🧭 Project Glasswing: Claude Mythos Preview Uncovers 10,000+ Critical Vulnerabilities in One Month

One month after Claude Security entered public beta, Anthropic has published the first results from Project Glasswing — its initiative to use Claude Mythos Preview, an unreleased frontier model optimised for vulnerability discovery, to scan critical software infrastructure. The headline figure: more than 10,000 high-or-critical-severity vulnerabilities identified across partner systems in the first month alone. That total includes both enterprise partner codebases and a sweep of over 1,000 open-source projects.

Partner-by-partner highlights

• Cloudflare: ~2,000 bugs discovered in internal systems, of which roughly 400 were classified high or critical severity. Cloudflare noted the AI-assisted sweep produced fewer false positives than conventional human-led penetration testing
• Mozilla: 271 vulnerabilities identified and fixed in Firefox 150 during the Mythos Preview testing window
• Palo Alto Networks: accelerated patch release cadence significantly during the testing period, releasing substantially more patches than typical over the same timeframe

Open-source sweep: 6,200 valid high/critical findings

The open-source component scanned more than 1,000 projects and identified approximately 6,200 estimated high-or-critical-severity vulnerabilities. Of the subset assessed by independent security firms, 90.6% proved to be valid findings, with 62% confirmed at high or critical severity — a significantly lower false-positive rate than most automated scanning tools achieve.

The new bottleneck: patching, not discovery

The most consequential observation in the update is structural: the bottleneck in software security has shifted. AI dramatically accelerates vulnerability discovery, but human-dependent triage, disclosure coordination, and patching pipelines remain slow — averaging roughly two weeks per critical bug. Anthropic is working with partners to develop AI-assisted patch drafting workflows to close that gap.

🧭 Five Enterprise Security Vendors Launch Claude Compliance API Integrations on the Same Day

On May 21, 2026, five major enterprise security and governance vendors simultaneously announced integrations with Anthropic's Claude Compliance API — the REST endpoint that gives Enterprise plan administrators programmatic access to Claude activity data for continuous monitoring and policy enforcement. The coordinated launch signals that Anthropic is treating the Compliance API as a cornerstone of its enterprise go-to-market strategy, with a growing ecosystem of SIEM, DLP, CASB, and identity-governance tools plugging directly into Claude activity streams.

The five integrations at launch

• Netskope (SASE/CASB): connects Claude Enterprise directly to the Netskope One platform, enabling full asset, identity, and activity visibility with DLP policy enforcement and security posture management across Claude chat, Claude Code, Cowork, and Office agents
• SailPoint (identity governance): provides visibility and automated governance over which users have access to Claude features, and flags anomalous usage patterns against identity risk models
• Cloudflare CASB: consumes the Compliance API endpoint to surface security findings inside Cloudflare One, with detection and remediation workflows and support for scanning Claude Projects shared across organisations
• Proofpoint (DLP + compliance): applies existing DLP policies and behavioural risk models to Claude interactions, with digital communications governance for legal supervision workflows and eDiscovery
• Concentric AI (Semantic DLP): audits Claude Platform activity for data classification violations, enabling organisations to enforce data-handling rules over Claude-generated content without manual review

What the Compliance API exposes

The API provides security visibility into prompts, responses, uploaded files, Projects, and administrative actions — everything that flows through Claude Enterprise and Claude Platform. Data is streamed in near-real-time to connected tools, with a 90-day history available for forensic investigation and audit trails.

🧭 Anthropic Publishes "2028: Two Scenarios for Global AI Leadership" — What It Signals for the AI Development Ecosystem

On May 14, Anthropic published a policy research essay titled 2028: Two Scenarios for Global AI Leadership, arguing that the decisions made in 2026 will substantially determine which actors shape global AI governance norms by 2028. The paper is notable less for its geopolitical argument than for what it reveals about Anthropic's strategic assumptions — assumptions that directly affect what frontier models get built, when they ship, and how they are distributed.

The two scenarios in brief

• Scenario A (democratic lead maintained): democracies sustain a 12–24 month frontier model lead by enforcing semiconductor export controls, closing distillation-attack loopholes, and actively deploying the US AI stack globally. In this scenario, Anthropic sees safety-focused development norms becoming the de facto standard
• Scenario B (compute gap narrows): export controls erode through smuggling or policy rollback, or domestic chip production in competitor states accelerates. In this scenario, frontier AI is no longer concentrated among safety-oriented actors, which Anthropic argues creates structural pressure to deprioritise alignment research

The key technical argument: distillation attacks

One of the more technically substantive claims in the paper is that "distillation attacks" — training a new model by having it predict the outputs of an existing frontier model at scale — represent a meaningful transfer of capability that current export control regimes do not adequately address. Anthropic recommends that this be legally clarified as a form of IP theft and treated accordingly under existing or new legislation.