Claude Mythos Preview, announced on April 7, 2026, represents something genuinely new in the AI arms race: a model that can outperform most humans at discovering zero-day vulnerabilities across various operating systems.

Until now, Mythos has been kept under remarkably tight wraps. Access has been restricted to roughly 50 partners, almost entirely US-based firms, through an initiative Anthropic calls Project Glasswing. The partner list includes Amazon, Apple, Microsoft, Nvidia, and JPMorgan Chase. The stated goal is defensive cybersecurity testing, letting these organizations probe their own systems for weaknesses before bad actors find them first.

The EU’s cybersecurity agency, ENISA, has been in discussions with Anthropic since at least 2025 about gaining access. EU officials had planned meetings in San Francisco as recently as late May 2026 to push the conversation forward. No formal agreement with ENISA has been confirmed as of late May 2026.

The dual-use tension is exactly why Anthropic kept the initial rollout so narrow. Limiting access to 50 vetted partners is a reasonable precaution when your AI can essentially pick locks that nobody knew existed.

The situation was complicated further in April 2026, when Anthropic investigated unauthorized access claims regarding the model. OpenAI has offered access to its own cybersecurity-focused model for European users.

Companies inside the Project Glasswing circle gain a meaningful advantage. If your organization can run Mythos against your own codebase and infrastructure, you’re finding vulnerabilities that your competitors, who lack access, cannot. Amazon, Apple, Microsoft, Nvidia, and JPMorgan Chase aren’t just getting a cybersecurity tool. They’re getting early access to a capability that offers outsized returns to early adopters.

Granting ENISA access raises new questions: Will ENISA share findings with EU member states? Will European companies eventually get direct access? And what conditions will Anthropic attach to the arrangement?