Tom Hundley
On June 2, 2026, Anthropic announced that Project Glasswing โ the coalition initiative it launched in April to find and fix vulnerabilities in "the world's most critical software" using its unreleased Claude Mythos Preview model โ was getting dramatically bigger. The company said it was adding roughly 150 new organizations across more than 15 countries, and pushing the program deliberately into critical-infrastructure sectors that the original cohort had barely touched: power, water, healthcare, communications, and hardware.
The number in the headline does most of the talking, so it is worth getting the arithmetic right immediately. Glasswing launched in April with about 50 organizations in its initial cohort (12 named launch partners plus "over 40 additional" participants). The June 2 announcement added ~150 new organizations to that base โ it did not reset the total to 150. The coalition now stands at roughly 200 organizations in all. If you take away one thing from the coverage, take away that math: ~50 initial + ~150 new โ ~200 total.
What follows is a careful read of what Anthropic actually said on June 2, what the press has reported on top of it, and what participants have claimed about their own results โ kept strictly separate, because on this story the difference between those three categories is the whole game.
Anthropic's own announcement is notably spare on names. Here is what the company stated directly:
And here is the part that matters most for everything below: Anthropic named none of the new participants. The company described categories of organizations โ utilities, hospitals, telecom carriers, hardware manufacturers, open-source maintainers โ but it published no roster. CyberScoop, reporting on the expansion, put it plainly: Anthropic "did not give any further details on what companies or organizations were part of the new cohort." Every specific organization name attached to this story in the press therefore comes from journalists and their sources, not from Anthropic's page.
This is where readers, and a lot of secondary coverage, get sloppy. Because Glasswing involves real, recognizable institutions, the named-participant lists have circulated as if Anthropic confirmed them. It did not. Here is the careful version, attributed to the specific outlets that reported each name.
Reported by the Financial Times (relayed by TechCrunch): Okta, Samsung, SK Hynix, SK Telecom, NATO, and ENISA (the European Union Agency for Cybersecurity). TechCrunch presented these as FT reporting and noted that it had "reached out to Anthropic to confirm" โ i.e., these were not Anthropic-stated even at the moment of publication.
Reported by CyberScoop (citing its own sources): Netskope and Rubrik. CyberScoop framed these as "sources tell CyberScoop," and paired them with the explicit caveat that Anthropic disclosed no roster of its own.
Those are the names this article will stand behind as press-reported โ because they trace to a named outlet making a specific claim. Some other names have floated through aggregated search results and second-hand summaries (various financial-market institutions, for instance) without a clean line back to a named outlet's direct reporting; we are deliberately leaving those out rather than launder a search-engine summary into a fact. The discipline here is simple: a name earns a place only if a named publication reported it, and it gets labeled as that publication's reporting, never as Anthropic's confirmation.
On geography, the same care applies. Anthropic's primary, stand-behind figure is "more than 15 countries." Press reporting has filled in many specific country names, but no single named-outlet list cleanly enumerates them, so that detail should not be read as a complete or confirmed map. The honest summary is: Anthropic says 15-plus countries; the press has filled in many of the specific names without a single clean named-outlet list.
Two participant-stated outcomes have done a lot of work in the coverage, and both deserve a clear label: vendor-reported, self-stated, not independently audited.
Cloudflare, per CyberScoop, "identified 2,000 bugs across its critical-path systems, including 400 rated high or critical, with a false-positive rate the company described as better than that of human testers." Note the construction โ "the company described." That is Cloudflare characterizing its own experience with the model, not Anthropic or a third party verifying it.
Mozilla, again per CyberScoop, "found and fixed 271 vulnerabilities in Firefox 150 while testing the model, more than 10 times the number found in a previous Firefox version using an earlier Anthropic model." Once more, this is the participant's own account of its own testing.
CyberScoop added that "several other partners reported that their rates of bug discovery increased more than tenfold after deploying the model" โ a striking claim, and one delivered in exactly the register that should make a careful reader reach for the "self-reported" stamp.
None of this means the numbers are wrong. It means they are unverified by anyone other than the organization announcing them, and that distinction is the difference between a vendor press line and an audited result. Anthropic's own program-wide "more than 10,000 high- or critical-severity flaws" sits in a slightly different bucket โ it is the initiative operator's aggregate claim โ but it, too, is a stated figure rather than an externally certified one.
Strip away the name-dropping and the June 2 move tells a coherent strategic story.
