Europe locked out of cyber AI: Anthropic's Mythos finds hundreds of zero-days but only US firms get access
What it really says
On April 7, 2026, Anthropic unveiled its frontier model Claude Mythos Preview, which demonstrates unprecedented capabilities in cybersecurity tasks. The model can autonomously find zero-day vulnerabilities in real software projects, confirm them, and create proof-of-concept exploits. In a collaboration with Mozilla, Mythos identified 271 security flaws in the Firefox browser, which Mozilla patched on April 21 in the Firefox 150 security update. These included critical use-after-free vulnerabilities in DOM and WebRTC components. For comparison: an earlier scan with Claude Opus had found only 22 bugs. Anthropic deliberately chose not to make the model publicly available, instead founding 'Project Glasswing' - a consortium of Amazon Web Services, Apple, Google, JPMorgan Chase, Microsoft, and Nvidia that receive early access to find and fix vulnerabilities in their systems. No European government, EU institution, or European company has access. The European Commission has been negotiating unsuccessfully with Anthropic for weeks over test access for European financial institutions and companies. In contrast, OpenAI has offered its GPT-5.5-Cyber model to the EU AI Office.
Our assessment
This situation warrants classification as a serious risk. European software - operating systems, browsers, banking systems - has the same vulnerabilities as the software Mythos scans for US partners. Yet Europe has no access to the most capable tool for finding these flaws. This creates an asymmetric security landscape: US companies can proactively secure their systems, European ones cannot. Anthropic's justification - restricted access to prevent misuse - is understandable, as a publicly available model that finds zero-days would be a gift to attackers. At the same time, the power question looms: a single US company effectively decides who gets access to the world's most powerful cybersecurity tool. Mozilla CTO Bobby Holley offered some perspective: none of the 271 bugs found were of a type that an elite human security researcher couldn't have found. The model is faster and more thorough than humans, but not fundamentally superior. That OpenAI is offering its competing product to the EU shows the geopolitical competition for European favor.
Relevance for Germany
For Germany, this development is critical for several reasons. First, the cybersecurity gap directly affects the German economy: German banks, insurers, and industrial companies use the same software that Mythos scans for US partners - without access to the protective mechanism. The ECB has already convened European banks regarding AI cybersecurity risks. Second, the question of digital sovereignty arises: the EU AI Act provides reporting obligations for 'General Purpose AI with Systemic Risk' - whether Mythos falls under this category is an open legal question that may need to be resolved by August 2026. Third, Europe lacks a comparable model of its own. Germany's Federal Office for Information Security (BSI) and the European cybersecurity agency ENISA have no equivalent AI tools. The dependence on US tech corporations for cybersecurity has never been more visible.
Fact check
The Firefox numbers (271 vulnerabilities, fixed in Firefox 150) are verifiable through Mozilla's official security advisory MFSA 2026-30 and are consistently reported by SecurityWeek, The Register, and Slashdot. The UK AI Safety Institute (AISI) evaluation is documented on their official website. Project Glasswing and participating companies are confirmed through Anthropic's own website (anthropic.com/glasswing). The stalled EU negotiations are independently reported by CNBC, The Parliament Magazine, and CryptoBriefing. Mozilla CTO Bobby Holley's statement that no bug was of a type an elite researcher couldn't have found comes from The Register report.
Source
- • https://www.cnbc.com/2026/05/11/openai-eu-cyber-model-anthropic-mythos-gpt.html
- • https://www.securityweek.com/claude-mythos-finds-271-firefox-vulnerabilities/
- • https://www.theregister.com/2026/04/22/mozilla_firefox_mythos_future_defenders/
- • https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities