Australian organisations will be given access to Anthropic’s powerful Claude Mythos Preview model, an artificial intelligence system the company has withheld from public release because of its ability to find and potentially exploit serious software vulnerabilities.

The San Francisco-based AI company has expanded access to the model through Project Glasswing, a restricted cyber defence program designed to help major organisations find and fix security flaws before similar tools become widely available to attackers.

Reuters reported that Anthropic is expanding Project Glasswing from about 50 organisations to roughly 200, with new partners across more than 15 countries. The company has declined to name the organisations joining the program, but said the expansion includes government bodies and partners in healthcare, power, water, communications and hardware.

The Financial Times reported that access has been extended across the Five Eyes intelligence alliance, which includes Australia, as well as NATO and the European Union’s cybersecurity agency. Anthropic has confirmed Australian organisations will gain access, but has not publicly identified them.

Claude Mythos Preview has attracted global attention because of its cyber capabilities. Anthropic says Project Glasswing partners use the model to find and fix vulnerabilities in major systems, including through local vulnerability detection, black box testing, endpoint security and penetration testing. The company says it does not plan to make Mythos Preview generally available until stronger safeguards are in place.

The model has already been used by partners to identify more than 10,000 high or critical-severity security flaws, according to Anthropic. Reuters reported that Anthropic believes a major attack on the systems of partner organisations could affect more than 100 million people, underlining why the company is limiting access to trusted organisations rather than releasing the model to the public.

Australia has been watching the model closely for weeks. In April, Reuters reported that the Australian Government was working with software providers, including Anthropic, over possible cybersecurity vulnerabilities after Mythos uncovered thousands of major weaknesses in operating systems and web browsers. A spokesperson for Home Affairs Minister Tony Burke said the government took the protection of critical infrastructure “extremely seriously”.

The Reserve Bank of Australia and the Reserve Bank of New Zealand were also reported to be monitoring the release of Mythos and engaging with major regulators overseas, while the Australian Banking Association said banks were working with regulators to protect the financial system.

The concern is that Mythos is a dual-use tool. In the hands of defenders, it can help banks, governments and infrastructure operators find hidden vulnerabilities before they are exploited. In the hands of malicious actors, similar technology could accelerate attacks on financial systems, utilities, telecommunications networks and critical public services.

The United Kingdom’s AI Security Institute said its evaluation found Mythos represented a step up over previous frontier models in cybersecurity. In controlled tests, the model could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously, tasks the institute said could take human professionals days of work.

On expert-level capture-the-flag tasks, which test whether a model can identify and exploit weaknesses in target systems, Mythos succeeded 73 per cent of the time, according to the UK evaluation. The institute also said Mythos was the first model to solve a 32-step simulated corporate network attack from start to finish in some attempts.

University of Queensland researchers said Anthropic had decided not to release Mythos publicly because of its capabilities and the risks they posed. They said the aim of Project Glasswing was to give defenders a head start before comparable AI cyber tools became widely available to attackers.

Anthropic’s own Project Glasswing material reflects that approach. The company says the program is meant to secure “foundational systems” that represent a large portion of the world’s shared cyberattack surface. It has also committed model usage credits and funding to support open-source software maintainers responding to the new cyber risk landscape.

For Australia, access to Mythos could help strengthen the cyber defences of banks, government agencies, telecommunications companies, energy networks and other critical infrastructure operators. But it also raises difficult questions about who gets access, how the model is monitored, and what safeguards are needed to stop powerful AI cyber tools from being misused.

Anthropic says similar AI capabilities could become available from other providers within six to 12 months, increasing pressure on governments and companies to fix vulnerabilities before attackers gain the same level of automated support.

The rollout places Australia inside a fast-moving global experiment: using a restricted AI model considered too risky for public release to harden the systems most exposed to future AI-assisted cyberattacks.

Support our Journalism

No-nonsense journalism. No paywalls. Whether you’re in Australia, the UK, Canada, the USA, or India, you can support The Australia Today by taking a paid subscription via Patreon or donating via PayPal — and help keep honest, fearless journalism alive.