The Loop  ·  Issue 025

A field journal of the AI frontier — for engineers who ship.

§ News

By AI Blog Editor
Jun 8, 2026 · 15 min read

Two hundred — Anthropic's Glasswing expansion turns the model nobody can buy into the largest AI cyber-defence coalition anyone has assembled

On June 2, the same day Trump signed the voluntary frontier-AI executive order, Anthropic added 150 organisations in 15+ countries to Project Glasswing. The initial cohort surfaced 10,000+ critical bugs in two months. Patching is now the bottleneck, not finding.

An Experiment on a Bird in the Air Pump by Joseph Wright of Derby, 1768. National Gallery, London. Public domain via Wikimedia Commons.

On Tuesday June 2, 2026, Anthropic published Expanding Project Glasswing, announcing that it has added roughly 150 new organisations across more than 15 countries to the closed cohort with access to Claude Mythos Preview. The starting cohort, launched in early April, was around 50 partners. The expansion roughly triples the count. The announcement landed inside the same news cycle as Trump's voluntary frontier-model executive order. The two stories share a thesis. Reported through CNBC, CyberScoop, Help Net Security, Infosecurity Magazine, CSO Online and Engadget within 36 hours, the expansion is the largest single deployment of a frontier offensive-security model the public has seen.

The headline number from the initial cohort: more than 10,000 high- or critical-severity software vulnerabilities found in approximately two months. The model used to find them is the one Anthropic has explicitly said it will not sell. The model used to patch them — Claude Security, built on Opus 4.8 — has shipped publicly and has, by Anthropic's count, closed over 2,100 vulnerabilities in three weeks.

What 200 partners actually means

The initial cohort, as named in CyberScoop's reporting, was a who's-who: AWS, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks. Mozilla joined separately. Cloudflare separately again. The May Hacks post from Mozilla's security team established the pattern: point Mythos at a giant codebase, and the model finds an order of magnitude more bugs than the previous baseline did in a year. Firefox 150 shipped 271 Mythos-discovered fixes against a 2025 baseline of 20 to 30 a month. Cloudflare's number is 2,000 bugs, 400 of them high or critical. Three weeks later we now have the open-source side: 6,202 high- or critical-severity vulnerabilities across 1,000 scanned projects, a 90.6% true-positive rate on the human-reviewed sample, 530 disclosed to maintainers, 75 patched, 65 public advisories.

The expansion changes the kind of organisation in the cohort, not just the count. The new 150 includes power, water, healthcare, communications and hardware vendors — exactly the sectors the initial Magnificent-Seven-plus-finance cohort did not represent. The line in the Anthropic post is precise about why: most of the new partners are vendors "that maintain codebases relied upon by lots of other organizations around the world, including governments." The order of operations matters. Apple, Microsoft and Google have the staff to patch what Mythos finds. A regional grid-SCADA vendor with eleven engineers does not.

Anthropic's own framing is the line worth quoting. From the June 2 post: "The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them." That is not the sentence you write if your product is finding bugs. That is the sentence you write when the model has solved the finding part and the rest of the supply chain has not.

Melencolia I by Albrecht Dürer, 1514. Engraving.

The independent experts all say the same thing

This is the part that read, across CSO Online, Infosecurity Magazine and CyberScoop, like a press release in advance. Five named security executives, none of them at Anthropic, gave essentially the same quote when asked.

Jeff Williams, founder of OWASP and CTO of Contrast Security, to Infosecurity Magazine: "AI is turning vulnerability discovery into an industrial-scale activity, but most organizations still remediate at human speed."

Gunter Ollmann, CTO of Cobalt, same outlet: "The organizations that benefit most from these advances will be the ones that can rapidly validate, prioritize and remediate the issues being discovered before attackers find them first."

Mark Tauschek at Info-Tech Research Group, to CSO Online: "Organizations still treating patching as a quarterly exercise are operating with materially more risk."

