
Project Glasswing and Claude Mythos: What AI-Powered Vulnerability Scanning Means for the NHS

Anthropic has just announced Project Glasswing, and if you work in cybersecurity, healthcare IT, or digital health, this one deserves your full attention...

What is Project Glasswing?

Project Glasswing is a coalition of some of the world's largest technology companies (Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and Palo Alto Networks), formed specifically to address what Anthropic describes as an inflection point in AI-powered cybersecurity.

At the centre of it is Claude Mythos Preview, an unreleased frontier AI model that Anthropic says has already identified thousands of previously unknown (zero-day) critical vulnerabilities in every major operating system, every major web browser, and a range of other critical software infrastructure.

The model found many of these vulnerabilities autonomously, without human guidance, including flaws that had survived decades of human security review and millions of automated tests.

Why Does This Matter?

For years, finding serious software vulnerabilities required deep expertise held by a small number of skilled security researchers. That expertise barrier is about to disappear.

AI models can now read, reason about, and exploit code at a level that approaches, or in some cases surpasses, the best human security researchers. The cost and effort required to find and exploit vulnerabilities are dropping dramatically.

Anthropic is being explicit about the dual-use nature of this: the same capabilities that make Mythos Preview valuable for defenders make it dangerous in the wrong hands. If capabilities like these proliferate to nation-state actors, criminal groups, or even script kiddies, the consequences for critical infrastructure could be severe.

The Project Glasswing coalition is an attempt to use these capabilities for defence before that proliferation happens. Anthropic is committing $100M in usage credits for Mythos Preview across partner organisations, plus $4M in direct donations to open-source security organisations.

What This Means for the NHS and Digital Health

The healthcare sector sits at the intersection of every risk factor this development highlights:

  • Legacy systems with unpatched vulnerabilities. Many NHS trusts and digital health suppliers run software that has never been subjected to the kind of deep vulnerability scanning that Mythos Preview can now perform autonomously. Flaws that have existed for years — in EPR systems, patient portals, medical devices — are now potentially discoverable at scale.
  • High-value targets for attackers. Patient data, clinical systems, and healthcare infrastructure are consistently among the most targeted sectors globally. The WannaCry attack on the NHS in 2017 is the most cited example, but attacks have continued at pace. AI-augmented attack capabilities will make these incidents more frequent and more sophisticated.
  • The defender advantage is real — if you act. The flip side of this is equally important. The same AI capabilities that empower attackers can be used to systematically scan and harden NHS systems and digital health products. Organisations that adopt AI-assisted vulnerability scanning now will be significantly better protected than those that wait.
  • Supply chain risk intensifies. For NHS suppliers, this is a supply chain security question. If your software has vulnerabilities that Mythos-class models can find autonomously, your NHS clients are exposed. DSPT obligations and NHS procurement requirements will need to evolve to reflect this new capability baseline.

The Governance Question

Project Glasswing also raises a governance challenge that the digital health sector hasn't fully grappled with: who decides how AI vulnerability-finding capabilities are used, and against whose systems?

Anthropic has made a deliberate choice to form a coalition of trusted partners and restrict access. But as they note in the announcement, capabilities like these are likely to proliferate; the question is whether defenders or attackers move faster.

For organisations responsible for healthcare data and clinical systems, the answer has to be to act now: audit your AI tooling, review your vulnerability management processes, and ensure your security posture reflects the new threat reality that Mythos Preview represents.

The Practical Takeaways

  1. AI-assisted vulnerability scanning is no longer optional. If you're an NHS supplier or digital health company, manual security testing is not sufficient in a world where AI can find zero-days autonomously. Your security programme needs to include AI-augmented scanning.
  2. Your DSPT submission needs updating. NHS Digital's Data Security and Protection Toolkit requirements don't yet reflect AI-class threat capabilities, but the underlying obligation to identify and manage vulnerabilities absolutely does. Don't wait for the guidance to catch up.
  3. Patch velocity matters more than ever. The window between a vulnerability being discovered and it being exploited is shrinking. Organisations that can't patch quickly are increasingly exposed. If your deployment pipeline can't support rapid patching, that's a risk you need to address today.
  4. The supply chain is the attack surface. Mythos Preview found vulnerabilities in open-source software used across millions of systems. If your product depends on third-party libraries or open-source components (and it almost certainly does), those components are now subject to a new level of automated scrutiny from both defenders and potential attackers.

Final Thought

Project Glasswing is a signal, not just an announcement. It tells us that AI has crossed a threshold in cybersecurity capability that changes the risk calculus for every organisation that operates critical software, including every organisation that touches NHS systems or patient data.

The coalition bets that if defenders move first, the advantage can be sustained. That bet only pays off if organisations outside the coalition also move. The NHS and digital health sector need to be part of that response.