsung, SK Hynix, and SK Telecom among newly added partners.
  • 23,000+ potential vulnerabilities found across 1,000 open-source projects, but only 75 critical/high-severity issues patched, pointing to a remediation bottleneck that outpaces discovery.
  • Anthropic's first-party benchmarks place Mythos Preview at 83.1% on CyberGym versus Claude Opus 4.6 at 66.6%, quantifying the capability gap that justifies restricted access.

Why this matters

Anthropic's Glasswing expansion now covers 200 organizations across 15+ countries, including NATO, Samsung, and ENISA, ending a weeks-long EU standoff over access to a model benchmarked at 83.1% on CyberGym vulnerability reproduction. The 23,000+ potential vulnerabilities identified against only 75 patched points to a verification-and-remediation bottleneck that outlasts the discovery phase. ENISA's entry is the first formal non-US, non-UK public-institution access, resolving a gap that The Next Web reports exposed Europe's structural lack of mechanisms to compel AI capability sharing from American companies. Anthropic's simultaneous IPO trajectory, per TechCrunch, means the cybersecurity program's expansion is now entangled with commercial and allied-nation security motives simultaneously.

Summary

ENISA, the EU's official cybersecurity agency, is gaining access to Claude Mythos Preview through Anthropic's Project Glasswing, the first time an EU agency has accessed an AI system at this capability level before broader rollout. Mythos, announced in early April 2026, can autonomously identify nearly 10,000 severe software vulnerabilities and run complex attack simulations that would traditionally take months of human security research. The deal followed four to five meetings between the European Commission and Anthropic as of May 11, 2026. Essentially: (Anthropic, ENISA) a European public institution now holds access alongside existing partners Amazon, Apple, Microsoft, and JPMorgan Chase. - Mythos extends to DeFi infrastructure including bridge vulnerabilities, protocol-level weaknesses, and systemic risks in composable DeFi architectures. - European firms had raised competitive disadvantage concerns, citing delayed access versus US organizations by months or years. - An April 2026 unauthorized access incident tied to a third-party vendor triggered a formal Anthropic investigation into Mythos access controls. OpenAI announced a competing cybersecurity-focused model the same day, making May 11 a visible inflection point for geopolitical competition over frontier AI security access.

Potential risks and opportunities

Risks

  • The April 2026 third-party unauthorized access incident remains an unresolved supply chain liability: if Anthropic's investigation is still open, extending Mythos to ENISA could introduce new exposure vectors into EU public sector infrastructure.
  • European firms and financial institutions outside Project Glasswing face deepening competitive gaps versus US-based Mythos partners Amazon, Apple, Microsoft, and JPMorgan Chase, who already hold established access.
  • OpenAI's parallel cybersecurity model announcement on May 11 creates fragmented-standard risk: EU agencies that onboard both systems face compounded integration complexity and potentially conflicting vulnerability disclosure obligations.

Opportunities

  • EU critical infrastructure operators and financial institutions can now lobby ENISA for downstream access to Mythos vulnerability findings, potentially accelerating disclosure timelines across EU member states.
  • OpenAI's simultaneous cybersecurity model launch creates a competitive procurement window: EU institutions can now negotiate access terms against two frontier providers, improving leverage on pricing and data-sovereignty clauses.
  • DeFi infrastructure security teams gain a concrete public-sector partnership argument: Mythos' coverage of bridge vulnerabilities, protocol-level weaknesses, and composable DeFi systemic risks aligns directly with EU digital finance regulation and MiCA enforcement priorities.

What we don't know yet

  • Whether ENISA's Project Glasswing access operates under the same contractual terms as US-based partners or under a separate EU-specific regulatory framework.
  • The current status of Anthropic's April 2026 investigation into unauthorized Mythos access via a third-party vendor, and whether it has been resolved prior to ENISA onboarding.
  • Which EU member states or regulated critical infrastructure operators will benefit from ENISA's access, and whether national-level bilateral agreements with Anthropic are planned.

What others are reporting

Coverage cluster as of 24h after publish

  1. Anthropic Read →

    First-party source confirming benchmark scores, named launch partners, specific vulnerability examples including the 27-year-old OpenBSD flaw, and the full financial breakdown.

    The vulnerabilities it has spotted have in some cases survived decades of human review and millions of automated security tests.
  2. TechCrunch Read →

    Places the expansion within Anthropic's IPO trajectory and competitive race against OpenAI's cybersecurity model, adding business and strategic context beyond the access grant.

    What each partner has in common is that a successful attack on their codebase could be catastrophic.
  3. The Next Web Read →

    Frames the deal as resolving a structural EU vulnerability gap and argues the standoff will accelerate European sovereign AI development regardless of the outcome.

    Every day that European security agencies could not see those findings was a day they could not assess whether their own systems were affected or begin remediation.
  4. SecurityWeek Read →

    Focuses on the remediation gap: 23,000 vulnerabilities found but only 75 patched, raising questions about whether discovery is outrunning organizational capacity to fix.

    Only approximately 50 companies have had access to Mythos until now and they have found thousands of vulnerabilities in their products.
  5. Cybersecurity Dive Read →

    Surfaces Anthropic's stated future challenge: adding safeguards robust enough for eventual public release to hundreds of thousands of organizations without enabling misuse.

Originally reported by cryptobriefing.com

Read the original article →

Original headline: Anthropic Grants EU Cybersecurity Agency ENISA First Non-US Access to Claude Mythos Through Project Glasswing