Anthropic will give ENISA, the EU’s cybersecurity agency, access to its Mythos AI model through Project Glasswing, making it the first EU institution to access the system that discovered 10,000+ zero-day vulnerabilities. The decision ends weeks of contentious negotiations.TL;DR
Anthropic has agreed to give the European Union’s cybersecurity agency, ENISA, access to Claude Mythos, the AI model that has autonomously discovered more than 10,000 high- and critical-severity zero-day vulnerabilities across every major operating system and web browser. The decision, communicated to the European Commission over the weekend, makes ENISA the first EU institution to join Project Glasswing, Anthropic’s controlled-access cybersecurity initiative.
The move ends a weeks-long standoff that had become one of the most visible flashpoints in the transatlantic AI relationship. Euro-area finance ministers, the European Central Bank, and multiple EU member states had demanded access after learning that Mythos had found vulnerabilities in systems that European banks, governments, and critical infrastructure providers rely on daily, while no European institution could see the findings.
Mythos is not a conventional cybersecurity tool. Launched in April 2026 as Claude Mythos Preview, the model can autonomously identify security flaws in complex codebases, generate working exploits on the first attempt in more than 83% of cases, and execute attack simulations that would traditionally require teams of human researchers working for months. In its first month inside Project Glasswing, the model discovered over 10,000 zero-day vulnerabilities across the world’s most critical software.
Anthropic partnered with more than 50 major technology organisations, including Microsoft, Apple, Google, and Cloudflare, to deploy Mythos against highly targeted codebases. The model’s strength in cybersecurity is a direct result of its broader capability: an AI system that can deeply understand and modify complex software is also one that can find and fix its vulnerabilities.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
Until now, access has been restricted to approximately 40 vetted US companies and select government entities, plus recent access granted to UK financial institutions. OpenAI has launched its own competing initiative, Daybreak, aimed at finding software vulnerabilities and generating patches, but Mythos remains the benchmark after its unprecedented zero-day discovery rate.
The path to EU access was contentious. Anthropic and the Commission held four to five meetings starting shortly after Mythos was announced, but progress stalled. Commission officials flew to San Francisco last week to press the case in person. An ENISA spokesperson told reporters, “It’s been offered but the conditions are still being agreed,” confirming that the decision to grant access had been made but the specific terms remained under negotiation.
The sticking points have not been disclosed publicly but are likely to include data sovereignty provisions, restrictions on how findings can be shared with EU member states, and the scope of systems ENISA will be permitted to test. The standoff had already prompted BNP Paribas and Mistral to begin developing a European alternative, an effort that will continue regardless of ENISA’s access to the original.
The Mythos access crisis exposed a structural vulnerability in Europe’s digital security posture. The EU AI Act, which enters full enforcement in August 2026, regulates how AI models can be deployed within Europe. But it has no mechanism to compel an American company to share its most powerful model with European regulators, regardless of how consequential the model’s findings are for European security.
The 10,000-plus zero-day vulnerabilities Mythos has identified include flaws in software that runs European banking systems, government networks, and critical infrastructure. Every day that European security agencies could not see those findings was a day they could not assess whether their own systems were affected or begin remediation.
The ECB convened euro-area banks to discuss the cybersecurity implications after learning that Mythos had found vulnerabilities in financial software widely used across the eurozone. That pressure, combined with the finance ministers’ demand and the Commission’s direct engagement, appears to have shifted Anthropic’s position.
ENISA joining Project Glasswing does not resolve the broader issue. EU member states will want their own national cybersecurity agencies to access Mythos findings, and the financial sector will push for direct access rather than relying on ENISA as an intermediary. The episode has reinforced European concerns about dependency on American AI infrastructure for critical security functions, an argument that will strengthen the case for sovereign AI capabilities in cybersecurity.
Anthropic’s Mythos is priced at $25 per million input tokens and $125 per million output tokens for Glasswing participants, accessible via the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry. Whether ENISA’s access will be on commercial terms or under a government-to-government arrangement is among the details still being finalised. The European Commission confirmed it had “several productive meetings” with Anthropic, but declined to elaborate on the terms.
Get the most important tech news in your inbox each week.