Project Glasswing: who really has access to Claude Mythos (and why no French player made the list)

Anthropic just expanded Project Glasswing to 150 new organizations across more than 15 countries. France is on the list. But when you look at the named partners, not a single French company appears. No bank, no telecom operator, no energy company. That silence speaks volumes about France's real position in the AI-driven cybersecurity race.

What Project Glasswing reveals about Claude Mythos

Project Glasswing is not a standard access program. It is a controlled offensive cybersecurity initiative, launched in April 2026, in which Anthropic provides Claude Mythos to hand-picked organizations so they can scan their own systems.

The concept is straightforward: Mythos identifies software vulnerabilities and generates working exploits. According to Clubic, the model produces working exploits on the first attempt in 83% of cases, sometimes outperforming specialized human penetration-testing teams.

Why did Anthropic restrict access from the start?

The UK's AI Security Institute (AISI) evaluated Mythos and concluded that the model could execute sophisticated cyberattacks that would have taken professionals several days, according to Silicon.fr. A tool capable of finding 10,000 critical vulnerabilities in a few weeks does not get distributed like a SaaS subscription.

The first wave (April 2026) was therefore limited to around fifty organizations, almost exclusively American: Google, VMware, Mozilla, Palo Alto Networks, JPMorgan Chase. The tightest circle, the most controlled. For a look at the full history of Mythos and its restrictions, I covered the reasons behind this lockdown in a previous article.

Anthropic's logic is clear: whoever provides the weapon chooses who carries it.

The real list of Glasswing partners (Phase 2)

In early June 2026, Anthropic announced the expansion of Glasswing to 150 new organizations across more than 15 countries. The country list includes Five Eyes alliance members (Canada, Australia, New Zealand), then France, Germany, Italy, Switzerland, the Netherlands, Spain, Belgium, Sweden, India, Japan, and South Korea.

Which companies were selected in Phase 2?

Anthropic does not publish the full list. But the names that have leaked are telling: Okta (American), Samsung, SK Hynix, and SK Telecom (South Korean). On the institutional side, NATO and ENISA (the European cybersecurity agency) are among the new entrants.

The sectors targeted in Phase 2 cover energy, water, healthcare, communications, and computer hardware. According to Anthropic, a successful cyberattack on any of these partners could affect more than 100 million people.

The takeaway is hard to miss: France is officially within the geographic scope, but no specifically French organization has been publicly named. The institutions that do have access (NATO, ENISA) are European, not French.

Why France remains on the sidelines of Glasswing

France's situation is paradoxical. The country is among the 15 authorized nations, but negotiations between the European Commission and Anthropic are described as "at a standstill" by Spanish officials, according to Clubic. Discussions have been dragging on since April 2026.

How did BNP Paribas decide to work around the problem?

Faced with the impossibility of obtaining access to Mythos, BNP Paribas made a radical decision: partner with Mistral AI to develop an AI model dedicated to banking cybersecurity. No European bank appears on the Glasswing list (JPMorgan Chase, an American bank, has been in since Phase 1). France's largest bank chose the sovereign route instead.

This choice illustrates a broader problem. I see it in my daily work with French SMBs: dependence on an American vendor for critical capabilities creates a structural risk. When Anthropic decides to restrict access, all of Europe finds itself negotiating for a ticket in.

Claudia Plattner, head of Germany's Federal Office for Information Security (BSI), sums up the tension in a FRANCE 24 report: attacks that used to take days can now happen in minutes. Waiting for Anthropic to open the floodgates is not a viable option for critical European infrastructure.

Europe is negotiating while Mythos is scanning.

Why does Anthropic favor American and Asian partners?

Three factors explain this hierarchy. The first is legal: Phase 1 Glasswing partners operate under US law, which simplifies confidentiality and liability agreements. The second is strategic: after the conflict with the Pentagon (Anthropic refused to let its models be used for mass surveillance and autonomous weapons), the company needs to show it cooperates with Washington on defensive cybersecurity.

The third factor is commercial. Anthropic has filed a confidential IPO prospectus with the SEC, according to FRANCE 24. Its latest funding round valued the company at $96.5 billion. In that context, every Glasswing partnership doubles as a showcase for investors. Asian companies (Samsung, SK Hynix) represent high-growth markets; European ones, less so.

