Omi Iyamu · Personal Dossier · Vol. XVII · 2026 Edition
2026 · 06 · 03 · 4 min read

Expanding Project Glasswing

# Anthropic just inverted the AI distribution race

Most AI labs are spending 2026 racing to widen distribution of their strongest models. Anthropic is moving in the opposite direction, and the more interesting one.

On Tuesday, the company expanded Project Glasswing — its critical-infrastructure cyberdefense program — to about 150 new organizations across more than 15 countries. The new members cover sectors that were underrepresented in the first wave: power, water, healthcare, communications, and hardware. Many of them are not household names. They are vendors whose codebases sit underneath software that hundreds of millions of people rely on. A successful attack on their code is the kind of incident that ends up in front of national security advisors, not just product post-mortems.

Each new partner gets gated access to Claude Mythos Preview, Anthropic's most capable model. Mythos is not generally available. It is held in controlled research preview because of its offensive cyber capabilities — the same capability profile that makes it useful for defense makes it dangerous to distribute widely. Partners have to meet security requirements before they get access.

The headline number is large enough to take seriously. Mythos has surfaced more than 10,000 high-severity or critical software vulnerabilities since the program launched in April. That is two months of work. I do not have an independent confirmation of the false-positive rate, and that matters — a 10,000-finding list with 30% false positives is a very different artifact from one with 3% — but the order of magnitude alone is the kind of contribution to upstream code hygiene that would have been impossible to ship a year ago.

What I find more instructive than the number is the structural choice.

Most foundation-model labs spent the last eighteen months operating from a thesis that distribution wins. Open the API, drop pricing, ship to every surface, and let the market sort the use cases. Anthropic is doing the opposite with Mythos. The most capable model is the one with the tightest access controls. The most strategic asset is the one that gets withheld, not the one that gets widely deployed.

This is capability gating, and it is a posture that is going to be tested.

For teams building in regulated domains, three concrete implications.

First, capability gating is becoming a vendor differentiator. If your security model depends on access to defensive tools that the rest of the market cannot get, you have a structural advantage that is harder to replicate than a feature gap. The flip side is the equivalent risk for vendors whose codebases sit upstream of millions of users — you are increasingly going to be benchmarked against scans run with tools you do not have. The asymmetry will get uncomfortable before it gets resolved.

Second, the line between defense and offense in code analysis is thinner than the marketing makes it sound. The reason Mythos is restricted is that the same capability that finds a vulnerability also describes how to exploit it. The Glasswing structure — gated access, signed agreements, security review for partners — is the working compromise. Expect every serious AI security vendor to adopt some version of this within the year. The teams that try to ship offensive-capability models with open access are going to learn the same lesson the hard way.

Third, the policy timing is striking. The same week Anthropic expanded Glasswing, the White House signed an executive order creating an AI cybersecurity clearinghouse for the federal government and critical-infrastructure operators. The two efforts are running on parallel rails. One is a private-sector program built on capability gating; the other is a public-sector coordination mechanism built on voluntary participation. The interesting test in the next year is whether they merge, compete, or quietly ignore each other.

A few things I would still want to read before I had a complete view.

A public version of the security requirements partners have to meet, and how those requirements get enforced over time. I want to know whether the gating is real, or whether it is the kind of light-touch agreement that erodes the first time a partner has a leak.

An honest false-positive rate on the 10,000 vulnerabilities. Not a marketing number. A breakdown by severity, by sector, and by whether the finding led to a shipped fix.

The cost structure for partners. Mythos is the most expensive Claude model to serve. Who pays — Anthropic, the partner, a government grant? The economics determine how durable this program is past its initial round.

The thing I keep coming back to is that this is one of the first programs from a frontier lab where the headline product is not the model, it is the program around the model. The gating, the partner selection, the security review, the disclosure pipeline. The capability is the foundation; the institution is the product.

Most labs are racing to build a better model. Anthropic is also racing to build a better way of distributing the model. The second race is the one that matters more for regulated domains, and it is the one that is finally getting a serious entrant.

Reply if you have visibility into the false-positive rates, or if you are running a similar program and want to compare notes on the gating mechanics. I would rather learn from your operational details than guess from the press release.
