TL;DR
Anthropic will give ENISA, the EU cybersecurity agency, access to its Mythos AI model through Project Glasswing, making it the first EU institution to access the system that discovered more than 10,000 zero-day vulnerabilities. The decision ends weeks of contentious negotiations.
Anthropic agreed to provide the European Union’s cybersecurity agency, ENISA, with access to Claude Mythos, the artificial intelligence model that has autonomously discovered more than 10,000 high-severity and critical zero-day vulnerabilities in all major operating systems and web browsers. The decision, communicated to the European Commission over the weekendmakes ENISA the first EU institution to join Project Glasswing, Anthropic’s controlled access cybersecurity initiative.
The move ends a weeks-long standoff that had become one of the most visible flashpoints in the transatlantic AI relationship. Eurozone finance ministers, the European Central Bank and several EU member states had demanded access after learning that Mythos had found vulnerabilities in systems that European banks, governments and critical infrastructure providers rely on daily, while no European institution was able to see the findings.
What can Myths do?
Mythos is not a conventional cybersecurity tool. Released in April 2026 as Claude Mythos Preview, the model can autonomously identify security flaws in complex codebases, generate working exploits on the first attempt in more than 83% of cases, and run attack simulations that would traditionally require teams of human researchers working for months. In his first month within the Glasswing Project, the model discovered more than 10,000 zero-day vulnerabilities in all the world’s most important software.
Anthropic partnered with more than 50 major technology organizations, including Microsoft, Apple, Google, and Cloudflare, to deploy Mythos in highly targeted codebases. The model’s strength in cybersecurity is a direct result of its broader capability: an AI system that can deeply understand and modify complex software is also one that can find and fix its vulnerabilities.
The 💜 of EU technology
The latest rumors from the EU tech scene, a story from our wise founder Boris and some questionable AI art. It’s free, every week, in your inbox. Sign up now!
Until now, access has been restricted to approximately 40 vetted US companies and select government entities, in addition to recent access granted to UK financial institutions. OpenAI has launched its own competitive initiative, Daybreakaimed at finding software vulnerabilities and generating patches, but Mythos remains the benchmark after its unprecedented zero-day discovery rate.
the negotiations
The path to EU accession was controversial. Anthropic and the Commission held four to five meetings shortly after Mythos was announced, but progress stalled. Commission officials flew to San Francisco last week to present the case in person. An ENISA spokesperson told reporters: “It has been offered but the conditions are still being agreed”, confirming that a decision had been made to grant access but the specific terms were still under negotiation.
The sticking points have not been publicly revealed, but are likely to include provisions on data sovereignty, restrictions on how findings can be shared with EU member states, and the scope of systems ENISA will be able to test. The confrontation had already led BNP Paribas and Mistral to begin developing a European alternative.an effort that will continue regardless of ENISA’s access to the original.
Why is it important
The Mythos access crisis exposed a structural vulnerability in Europe’s digital security posture. The EU AI Law, which will come into force in August 2026, regulates how AI models can be implemented in Europe. But it has no mechanism to force a US company to share its most powerful model with European regulators, regardless of how important the model’s findings are for European security.
The more than 10,000 zero-day vulnerabilities Mythos has identified include flaws in the software that runs European banking systems, government networks and critical infrastructure. Every day that European security agencies couldn’t see those findings was a day they couldn’t assess whether their own systems were affected or begin to remediate them.
The ECB summoned the banks of the euro zone to discuss cybersecurity implications after learning that Mythos had found vulnerabilities in financial software widely used across the eurozone. That pressure, combined with demand from finance ministers and direct engagement from the Commission, appears to have changed Anthropic’s position.
What comes next?
ENISA joining the Glasswing Project does not solve the broader problem. EU member states will want their own national cybersecurity agencies to access Mythos findings, and the financial sector will push for direct access rather than relying on ENISA as an intermediary. The episode has reinforced European concerns about dependence on American AI infrastructure. for critical security functions, an argument that will strengthen the case for sovereign AI capabilities in cybersecurity.
Anthropic’s Mythos is priced at $25 per million input tokens and $125 per million output tokens for Glasswing participants, accessible via Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry. One of the details still being finalized is whether ENISA access will be on commercial terms or through a government-to-government agreement. The European Commission confirmed it had “several productive meetings” with Anthropic, but declined to elaborate on the terms.
