The perimeter just shifted. Project Glasswing launched on April 7, 2026 with a partner list built from hyperscalers and cybersecurity vendors: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. That cohort represented the vendors who build enterprise software. The June 2 expansion targets the operators who run infrastructure that people depend on.
According to Anthropic, the program is expanding to approximately 150 new organizations across more than 15 countries. Anthropic says the expansion targets critical infrastructure providers in sectors including power, water, healthcare, and communications. Those figures come from Anthropic’s own announcement; they weren’t visible in the page excerpt available during verification, so treat them as attributed to Anthropic but pending full confirmation.
The Financial Times reported that newly onboarded organizations include NATO, Samsung, Okta, and the EU cybersecurity agency ENISA. Anthropic hasn’t confirmed these names; the full partner list hasn’t been published, and Anthropic has cited security concerns as the reason. That’s a meaningful distinction. NATO’s presence in any vulnerability-scanning program carries implications that go beyond a typical enterprise security partnership.
What the program has actually found. As of the May 22 progress report, confirmed by prior hub coverage, Glasswing partners using Claude Mythos Preview identified over 10,000 high- or critical-severity security flaws across active codebases. That figure was Anthropic’s own disclosure, corroborated by multiple secondary sources at the time. That’s the verified baseline. Secondary figures that have since circulated elsewhere conflict with it and come from a single downgraded source; don’t use them.
The part nobody mentions: Claude Mythos Preview capabilities in an offensive-adjacent context. Glasswing’s stated mission is defensive: find and disclose vulnerabilities before adversaries exploit them. Mythos’s specific capabilities haven’t been independently evaluated outside the program. The only capability data available is Anthropic’s own characterization. That’s an important epistemic gap when the model is being used to scan power grid and healthcare software.
Why this matters for security teams outside the program. If your organization operates in or adjacent to critical infrastructure and isn’t part of Glasswing, the program’s outputs still affect you. Vulnerability disclosures from Glasswing partners will flow through standard responsible disclosure channels, but the timing and scope of those disclosures are governed by Glasswing’s coordination framework, which Anthropic controls.
Unanswered Questions
- Who governs Glasswing's vulnerability disclosure timeline: Anthropic, the affected vendor, or a coordinating body?
- What regulatory notification obligations apply when Glasswing identifies flaws in critical infrastructure codebases?
- How are organizations in adjacent sectors notified of flaws in shared dependencies?
What to watch
Glasswing’s disclosure governance is the next story. As the program expands to include national infrastructure operators and defense entities, the question of who decides what gets disclosed, when, and to which regulators becomes a policy question, not just a security one.
TJS synthesis: This is where agentic AI security stops being a vendor capability story and starts being a governance story. Anthropic now coordinates vulnerability disclosure across entities that include, reportedly, a NATO agency and a national power infrastructure operator. The AI isn’t the risk surface here; the coordination architecture is. Organizations in adjacent sectors should monitor Glasswing disclosures closely and assess their own exposure to codebases being scanned.