Anthropic is granting the EU Agency for Cybersecurity (ENISA) access to Claude Mythos, an AI model designed to detect software vulnerabilities at industrial scale. Unveiled on April 7, 2026, Mythos scanned over 1,000 open-source projects, identifying 23,019 vulnerabilities, including 6,202 classified as high or critical severity. The tool operates under Project Glasswing, a controlled rollout involving roughly 50 vetted partners including Amazon, Microsoft, Apple, Nvidia, and JPMorgan, backed by $100 million in usage credits. European access, however, remains unconfirmed, with negotiations still ongoing as of late May 2026.
In-Depth:
Anthropic is opening the door for the European Union Agency for Cybersecurity, known as ENISA, to access Claude Mythos, the company’s AI model built specifically to hunt software vulnerabilities at industrial scale.
Mythos was purpose-built to scan codebases and flag exploitable weaknesses. Anthropic unveiled Claude Mythos Preview on April 7, 2026; the model can scan over 1,000 open-source projects and identify vulnerabilities at a pace and scale that no human security team could match.
What Mythos actually does, and why it matters
In its initial deployment, Mythos flagged approximately 23,019 total vulnerabilities across those projects. Of those, an estimated 6,202 were classified as high or critical severity.
To manage the risks of releasing something this powerful, Anthropic created Project Glasswing, a controlled rollout that restricted access to about 50 vetted partners. The roster includes Amazon, Microsoft, Apple, Nvidia, and JPMorgan.
Anthropic backed the initiative with $100 million in usage credits for partners and $4 million in donations directed at open-source security projects.
On May 18, 2026, Anthropic enabled its Glasswing partners to share Mythos-derived security findings with their own stakeholders, while direct access to the model itself stayed locked down.
Why Europe receives a seat now
European Commission officials had been planning meetings with Anthropic to discuss the model’s capabilities and negotiate potential access. However, as of late May 2026, no confirmed access arrangements for ENISA had been established. Various European Parliament members and national regulators, including Germany’s Bundesbank, have made official requests to Anthropic or U.S. authorities for broader access.
The competitive and investment landscape
Traditional vulnerability scanning tools rely on known signature databases, essentially checking code against a library of previously identified bugs. Mythos operates differently, applying reasoning capabilities to identify novel vulnerabilities that haven’t been catalogued yet.
For the roughly 50 firms inside Project Glasswing, the advantage is tangible. They’ve had weeks to assess and patch vulnerabilities in software they depend on, while competitors without access have been flying blind.
The $100 million in usage credits Anthropic committed to Glasswing partners signals how the company plans to monetize this technology long-term. The model also showcases a dual-use capability that facilitates both the discovery of defensive vulnerabilities and the generation of offensive exploits. As access expands, the surface area for misuse grows, and further EU rollout still hinges on the establishment of additional safeguards.















