Tom Hundley
Anthropic's Project Glasswing has moved fast. In under two months it went from a roughly 50-organization coalition unveiled in early April to a partnership spanning some 200 organizations across more than 15 countries by the start of June β all of it built around Claude Mythos Preview, a frontier model the company has deliberately chosen not to release.
For anyone trying to make sense of the initiative, the chronology matters as much as the headlines. Two separate Anthropic posts, published nearly eight weeks apart, carry two very different vulnerability numbers, two different sets of partners, and two different framings of where this goes next. Read together and out of order, they invite double-counting and overstatement. Read in sequence, they tell a coherent β and unusually candid β story.
This is that story, milestone by milestone, with each claim tied to the post it came from. We write here as observers and analysts, not as a Glasswing participant; every figure below is drawn from Anthropic's own published statements.
Project Glasswing was announced on April 7, 2026. Anthropic framed it as a coalition initiative "to secure the world's most critical software," powered by an unreleased frontier model the company calls Claude Mythos Preview. (The April announcement carries no on-page publication date; the April 7 launch date is established in Anthropic's Frontier Red Team writeup, which was later edited on April 9.)
The launch cohort numbered roughly 50 organizations. Twelve were named as founding members of the coalition: Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Alongside those eleven partners and Anthropic itself, the company wrote that it had "also extended access to a group of over 40 additional organizations that build or maintain critical software infrastructure." Twelve named plus "over 40 additional" lands the initial cohort at approximately 50.
The premise was that Mythos had crossed a capability threshold in finding software flaws, and that the responsible move was to put that capability in the hands of defenders first, under restricted terms, rather than ship it to everyone.
The most-quoted number from the April post describes what Anthropic itself had already done with the model. "Over the past few weeks," the company wrote, "we have used Claude Mythos Preview to identify thousands of zero-day vulnerabilities (that is, flaws that were previously unknown to the software's developers), many of them critical." Elsewhere on the same page: "Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser."
Two things are worth pinning down here, because they are the most common sources of confusion about Glasswing.
First, this is a "thousands" claim, not a precise tally. Figures circulating in secondary coverage β a frequently repeated "23,019 vulnerabilities" with "6,202 high-critical" β do not appear in any Anthropic primary source. The company's own word is "thousands," and that is the figure we use.
Second, and more importantly: this April count describes vulnerabilities that Anthropic found, running the model itself. It is not the same as β and must not be added to β the larger number that arrives in June, which describes what the partners found. Same initiative, different finder, different date. We return to this distinction below because it is exactly where the timeline tends to collapse.
On June 2, 2026, Anthropic published a second post announcing a substantial expansion. The company said it was "extending the partnership to approximately 150 new organizations" across "more than 15 countries" β roughly quadrupling the coalition from its initial ~50 to around 200 in total.
The expansion was explicitly about widening the kinds of critical infrastructure represented. "The group covers several industries that weren't well represented in our initial cohort," Anthropic wrote, "such as power, water, healthcare, communications, and hardware." The stakes were framed bluntly: "For most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security."
This is the milestone where Glasswing shifted from a largely big-tech-and-finance roster toward the physical systems people depend on β the grid, water treatment, hospitals, telecom networks, and the hardware underneath all of it.
The June post also carried the largest vulnerability figure to date β and it belongs to the partners, not to Anthropic. Describing how participating organizations have been using the model, Anthropic wrote that "they've been deploying the model to scan their codebases for vulnerabilities," and noted that "these partners have so far found more than 10,000 high- or critical-severity security flaws."
Hold the two numbers apart:
These are distinct claims on distinct, separately dated pages with distinct finders. The April "thousands" did not "grow into" the June 10,000-plus, and the two should never be summed. The honest reading is that two different actors, working at two different times, each reported substantial findings β and the partner-reported figure is the cumulative one as of early June.
Across the two posts, Anthropic laid out a forward-looking agenda. A few commitments are worth tracking, because they give the timeline checkable future milestones.