What this means for French SMBs

I will be blunt: Mythos is not relevant to you. Not today, not in six months. The Glasswing program targets critical infrastructure, systemically important banks, and telecom operators serving hundreds of millions of users. If you run an SMB with 30 to 200 employees, you are not in scope.

Should you wait for Mythos to secure your systems?

The answer is no, and waiting is actually counterproductive. The 5 reasons why Mythos is not yet public show that the model will remain restricted for months. Meanwhile, the vulnerabilities in your systems already exist.

What protects an SMB is not a restricted-access frontier model. It is integrating best practices into existing workflows: regular audits, systematic updates, network segmentation, team training. I help companies with their AI integration, and cybersecurity consistently comes up as a blind spot, long before the question "which model should we use."

The real question is not "when will we get Mythos?" but "have we done the basics before dreaming about the cutting edge?"

The BNP/Mistral initiative actually shows the right approach: identify a critical need, choose an accessible partner, build a solution tailored to your regulatory context. That is exactly what I recommend to SMBs on GoLive Software when they ask me where to start with AI. Start small, with a clear use case that is measurable and quickly testable.

Anthropic has announced that Mythos will be available to the general public "in the coming weeks," according to IT-Connect. When that day comes, developers and security teams will benefit. But so will cybercriminals. The democratization of Mythos will not solve the fundamental problem: the gap between those who know how to integrate AI into their operations and those who wait for a magic tool to do the work for them.

Project Glasswing confirms a trend I have been watching since the first production feedback: the most powerful models only benefit those who already have the infrastructure to leverage them. France has the talent (Mistral proves it), and it has the needs (BNP proves that too). What is missing is the ability to build partnerships at the right level, at the right time, without waiting for an American green light.

Frequently asked questions

What exactly is Project Glasswing?

Project Glasswing is a program created by Anthropic in April 2026 to provide Claude Mythos to selected organizations. These organizations use Mythos to scan their own software and detect critical vulnerabilities. The program has identified more than 10,000 high or critical severity flaws in systems used by hundreds of millions of people.

Does France have access to Claude Mythos through Glasswing?

France is among the 15 countries authorized in Glasswing Phase 2 (June 2026). However, no specifically French company or institution has been publicly named as a partner. The European institutions that have access (NATO, ENISA) are not French entities. Negotiations between the European Commission and Anthropic remained at a standstill as of May 2026.

Why is BNP Paribas working with Mistral rather than Anthropic?

BNP Paribas was unable to obtain access to Claude Mythos, as no European bank appears on the Glasswing list. The bank therefore chose to partner with Mistral AI to develop an AI model dedicated to banking cybersecurity. This sovereign approach lets it maintain control over its data and avoid depending on an American vendor for a critical function.

Will Claude Mythos be publicly available soon?

Anthropic confirmed in late May 2026 that models in the Mythos category would be offered to all customers "in the coming weeks." The company is currently developing enhanced security measures ahead of this release. When Mythos goes public, it will be available to developers and security teams, but also potentially exploitable by malicious actors.

Should French SMBs worry about not having access to Mythos?

No. Mythos targets critical infrastructure (energy, water, healthcare, telecoms, systemically important banks), not SMBs. Companies with 10 to 250 employees have real cybersecurity needs, but those are addressed through regular audits, updates, training, and proper AI integration into existing workflows, not through a restricted-access frontier model.

Vidéos YouTube

• IA : Anthropic rend son moteur ultra-performant Mythos accessible à l'UE · FRANCE 24

Articles & ressources

• Bientôt un Claude Mythos "made in France" ? La BNP et Mistral travaillent activement sur le sujet · clubic.com
• Claude Mythos arriverait enfin en Europe, mais la France n'attend pas les Américains · briefia.fr
• Claude Mythos s'ouvre au Monde...et à la France · silicon.fr
• Claude Mythos : le modèle IA qu'Anthropic voulait garder secret · studeria.fr
• Anthropic confirme l'arrivée de Claude Mythos dans les prochaines semaines · it-connect.fr