The European Union is close to securing access to Anthropic's frontier AI model, Mythos. Following weeks of discussions regarding inclusion in Project Glasswing—a controlled initiative providing select organizations with access to the model for security research—the EU cybersecurity agency ENISA will utilize the technology to advance vulnerability discovery and system defense.
European Commission spokesperson for Tech Sovereignty Thomas Regnier confirmed the productive discussions regarding ENISA's involvement. "I can confirm that the European Commission had several productive meetings with Anthropic," Regnier stated. "We welcome the latest developments on potential future access."
Claude Mythos Preview is an Anthropic AI model capable of detecting software vulnerabilities and autonomously developing proof-of-concept validation sequences at significant speed and scale. Anthropic reports that the model has identified thousands of vulnerabilities in widely used software, including a 27-year-old flaw in OpenBSD and a 17-year-old vulnerability in FreeBSD. Security professionals recognize that tools like Mythos lower the barrier for discovering and validating software flaws, potentially allowing threat actors to automate sophisticated unauthorized access attempts faster than organizations can currently patch.
A shared challenge for global security
Regnier described the access agreement as the result of the Commission's strong bilateral cooperation with Anthropic. He noted that evaluating Mythos is "of utmost importance to get a clear picture on the potential risks" associated with AI-assisted vulnerability discovery.
The concern regarding the dual-use capabilities of AI tools extends beyond a single model. "Mythos is not a one-off — a new wave of powerful models are coming to the market," Regnier said. "This is a shared challenge, and we are intensifying our discussions with like-minded partners, including the United States."
Project Glasswing and proactive defense
In April, Anthropic announced it would make the capabilities of Mythos available to a vetted group of organizations to secure their products before unauthorized parties could identify flaws. The Project Glasswing initiative currently includes over 40 participants, such as Amazon, Apple, Microsoft, Google, the Linux Foundation, JPMorgan Chase, and NVIDIA. These organizations build critical software infrastructure and maintain widely used open-source projects. Anthropic committed $100 million in usage credits to support these organizations in their security research.
While the terms governing how ENISA will interact safely with the model are still being finalized, the agency will be the first European entity to access Mythos. ENISA serves a function broadly analogous to the US Cybersecurity and Infrastructure Security Agency (CISA), though with less of an operational role. The European Commission views this visibility as essential for understanding Mythos and for building the institutional capacity to assess future models.
John Gallagher, vice president at Viakoo, notes that ENISA adds a credible partner to the effort of preparing for a massive increase in vulnerabilities requiring remediation. Threat actors may soon possess similar capabilities, making the involvement of defensive organizations vital. "ENISA brings their extensive focus on critical infrastructure into Glasswing, and, most importantly, brings their track record of actively coordinating operational responses to threats across Europe," Gallagher said.
Assessing global participation
CISA’s current status within Project Glasswing remains unconfirmed. Gene Moody, field CTO at Action1, observes that if the primary US civilian cybersecurity authority is excluded, it suggests a shift in strategic alignment.
"While access is intentionally limited, the exclusion of the United States' primary civilian cybersecurity authority suggests a growing divergence in strategic priorities," Moody explains. "European regulators appear focused on strengthening defensive posture through controlled AI deployment, while US policy signals have increasingly blurred the line between sanity and offensive cyber-reality."
Moody warns that reduced access to advanced defensive tooling, combined with shifting policy emphasis, could leave public and private sector stakeholders with diminished visibility into emerging threats, potentially affecting the reliability of US cyber threat intelligence.
Because Anthropic has not released the full list of Project Glasswing participants, it remains possible that CISA is involved. At the time of reporting, neither Anthropic nor CISA have publicly clarified the agency's status.
About the original author: This reporting was originally authored by Jai Vijayan, an Illinois-based technology journalist with over 25 years of experience covering information security, AI risk, and enterprise technologies. He holds a Master’s degree in statistics from Bangalore University and studied broadcasting and electronic communication at Marquette University.