A public report within 90 days. In the April post, Anthropic said that "within 90 days, Anthropic will report publicly on what we've learned." That report is the clearest near-term checkpoint for evaluating the initiative against its own claims.
Safeguards with an upcoming Claude Opus. Also in April: "We plan to launch new safeguards with an upcoming Claude Opus model." The general availability of Mythos-class capability is tied to safeguards of this kind β which is why broad release is described as a goal, not an imminent event.
A Cyber Verification Program. The April post introduced this as a path for legitimate security professionals affected by safeguards: "Security professionals whose legitimate work is affected by these safeguards will be able to apply to an upcoming Cyber Verification Program." By June, Anthropic described scaling that program β one "which would grant Mythos-class capabilities to many more organizations" β as part of expanding Glasswing further.
On the central question of release, Anthropic has been consistent and specific: it is not shipping this model to the public. "We do not plan to make Claude Mythos Preview generally available," the April post states, "but our eventual goal is to enable our users to safely deploy Mythos-class models at scaleβfor cybersecurity purposes." Claims that Mythos is "coming to the public in weeks" are not supported by either post; general availability is gated on safeguards the company says it has not yet finished building.
The most striking forward-looking statement is also the most self-implicating, and it appears in the June post. Anthropic does not frame the competitive landscape as "rivals will eventually catch up to us." It frames the entire field β itself included by implication β as heading toward the same capability on a short clock, and it names the risk directly.
The verbatim line: "within 6 to 12 months, we expect that many other AI companies will have Mythos-class models, and they could release them without safeguards."
That second clause is the point. The forecast is not a victory lap about being first; it is an argument for why restraint and safeguards matter now, precisely because the company expects comparable capability to become widespread soon, and expects that not everyone who builds it will hold it back. Read against the non-release decision and the safeguards-with-the-next-Opus commitment, the forecast is the load-bearing justification for the whole "find it, but don't ship the finder" posture.
That is where the public timeline stands as of early June 2026: a coalition tripled in size, a partner-reported tally past 10,000 high- and critical-severity flaws, a model still deliberately withheld, a 90-day report due, and a clock the company itself has put on the rest of the industry.
When did Project Glasswing launch, and when did it expand?
Project Glasswing was announced on April 7, 2026, with a cohort of roughly 50 organizations. Anthropic announced a major expansion on June 2, 2026, adding approximately 150 new organizations across more than 15 countries β bringing the coalition to around 200 in total.
How many vulnerabilities has the initiative found?
There are two distinct, separately reported figures, and they should not be combined. In the April post, Anthropic said it had used Claude Mythos Preview to identify "thousands of zero-day vulnerabilities" itself in the preceding weeks. In the June post, Anthropic said partner organizations scanning their own codebases had "so far found more than 10,000 high- or critical-severity security flaws." Different dates, different finders β the April "thousands" are Anthropic's; the June 10,000-plus are the partners'.
Who are the launch partners?
Anthropic named twelve founding members of the coalition: Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. It also extended access to "over 40 additional organizations," for an initial cohort of roughly 50.
Is Claude Mythos Preview available to the public?
No. Anthropic has stated it does not plan to make Claude Mythos Preview generally available. Its stated goal is to eventually let users safely deploy Mythos-class models at scale for cybersecurity purposes, but that is gated on new safeguards the company plans to launch with an upcoming Claude Opus model. There is no announced public-release date.
What has Anthropic committed to do next?
Anthropic committed to publish a public report on what it has learned within 90 days of the April launch, to launch new safeguards with an upcoming Claude Opus model, and to open a Cyber Verification Program for security professionals affected by those safeguards β a program it described in June as scaling to grant Mythos-class capabilities to many more organizations.
What does Anthropic expect from competitors?
In the June post, Anthropic forecast that "within 6 to 12 months, we expect that many other AI companies will have Mythos-class models, and they could release them without safeguards." The company frames this not as rivals catching up to it, but as a field-wide development β and uses the prospect of others shipping comparable capability without safeguards as part of the case for its own restraint.
Discover more content:
