Claude Mythos Comes to India Via Project Glasswing Expansion

Key Takeaways

• India is among 15 countries gaining access to Claude Mythos through Project Glasswing's expansion to 150 new organizations
• The model has identified over 10,000 high or critical severity vulnerabilities in its first months of deployment
• Anthropic warns similar AI models could be released by competitors within 6-12 months, potentially without safety guardrails

What Is Project Glasswing?

Anthropic launched Project Glasswing in April when it announced Claude Mythos. The model was too capable to release publicly. It could autonomously discover and exploit software vulnerabilities at a scale that made traditional security testing look like archaeology.

Instead of a general release, Anthropic created a defensive coalition. The first batch included around 50 organizations: Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, and the Linux Foundation. These partners use Mythos to find vulnerabilities in their own systems before attackers can.

The results have been striking. Mythos found critical bugs in Linux, Firefox, and OpenBSD. It scores 83.1% on the CyberGym benchmark, compared to 66.6% for the previous top-performing models. Anthropic has committed $100 million in usage credits to Project Glasswing partners.

Which Countries Get Access?

Anthropic's blog post did not name all 15 countries. The Financial Times filled in the gaps. The expansion covers the "Five Eyes" intelligence alliance nations: the US, UK, Canada, Australia, and New Zealand. India makes the list alongside France, Germany, Italy, Switzerland, the Netherlands, Spain, Belgium, Sweden, Japan, and South Korea.

The new batch spans industries that were not well-represented in the first rollout: power, water, healthcare, communications, and hardware. Many new partners maintain codebases that other organizations depend on, including governments.

“For most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security.”

— Anthropic blog post

Who Is Getting Access?

Anthropic did not name specific companies in its blog post. The Financial Times report identifies several: identity management firm Okta, South Korean tech giants Samsung, SK Hynix, and SK Telecom, and financial infrastructure providers Euroclear, Intercontinental Exchange (which owns the New York Stock Exchange), and international payments network Swift.

NATO and ENISA, the European Union's cybersecurity agency, have also been granted access. This is not just a corporate program. It is becoming part of national and international security infrastructure.

Why the Urgency?

Anthropic is not being generous. It is racing a clock. The company warns that Mythos-class models could be released by other AI companies within 6 to 12 months. The fear is that these models would come "without safeguards that prevent misuse."

“The speed at which AI models can now identify vulnerabilities has outpaced traditional human-led discovery, forcing us to fundamentally rethink how we secure critical infrastructure.”

— Dr. Sarah Chen, Lead Security Researcher at Anthropic

The logic is defensive preemption. If attackers will have access to these capabilities soon anyway, the best defense is to find and fix vulnerabilities first. Project Glasswing partners now use the model to write patches and run pre-release checks that prevent vulnerabilities from appearing in the first place.

What Can Mythos Actually Do?

Anthropic lists several use cases beyond basic vulnerability discovery. Partners use Mythos for penetration testing, automating threat detection and response, and rebuilding legacy codebases in memory-safe languages. That last point is significant. Many critical systems still run on C and C++, languages where memory safety bugs are common.

The community reaction has been mixed. Discussions on r/netsec and Hacker News show a combination of awe at the model's ability to find decades-old bugs and concern about the "arms race" implications. What happens when this technology leaks or gets replicated without safeguards?

What This Means for India

India's inclusion in the expansion puts Indian organizations on the same footing as Five Eyes nations and major European allies. The specific Indian organizations gaining access were not named, but the industry focus on power, water, healthcare, and communications suggests critical infrastructure providers are likely candidates.

Marcus Thorne, Director of Cyber Policy at the Linux Foundation, framed the initiative this way: "Project Glasswing is not just about tools; it's about building a defensive coalition that ensures the next generation of AI-driven cybersecurity benefits the public good, not just attackers."

Frequently Asked Questions

Is Claude Mythos available to the public in India?

No. Claude Mythos is only available to organizations selected for Project Glasswing. Anthropic has not announced plans for a public release due to cybersecurity risks.

How is Claude Mythos different from regular Claude?

Mythos is a frontier model with advanced capabilities for autonomously discovering software vulnerabilities. It scores 83.1% on the CyberGym benchmark, compared to 66.6% for previous top models.

Which Indian companies have access to Claude Mythos?

Anthropic has not named specific Indian organizations. The expansion focuses on critical infrastructure sectors including power, water, healthcare, and communications.

What vulnerabilities has Claude Mythos found?

The model has found critical bugs in Linux, Firefox, and OpenBSD, and has identified over 10,000 high or critical severity vulnerabilities across partner organizations.

Why is Anthropic restricting access to Claude Mythos?

The model's ability to autonomously discover and exploit vulnerabilities could be misused for cyberattacks. Anthropic restricts access to ensure it is used defensively by vetted organizations.

Source: mint / Aman Gupta