First, the target shifted from software vendors to operators of physical systems. The April cohort skewed toward the technology and security industry โ the kinds of companies that ship code other people run. The June expansion is explicitly about power grids, water authorities, hospitals, telecom carriers, and chip and hardware makers. That is a move from "secure the supply chain" toward "secure the systems whose failure shows up as a blackout, a contaminated water supply, or a hospital going dark." The 100-million-person framing is Anthropic's way of saying the blast radius is now measured in populations, not products.
Second, it is a vendor-leverage play. Anthropic repeatedly emphasized that many new partners are organizations whose codebases are relied upon downstream by many others. Fixing a bug in one widely-deployed component protects everyone who depends on it. That is the most defensible theory of impact in the whole program โ concentrate the (still-scarce, still-gated) Mythos capability where a single fix propagates the furthest.
Third โ and this is the quiet tension โ finding is not fixing. Anthropic's own framing concedes that the binding constraint is human capacity to triage, report, and deploy patches. An expansion that multiplies discovery across 200 organizations and 15-plus countries multiplies the backlog just as fast as it multiplies the finds. A program-wide "10,000+ high/critical flaws" headline is only good news to the extent those flaws get patched, and the disclosure economics of doing that at machine scale remain the hardest unsolved part of the entire Glasswing thesis. The expansion makes the discovery engine bigger; it does not, by itself, make the world's remediation pipelines any faster.
Fourth, the geography is a governance signal. Reaching into NATO, ENISA (if the FT reporting holds), and operators across Europe and Asia is not just a sales footprint โ it is Anthropic positioning a withheld, dual-use frontier capability as something it extends to vetted allied defenders rather than sells on the open market. That posture is coherent with the rest of Glasswing's design, where Mythos is deliberately not released for general availability. The June expansion is the clearest expression yet of who Anthropic considers a legitimate "defender."
The verifiable spine of June 2 is small and solid: ~150 new organizations, ~200 total, more than 15 countries, five named sectors, a 100-million-person stakes estimate, and a program-wide claim of 10,000-plus high-or-critical flaws found since April โ all of that from Anthropic directly. Everything more specific than that โ which company, which agency, which country, how many bugs at Cloudflare or Mozilla โ is reporting layered on top by the Financial Times, TechCrunch, and CyberScoop, or self-stated by the participants themselves. The expansion is real and it is large. The roster is press-reported, and the headline per-vendor results are unaudited. Hold those two truths at once and you have read the story correctly.
How many organizations are in Project Glasswing after the June 2026 expansion?
Roughly 200. Glasswing launched in April with about 50 organizations (12 named launch partners plus over 40 others). The June 2 announcement added approximately 150 new organizations on top of that base, bringing the coalition to about 200 in total โ not 150 total. The "150" in the headlines is the size of the expansion, not the size of the program.
Which sectors did the expansion target, and why?
Power, water, healthcare, communications, and hardware โ sectors Anthropic said were underrepresented in the initial, tech-heavy cohort. The logic is reach: many new partners maintain codebases or operate infrastructure that large populations depend on, which is why Anthropic estimated that "a major attack could affect more than 100 million people."
Did Anthropic confirm that Okta, Samsung, NATO, or ENISA are participants?
No. Anthropic named no participating organizations in its June 2 announcement and, per CyberScoop, "did not give any further details on what companies or organizations were part of the new cohort." Okta, Samsung, SK Hynix, SK Telecom, NATO, and ENISA were reported by the Financial Times (via TechCrunch); Netskope and Rubrik were reported by CyberScoop citing its own sources. All of these are press-reported, not Anthropic-confirmed.
Are the Cloudflare and Mozilla bug-count figures verified?
No. Cloudflare's reported ~2,000 bugs (about 400 high or critical) and Mozilla's reported 271 vulnerabilities fixed in Firefox 150 are vendor-reported, self-stated results โ each organization's own account of its own testing, relayed by CyberScoop. They have not been independently audited. Anthropic's program-wide figure of "more than 10,000 high- or critical-severity flaws" is the operator's own aggregate claim, not an externally certified count.
How many countries does the expansion cover?
Anthropic's stated figure is "more than 15 countries." Press reporting has filled in many specific country names, but no single named outlet provides a clean, complete list, so those names are press-reported detail and should not be treated as a confirmed or complete map.
What does the expansion actually signal about Anthropic's strategy?
A deliberate shift from securing software vendors toward securing operators of physical critical infrastructure, a bet on vendor leverage (fix a widely-used component once, protect everyone downstream), and a governance stance in which a withheld, dual-use frontier model is extended to vetted allied defenders rather than sold openly. The unresolved tension is throughput: scaling discovery across ~200 organizations multiplies the unpatched-bug backlog as fast as it multiplies the finds, and remediation โ not detection โ remains the program's hardest open problem.
Discover more content:
