Anthropic has provided the EU cybersecurity agency ENISA with access to Mythos AI.

      Anthropic has decided to provide the European Union’s cybersecurity agency, ENISA, access to its Claude Mythos AI model through Project Glasswing. This marks ENISA as the first EU institution to utilize the system that has identified over 10,000 zero-day vulnerabilities. This agreement concludes weeks of negotiations that were marked by tension.

      The European Commission was informed over the weekend that ENISA will have access to Claude Mythos, which has independently detected more than 10,000 critical and high-severity zero-day vulnerabilities across major operating systems and web browsers. ENISA's participation in Project Glasswing will provide it with capabilities previously limited to a few select US companies and agencies, along with granted access to UK financial institutions.

      Mythos is not a typical cybersecurity solution. Introduced in April 2026 as Claude Mythos Preview, the model can autonomously pinpoint security weaknesses in complex codebases, generate functional exploits on the first attempt in over 83% of instances, and perform attack simulations that typically take teams of researchers months to complete. Within its first month in Project Glasswing, it identified over 10,000 zero-day vulnerabilities in critical software globally.

      Anthropic has collaborated with over 50 leading technology firms, such as Microsoft, Apple, Google, and Cloudflare, to deploy Mythos against specialized codebases. Its effectiveness in cybersecurity stems from its advanced capacity to understand and modify complex software, thereby identifying and rectifying vulnerabilities.

      Until this agreement, access was limited to around 40 approved US companies and select government bodies, alongside coverage extended to UK financial institutions. OpenAI is also pursuing a similar initiative called Daybreak to identify software vulnerabilities and create patches, but Mythos still sets the standard with its exceptional discovery rate.

      The negotiations for EU access were challenging. Anthropic and the Commission conducted several meetings soon after the announcement of Mythos, but progress halted. Commission officials traveled to San Francisco last week to advocate in person. An ENISA representative confirmed that while access has been offered, the conditions are still being determined.

      Details about the sticking points have not been publicly disclosed but likely include data sovereignty issues, rules on sharing findings with EU member states, and the extent of systems ENISA is allowed to test. This standoff had prompted BNP Paribas and Mistral to consider developing a European alternative, an effort that will persist regardless of ENISA's access to the original model.

      This access issue highlighted a critical vulnerability in Europe’s digital security strategy. The EU AI Act, coming into full force in August 2026, regulates the deployment of AI models in Europe but lacks the authority to require American companies to share their most advanced models with European regulators, even when the findings are crucial for security.

      The over 10,000 zero-day vulnerabilities identified by Mythos include issues within software that operates European banking systems, government networks, and essential infrastructure. Each day that European security agencies lacked access to these findings impeded their ability to determine the impact on their own systems or to initiate remediation.

      Following the discovery of vulnerabilities in financial software used across the eurozone, the European Central Bank gathered euro-area banks to address cybersecurity concerns. The pressure from financial ministers and the Commission's direct involvement likely influenced Anthropic's decision.

      However, ENISA's participation in Project Glasswing does not address the broader issue. EU member states are expected to advocate for their national cybersecurity agencies to gain access to Mythos findings, and the financial sector is likely to seek direct access instead of relying on ENISA as an intermediary. This situation has highlighted European worries about reliance on American AI technology for vital security operations, reinforcing the argument for developing sovereign AI capabilities in cybersecurity.

      Anthropic’s Mythos pricing is set at $25 per million input tokens and $125 per million output tokens for Glasswing participants, available through the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry. It remains to be seen whether ENISA will access Mythos under commercial terms or through a government-to-government arrangement, as these details are still being finalized. The European Commission noted it had several productive meetings with Anthropic but did not provide further details on the terms.