
Anthropic will expand Project Glasswing to roughly 150 additional organizations after an early‑April pilot in which about 50 partners used Claude Mythos Preview to scan their codebases and reported more than 10,000 high‑ or critical‑severity security flaws. The pilot’s scale and findings prompted several weeks of close collaboration with partners, the security industry, open‑source maintainers, and the US government, and the expansion is presented as a practical step to address the heightened risk surface created by powerful, cyber‑capable AI.
Each prospective partner in the new cohort must satisfy the program’s security requirements before gaining access. The pilot process emphasized rapid sharing of practices and joint triage of findings with third parties, and Anthropic says those operational lessons shaped how Glasswing will be broadened to support defenders and reduce the chance that discovered flaws remain exploitable at scale.
The incoming cohort spans more than 15 countries and deliberately fills gaps from the initial pilot. New participants include organizations that provide critical public services and infrastructure across power, water, healthcare, communications, and hardware sectors, as well as vendors whose codebases are widely relied upon. Anthropic estimates that, for most partners, a successful major attack on their codebase could affect more than 100 million people, underscoring why the program targets entities with potentially catastrophic failure modes.
Project Glasswing aims to do two things at once: give the software industry safer, wider access to improved models, tools, and shared infrastructure, and push the community beyond mere vulnerability discovery toward coordinated disclosure, patching, and deploying fixes at operational scale. The stated goal is to adapt industry norms and incident‑response practices to the new threat dynamics introduced by increasingly capable AI assistance.
To support defenders, Anthropic is releasing Claude Security, a product that uses its public frontier models, such as Claude Opus 4.8, to scan codebases and suggest patches, and says it will share internal tools on request with trusted security teams. The company also warns that Mythos‑class models may become more widely available within six to twelve months, which it presents as making it urgent for organizations to adopt stronger defensive practices and for the industry to refine norms for safe model use and coordinated remediation.