Anthropic lets Mythos partners share cyber findings with outsiders

TL;DR:

  • Anthropic has revised its earlier stance so that users of its Mythos cybersecurity model can now share vulnerability findings with parties outside the controlled Project Glasswing programme.
  • Glasswing partners include Amazon, Microsoft, Nvidia and Apple, who have access to the unreleased Claude Mythos Preview for defensive cybersecurity work.
  • Partners may now disclose to security teams at other companies, industry bodies, regulators, government agencies, open-source maintainers, the media and the public — subject to responsible-disclosure norms.

Anthropic confirmed on Monday that it has loosened the confidentiality protections that previously governed Project Glasswing, the controlled initiative giving select tech firms access to its Claude Mythos Preview cybersecurity model. The change means findings, best practices, tools and code developed inside Glasswing can now be shared outside the programme.

The protections were originally added at partner request, after companies expressed concern that being publicly named as Glasswing participants — and as recipients of unreleased frontier-AI cyber capabilities — could make them targets. Last week Anthropic began telling partners that they are generally free to disclose their participation and to share findings at their own discretion.

A pivot driven by defensive utility

“We fully support our partners sharing findings with each other and companies outside of Glasswing to triage vulnerabilities,” an Anthropic spokesperson said. “As the programme has matured, we’ve adapted them to ensure key information can be shared broadly — including outside the programme — for maximum defensive impact.”

Mythos, announced on 7 April, is recognised by experts as offering an unprecedented combination of capabilities: it can both identify vulnerabilities and devise exploitation paths. That dual nature is why Anthropic restricted distribution in the first place, and why responsible-disclosure terms have evolved so quickly. The Pentagon has been using Mythos to patch software vulnerabilities across US government systems even as it races to complete a transition away from the company.

The disclosure change sits alongside parallel news — covered by Resultsense yesterday — that Anthropic has agreed to brief the Financial Stability Board on Mythos-identified vulnerabilities in the global financial system, at the direct request of Bank of England Governor and FSB Chair Andrew Bailey.

Looking forward

For UK security teams, the change is operationally meaningful: Glasswing partners are now permitted to disclose vulnerabilities to the National Cyber Security Centre, sector-specific information-sharing organisations such as FS-ISAC, and the wider open-source community. That brings Mythos-derived findings within reach of UK firms that are not themselves Glasswing participants — which is most of them. The next test is how disclosure norms hold up in practice: whether partners actually exercise the new freedom, or whether commercial sensitivities and reputational concerns keep most findings inside the original circle. The widening of disclosure also re-opens questions about the Glasswing membership criteria — and whether UK organisations (Anthropic’s only confirmed UK-government engagement so far has been the BoE/FSB briefing) will gain direct access.