Kellman Meghu at DeepCove Cybersecurity, same outlet: "Finding bugs is now cheap, but patching them is still slow and human-bound."

Jim Sherlock at ProCircular, to CyberScoop: "Patch pipelines that are not able to handle the incoming flood of advisories and vulnerabilities will simply turn into a giant backlog full of good intentions."

Five experts, five outlets, one synonym. Cheap discovery, expensive remediation. The Cloud Security Alliance, SANS Institute and OWASP signed a joint warning in late May that defenders are "likely to be overwhelmed." That sentence is the consensus.

The corollary the press cycle did not write down: AI vulnerability discovery has so completely flipped the cost curve that the people who used to charge real money to find bugs in your codebase now charge real money to help you keep up with the bugs the AI found.

Why this lands the same day as the EO

Two announcements ran inside 12 hours of each other on June 2. The White House signed the executive order asking frontier labs to voluntarily submit covered models for federal cyber-capability review. Anthropic announced the tripled cohort for the program that has been quietly running the kind of model the EO is about. Whether the timing was coordinated or not, the order reads better with Anthropic in the room than without.

The order's scaffolding — a Treasury clearinghouse for vulnerability discovery and patch distribution, NSA/CISA/NIST classified benchmarking, CISA binding directives — describes a workflow the Glasswing partner set has already been running, informally, for two months. The 100-million-people-could-be-affected figure that Anthropic attached to most of the new partners is the same magnitude as the "critical infrastructure operators" CISA's binding directives will target. The clearinghouse the EO asks Treasury to stand up in 30 days has 200 organisations already plugged into a private version of that workflow.

If you wanted to give the federal government a working pilot of the cybersecurity machinery the EO asks for, you would publish a 200-partner expansion of an existing program the day the order is signed. Anthropic did.

What gets harder from here

The model side keeps scaling. Anthropic told Infosecurity Magazine it expects rival labs to ship comparable cyber-capable models "within six to 12 months," presumably without the same disclosure infrastructure. That is the part of the announcement that reads like the actual ask of the EO: build the federal workflow now, because the cohort widens whether anyone is ready.

The remediation side does not scale. CSO Online noted that maintainers asked Anthropic to slow disclosure rates — the bug pipeline saturated open-source patching capacity faster than the open-source side could clear it. The expansion to power, water and healthcare vendors does not improve that math. It moves the saturation point from the Apache Foundation to a midwestern utility's IT contractor.

The Anthropic commitments here are what quietly become load-bearing: $100M+ in usage credits and $4M to open-source security organisations, announced at launch. Those dollars are doing the patching subsidy the model itself cannot do. Whether the line item grows with the cohort is the variable to watch.

What this means

Three takeaways.

  1. Glasswing is now Anthropic's most important non-API product. Two hundred organisations, fifteen-plus countries, the kind of vendors whose breach affects nine-figure populations — that is a federal-scale deployment, even with no contract signed. The model that does not ship is the platform for the largest AI cyber-defence coalition anyone has assembled. The product strategy that says "we will not sell this" is also the product strategy that says "we will give it to the orgs that protect 100 million people each." Both are true. Both follow from each other.

  2. The bottleneck has moved. Every independent security executive who got quoted in the press cycle said the same thing in different words: finding bugs is cheap, patching them is slow. That is a remediation-engineering problem, not a model problem. The next twelve months of cybersecurity tooling is going to be about industrialising the patch side — triage queues, automated PR generation, maintainer subsidy — and whichever lab gets there second has lost the AI-cybersecurity market.

  3. The EO and the expansion read from the same playbook. Trump's 30-day voluntary review window and Anthropic's expanded coalition were published the same day. The order assumes the rest of the industry will behave like Anthropic. Glasswing is the artefact that lets Anthropic claim the assumption is already operational. The shape of US AI policy for the next twelve months is starting to look a lot like the shape of Anthropic's product roadmap. That is not coincidence. It is the merger.

The model that nobody can buy now protects more code than any model anyone can.
