May 26, 2026·Poyan Karimi

Claude Security and Project Glasswing: What Anthropic's Cybersecurity Push Means for Your Team

TL;DR

Anthropic just launched Claude Security — a tool that scans your company's code for security vulnerabilities and suggests fixes, now available in public beta for Claude Enterprise customers. Meanwhile, Project Glasswing, Anthropic's initiative to secure the world's most critical software, has already found more than 10,000 high-severity vulnerabilities across major operating systems, browsers, and open-source projects using a restricted model called Claude Mythos. In its first weeks, Claude Security has helped patch over 2,100 vulnerabilities across organizations using it. Here's what both of these mean for your business — even if you don't have a security team.

Why Cybersecurity Matters for Every Business — Not Just Tech Companies

If your business has a website, a customer database, or custom software, you have a cybersecurity surface.

Most business leaders think of cybersecurity as something for banks, hospitals, and government agencies. But the reality in 2026 is different. Every company with a web application, a cloud-hosted database, or custom internal tools is a potential target. And the attacks that hit small and medium-sized businesses are rarely the sophisticated, headline-grabbing kind. They exploit known vulnerabilities in common software — the same libraries, frameworks, and tools that your website and your internal systems are built on.

The problem isn't that companies don't care about security. It's that finding and fixing vulnerabilities requires specialized expertise that most organizations don't have in-house. A 50-person company doesn't employ a penetration tester. A 200-person company might have one security engineer who's already stretched across compliance, access management, and incident response. The actual work of scanning code, tracing data flows, and understanding how components interact across files — that work mostly doesn't get done.

Anthropic just shipped two things that change this equation: one for individual organizations, and one for the entire software ecosystem.

What Claude Security Does

Think of it as an AI security auditor that reviews your codebase while your team sleeps.

Claude Security is a feature built into Claude for Enterprise customers. It uses Claude Opus 4.7 — the most capable generally available Claude model — to scan your organization's code repositories for security vulnerabilities. When it finds a problem, it doesn't just flag it with a warning. It traces the data flow through your code, understands how the vulnerable component interacts with the rest of the system, and proposes a specific patch that your developers can review and apply.

Here's what that looks like in practice:

  • Scheduled scans. You can set up Claude Security to run on a recurring schedule — weekly, nightly, or after every code deployment. It reviews your entire codebase each time and reports what it found.
  • Targeted scans. When your developers push new code or make significant changes, you can trigger a focused scan on just the changed files. This catches vulnerabilities before they reach production.
  • Triage tracking. Findings are categorized by severity and tracked over time, so your team can prioritize what to fix first and show progress to auditors, clients, or compliance teams.
  • Proposed patches. For each vulnerability, Claude Security generates a suggested fix — not a generic recommendation, but actual code your team can review, modify, and merge. Your developers still make the final call.
  • Audit integration. Findings can be exported and integrated with your existing security workflows and compliance reporting.

No API integration or custom agent build is required. If your organization uses Claude Enterprise, you can start scanning today. Claude Team and Max customers are expected to get access soon.

What Claude Security Has Found So Far

In its first weeks of availability, Claude Security has been used to patch more than 2,100 vulnerabilities.

That number comes from organizations that were already running Claude Enterprise and turned on the security scanning beta. These aren't hypothetical issues found in test environments. These are real vulnerabilities in production codebases that were found, triaged, and fixed — many of them in code that had been reviewed by human developers and passed through existing automated security tools.

The reason AI finds things that traditional tools miss is how it reads code. Conventional static analysis tools match patterns — they look for known vulnerability signatures. Claude Security reads code the way a senior security engineer would: it follows the data flow across files and modules, understands the logic of how components interact, and identifies weaknesses that emerge from the combination of individually safe-looking pieces. A variable that's properly sanitized in one function but passed unsafely through three other functions to a database query — that's the kind of vulnerability that pattern-matching tools miss and AI catches.
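The cross-function flow described above, as an added illustration: this is not code from Anthropic or from Claude Security, and every function, table, and input name in it is hypothetical. The `line_rule_flags` check is a deliberately simplified stand-in for a single-line signature rule, shown next to the flawed lookup and its parameterized fix.

```python
import re
import sqlite3

SAMPLE_INPUT = "x' OR '1'='1"  # constructed test input, not from the page

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "staff")])
    return db

def clean_name(raw):
    # The "properly sanitized in one function" step: keep [A-Za-z0-9_] only.
    return re.sub(r"[^A-Za-z0-9_]", "", raw)

# --- Flawed flow: the raw value crosses three helpers before the query ---
def build_filter(name):
    return "name = '" + name + "'"   # concatenation, far from any execute()

def build_query(where):
    return "SELECT name FROM users WHERE " + where

def run(db, sql):
    return sorted(r[0] for r in db.execute(sql))  # harmless in isolation

def lookup_flawed(db, raw):
    greeting = "Hello " + clean_name(raw)            # sanitized copy: display only
    rows = run(db, build_query(build_filter(raw)))   # unsanitized copy reaches SQL
    return greeting, rows

# --- Hardened flow: the value stays a bound parameter end to end ---
def lookup_hardened(db, raw):
    greeting = "Hello " + clean_name(raw)
    cur = db.execute("SELECT name FROM users WHERE name = ?", (raw,))
    return greeting, sorted(r[0] for r in cur)

def line_rule_flags(source_line):
    # Simplified stand-in for a single-line signature rule: it flags only
    # execute() calls that assemble SQL on the same line.
    return bool(re.search(r"execute\(.*(\+|%|\.format)", source_line))

if __name__ == "__main__":
    db = make_db()
    print(lookup_flawed(db, SAMPLE_INPUT))     # filter bypassed: every row
    print(lookup_hardened(db, SAMPLE_INPUT))   # treated as a literal name
    print(line_rule_flags("return sorted(r[0] for r in db.execute(sql))"))
```

Each helper in the flawed flow looks safe when read alone; the weakness only appears when the value is followed from `lookup_flawed` through all three helpers to the query.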

Project Glasswing: Securing the Software Everyone Depends On

While Claude Security protects individual organizations, Project Glasswing protects the global software infrastructure.

Project Glasswing is a separate initiative that Anthropic launched with a coalition of major technology companies: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The goal is ambitious: use AI to find and fix security vulnerabilities in the world's most systemically important software before attackers do.

To do this, Anthropic deployed a restricted, non-public model called Claude Mythos Preview. Mythos is significantly more capable at cybersecurity tasks than any generally available AI model. How much more capable? In one test using Firefox's codebase, Claude Opus 4.6 was able to turn discovered vulnerabilities into working exploits only twice across several hundred attempts. Mythos did it 181 times.

That capability is exactly why Anthropic is not making Mythos publicly available. It's restricted to vetted security partners working through the Glasswing program, with strict controls on how it's used. The model is a tool for defenders, not attackers.

What Glasswing Has Found

The results published on May 22, 2026, are staggering.

Across roughly 50 partner organizations, Project Glasswing has identified more than 10,000 high- or critical-severity vulnerabilities in the most widely used software in the world. These include thousands of zero-day vulnerabilities — meaning vulnerabilities that were previously unknown — across every major operating system and every major web browser.

One specific example that was publicly disclosed: a critical flaw in wolfSSL, a widely used encryption library, that could allow an attacker to forge security certificates and impersonate legitimate services. That vulnerability was assigned a CVSS score of 9.1 out of 10 — about as serious as it gets.

To put this in perspective: the software your business runs on — your operating system, your browser, the open-source libraries your web applications depend on — is now being systematically checked for security weaknesses by the most capable AI security tool ever built. The vulnerabilities being found are getting patched by the companies that maintain that software. Your business benefits from this even if you never interact with Project Glasswing directly, because the software you depend on is getting more secure.

Why This Matters for Your Business

Cybersecurity has traditionally been a game of resources. AI just changed the rules.

Before Claude Security, the options for a mid-sized business were limited:

  • Hire a security team. Expensive. A single senior security engineer costs more than many companies spend on their entire technology budget.
  • Run automated scanning tools. Cheaper, but these tools only catch known patterns. They miss the complex, multi-step vulnerabilities that cause the worst breaches.
  • Hire a penetration testing firm. Effective but episodic. You get a point-in-time assessment, usually once a year. Everything that changes between tests is unexamined.
  • Hope for the best. This is what most companies actually do.

Claude Security changes this by making continuous, AI-powered security auditing available to any organization with a Claude Enterprise subscription. It doesn't replace a dedicated security team for organizations that need one. But it gives every organization with custom code a level of security review that was previously available only to well-funded tech companies.

And Project Glasswing means the foundational software your business depends on — the operating systems, browsers, cloud platforms, and open-source libraries — is getting a systematic security review at a scale that has never been attempted before.

The Security Partner Ecosystem

Anthropic didn't build this alone. The partners tell you where this is heading.

The companies embedding Claude's security capabilities into their own products include CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, TrendAI, and Wiz. These are the security tools that enterprises already use to protect their infrastructure. When these vendors integrate Claude's vulnerability detection, the AI security capabilities become available through the tools you may already be paying for.

On the services side, Accenture, BCG, Deloitte, Infosys, and PwC are now helping organizations implement Claude-powered security workflows. If your company works with any of these consulting firms, the cybersecurity capabilities they bring to the table just got significantly more powerful.

For a business leader, this means you don't necessarily need to set up Claude Security yourself. Your existing security vendor may be integrating these capabilities. Your IT consulting partner may be offering them as part of their services. The capability is entering the ecosystem from multiple directions.

What This Doesn't Do

AI security scanning is a powerful tool, not a complete solution.

Claude Security scans code. It does not replace your firewall, your access management, your employee security training, or your incident response plan. Security is layers, and Claude Security adds an important layer — finding vulnerabilities in your custom code before attackers do — but it's one layer among many.

It also requires someone on your team to review and apply the patches it proposes. Claude Security does not automatically modify your code. It finds the problem, explains it, and suggests a fix. A developer reviews the suggestion and decides whether to apply it. This human-in-the-loop approach is deliberate: security patches can have unintended side effects, and your team needs to verify that a fix doesn't break something else.

For organizations without in-house developers, the findings can still be shared with your external development agency or IT partner. The vulnerability reports are clear enough that any competent developer can understand the issue and evaluate the proposed fix.

How to Think About This for Your Organization

Three questions to ask your team this week.

1. Do we have custom code? If your company has a website, a web application, internal tools, or custom integrations built by developers, you have code that could contain vulnerabilities. Claude Security is designed for this scenario. If you only use off-the-shelf SaaS products with no custom development, you benefit indirectly through Project Glasswing and through your vendors' own security improvements, but you wouldn't use Claude Security directly.

2. When was our last security review? If the answer is “never” or “more than a year ago,” you have an unknown amount of technical debt in your codebase. Claude Security gives you a way to get a comprehensive review without the cost and scheduling overhead of a traditional penetration test.

3. Are our vendors investing in AI security? Ask your software providers, cloud hosting company, and IT partners whether they're using AI-powered security scanning on the code that runs your services. The answer tells you how seriously they're taking the new generation of security tools — and whether the software you depend on is being protected by the best available technology.

FAQ

Who can use Claude Security?

Claude Security is currently in public beta for Claude Enterprise customers. Anthropic has said that access for Claude Team and Max customers is expected to follow. No API integration or custom agent build is required — if your organization has a Claude Enterprise subscription, you can start scanning today.

Does Claude Security automatically change our code?

No. Claude Security proposes patches, but a human developer must review and apply each one. The tool finds vulnerabilities and suggests fixes. Your team decides which fixes to implement and when. Nothing is modified automatically.

What is Claude Mythos and can we use it?

Claude Mythos Preview is a restricted AI model with advanced cybersecurity capabilities that Anthropic uses in Project Glasswing. It is not publicly available and Anthropic has no current plans to make it generally available. Your organization benefits from Mythos indirectly: the vulnerabilities it finds in major operating systems, browsers, and open-source projects get reported and patched by the maintainers of that software. Those patches reach you through normal software updates.

We don't have developers on staff. Is Claude Security relevant to us?

If you have custom code maintained by an external development agency or freelance developers, yes. You can share Claude Security's findings with your developers, who can then review and apply the proposed patches. If you use only off-the-shelf software with no custom code, you don't need Claude Security directly, but you still benefit from the broader ecosystem improvements driven by Project Glasswing.

How is Claude Security different from the security scanning tools we already use?

Traditional static analysis tools match known patterns. Claude Security reads code like a security engineer — following data flows across files, understanding how components interact, and identifying vulnerabilities that emerge from the combination of individually safe-looking pieces. In its early deployment, it has found and helped fix vulnerabilities that had passed through conventional scanning tools and human code review.

What is Project Glasswing and why should I care?

Project Glasswing is Anthropic's initiative to find security vulnerabilities in systemically important software — operating systems, browsers, cloud platforms, open-source libraries. It has found over 10,000 high-severity vulnerabilities, which are being patched by the companies that maintain that software. You benefit because the software your business runs on is getting more secure, regardless of whether you use Claude directly.

Is my code shared with Anthropic or other organizations?

No. Claude Security scans your code within your organization's environment. Your code and the vulnerability findings are not shared with Anthropic, Project Glasswing partners, or other organizations. The same data privacy commitments that apply to Claude Enterprise apply to Claude Security.

The Deployed Kickstart includes a practical session on AI-powered security review for your team — whether you run your own code or work with external developers. The Partner program keeps your organization current as Anthropic ships new security capabilities, so your defenses improve automatically as the tools get better.