
Anthropic grants EU cybersecurity agency ENISA access to Mythos AI model after weeks of negotiations
The European Union's cybersecurity agency ENISA will join Project Glasswing, gaining controlled access to Anthropic's Mythos model that has autonomously discovered over 10,000 zero-day vulnerabilities across major operating systems and browsers.
Anthropic has agreed to give the European Union's cybersecurity agency, ENISA, access to its Mythos AI model through Project Glasswing, ending a weeks-long standoff that had become a flashpoint in transatlantic AI relations. The decision, communicated to the European Commission over the weekend, makes ENISA the first EU institution to join the controlled-access programme.
What Mythos can do
Mythos is not a conventional cybersecurity tool. Launched in April 2026 as Claude Mythos Preview, the model can autonomously identify security flaws in complex codebases, generate working exploits on the first attempt in more than 83% of cases, and execute attack simulations that would traditionally require teams of human researchers working for months. In its first month inside Project Glasswing, the model discovered over 10,000 high- and critical-severity zero-day vulnerabilities across every major operating system and web browser. Anthropic says the model's advanced capabilities allowed it to detect cyber threats that had remained hidden for 27 years.
This latest development is of utmost importance to get a clear picture on the potential risks.
The negotiations
European authorities had been shut out of the cutting-edge cybersecurity AI for weeks, prompting urgent calls from European politicians and government officials for access. Euro-area finance ministers, the European Central Bank, and multiple EU member states demanded access after learning that Mythos had found vulnerabilities in systems that European banks, governments, and critical infrastructure providers rely on daily. The breakthrough came after a meeting last week between European Commission officials and Anthropic at the company's San Francisco headquarters.
This is the result of the strong bilateral cooperation and the Commission's engagement with Anthropic.
Conditions still under discussion
While the permission was granted on Sunday, Anthropic and the European Commission are still negotiating the terms under which testing will be conducted before ENISA gains access. These conditions include safeguards to prevent the disclosure of any cybersecurity vulnerabilities detected in European companies and banks. The Commission's priority is to define an adequate framework that guarantees secure access to the model.
A wider AI race
The EU's access comes as OpenAI has already launched its own competing initiative, Daybreak, aimed at finding software vulnerabilities and generating patches, and has been faster than Anthropic in opening access to its GPT-5.5 Cyber model. Meanwhile, French startup Mistral is planning to launch its own version of Mythos and is in discussions with European banks to deploy this alternative. Mistral CEO Arthur Mensch warned during a hearing at the French National Assembly on 12 May that Europe cannot let the French army's source code be analysed by Mythos, calling it a dependency that must be addressed.
Let's not forget that Mythos is not a one-off, a new wave of powerful models are coming to the market.
Who already has access
Until now, access to Mythos through Project Glasswing has been restricted to approximately 40 vetted US companies and select government entities, plus recent access granted to UK financial institutions. The list includes Apple, Google, Microsoft, Nvidia, Cloudflare, Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, and JPMorgan Chase. The NSA has also been testing Mythos to compare its results with the agency's other cybersecurity research tools, though it is not known what security bugs the testing has turned up. The Commission is working on a formal action plan to respond to powerful AI hacking tools and has indicated it wants to release it before the summer break, according to an industry official.
- Anthropic unveils Claude Mythos Preview, warning it outperforms most humans in finding cybersecurity weaknesses.
- Mistral CEO Arthur Mensch warns French National Assembly about dependency risks of Mythos.
- European Commission officials travel to San Francisco to meet with Anthropic and formally request access.
- Anthropic grants ENISA permission to join Project Glasswing; terms still under negotiation.

