Anthropic grants the EU cybersecurity agency ENISA access to Mythos AI.

      Anthropic has agreed to provide the European Union’s cybersecurity agency, ENISA, with access to its Claude Mythos AI model through Project Glasswing. This makes ENISA the first EU institution to utilize the system that has autonomously identified over 10,000 high- and critical-severity zero-day vulnerabilities across major operating systems and web browsers. This decision follows several weeks of intense negotiations.

      This agreement was communicated to the European Commission over the weekend, concluding a prolonged stalemate that had highlighted tensions in the transatlantic AI relationship. Euro-area finance ministers, the European Central Bank, and multiple EU member states had sought access after discovering that Mythos had uncovered vulnerabilities in systems critical to European banks, governments, and infrastructure, without any European entity being privy to these findings.

      Mythos is an advanced cybersecurity tool, having been launched in April 2026 as Claude Mythos Preview. It can independently detect security weaknesses in complex software, successfully generate working exploits on the first attempt in over 83% of cases, and carry out attack simulations that would typically involve teams of human researchers for extended periods. In its initial month within Project Glasswing, it identified more than 10,000 zero-day vulnerabilities across vital software globally.

      Anthropic collaborated with over 50 major tech companies, such as Microsoft, Apple, Google, and Cloudflare, to implement Mythos on highly targeted codebases. The model’s efficacy in cybersecurity stems from its advanced capabilities; an AI system that thoroughly understands and modifies intricate software is also proficient in identifying and rectifying its vulnerabilities.

      Previously, access to Mythos had been limited to around 40 vetted US companies and selected government entities, along with recently granted access to UK financial institutions. Although OpenAI has launched a competing initiative called Daybreak, aimed at identifying software vulnerabilities and generating patches, Mythos currently maintains its status as the benchmark due to its unmatched discovery rate of zero-day vulnerabilities.

      The discussions regarding EU access were contentious, with Anthropic and the Commission engaging in four to five meetings shortly after the announcement of Mythos, but negotiations reached a standstill. Commission officials traveled to San Francisco the previous week to pursue the issue in person. An ENISA spokesperson confirmed that while the access had been offered, specific conditions remained under negotiation.

      Details surrounding the negotiation hurdles have not been publicly disclosed but likely involve issues such as data sovereignty, limitations on sharing findings with EU member states, and the extent of systems ENISA is allowed to assess. The impasse had prompted organizations like BNP Paribas and Mistral to initiate the creation of a European alternative, an effort that will persist regardless of ENISA's access to Mythos.

      This crisis highlighted a fundamental weakness in Europe's digital security framework. The EU AI Act, which will be fully enforced in August 2026, regulates the deployment of AI models in Europe but lacks a mechanism to require an American firm to share its most powerful model with EU regulators, despite the model's significant findings for European security.

      The vulnerabilities identified by Mythos include issues in software utilized by European banking systems, government networks, and critical infrastructure. Each day that European security agencies had no insight into these findings hindered their ability to determine if their systems were impacted or to initiate remediation efforts.

      Following revelations that Mythos had detected vulnerabilities in financial software widely implemented in the eurozone, the ECB convened euro-area banks to discuss the cybersecurity ramifications. The combined pressure from finance ministers and direct Commission engagement appears to have influenced Anthropic's stance.

      However, ENISA's participation in Project Glasswing does not resolve the broader issue. EU member states are likely to seek direct access for their national cybersecurity agencies to Mythos findings, while the financial sector will advocate for direct access instead of relying on ENISA as a middleman. This situation has underscored European concerns regarding dependency on American AI infrastructure for essential security functions, bolstering the argument for developing sovereign AI capabilities in cybersecurity.

      The pricing for Anthropic’s Mythos is set at $25 per million input tokens and $125 per million output tokens for participants in Glasswing, available through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry. Whether ENISA's access will be based on commercial terms or through a government-to-government agreement remains a detail yet to be finalized. The European Commission acknowledged having “several productive meetings” with Anthropic but did not provide further information on the terms.