The Patch Wave Nobody Is Ready For

On 2 June, Anthropic announced an expansion of Project Glasswing, its programme for putting Claude Mythos Preview into the hands of organisations that maintain the world's most consequential software. The original cohort of around fifty partners has reportedly identified more than ten thousand high- or critical-severity flaws since the spring. The new tranche adds approximately 150 organisations across more than fifteen countries, weighted towards sectors that were thinly represented the first time round: utilities, healthcare, communications, hardware makers, and the upstream vendors whose code quietly underpins almost everyone else. The unifying criterion, in Anthropic's own framing, is consequence. A successful attack on any one of them could touch upwards of a hundred million people.

Set the figures aside for a moment, because the passage worth reading in the announcement is the one where Anthropic describes its own role shifting. The company is now openly stating that the cybersecurity constraint has slid downstream. Discovery, the thing everyone feared frontier models would do at scale, has turned out to be the manageable end of the chain. The bottleneck is now verification, disclosure, patch authoring, and the unglamorous work of getting fixed software actually deployed across millions of estates that were never built to absorb a flood of advisories. Anthropic says as much and has started to reposition the programme accordingly, from finding vulnerabilities towards helping partners disclose and remediate them. It has also released a public-model product (currently in Beta for Enterprise customers), Claude Security, built on Opus 4.8, to scan codebases and propose patches for the wider market.

This is the part that should hold a strategist's attention because the same realisation is now appearing in regulatory machinery on both sides of the Atlantic, and the calendar is unforgiving.

The UK: a patch wave the system is not built to sustain

The National Cyber Security Centre has been unusually direct about this for several months. Its CTO, Ollie Whitehouse, has warned of a coming "patch wave", a forced correction that will work through years of accumulated technical debt across open source, proprietary, and SaaS estates alike. His argument is precise and uncomfortable. AI does not invent new categories of weakness so much as it collapses the cost of finding flaws that were already sitting there. The disclosures that follow will demand a patching tempo that most organisations are simply not structured to maintain.

The NCSC paired that warning with a checklist for any organisation tempted to point a model at its own code. The blunt message running through it is that finding more vulnerabilities does not, by itself, make you safer, and may make you less safe if you have no process to triage and fix what surfaces. The agency's guidance leads defenders first towards the external attack surface, then inward, and presses hard on the operational questions that get skipped in the rush: data leakage, sandboxing, the permissions granted to a model, and the legal jurisdiction of a hosted service.

That last point matters more than it first appears, and I will come back to it. Worth holding alongside all this is the NCSC and AI Safety Institute assessment from late March, which put a number on the offensive side of the ledger. A frontier model completed roughly half of a thirty-two step enterprise intrusion simulation, the sort of chain that would occupy a human specialist for the better part of two working days, at a cost of around £65 per attempt. The figure that should worry boards is not the headline cost but its trajectory. Inference gets cheaper, and the economics of automated intrusion improve with it.

The EU: reporting obligations go live in three months

While the UK frames this in advisory language, the European Union has hard dates. The Cyber Resilience Act entered into force in December 2024, and its full requirements came into effect on 11 December 2027. The date to circle, though, is 11 September 2026. From that point, manufacturers of products with digital elements must actively report vulnerabilities that are being exploited and serious incidents to ENISA through a single reporting platform within tight time windows.

That is roughly three months away. The CRA's reporting regime is, in effect, the regulatory plumbing built for exactly the disclosure volume that a programme like Glasswing generates. The Act also extends to open-source stewardship and mandates lifecycle vulnerability management and software bills of materials, which is to say it codifies the obligation to know what is in your product and to keep fixing it. The awkward arithmetic is that the obligation to report at pace arrives before most organisations have demonstrated they can patch at pace. Europe is about to discover, in public, how wide that gap really is.

The US: crowdsourcing the catalogue under strain

CISA's contribution to the same problem is its Known Exploited Vulnerabilities catalogue, the authoritative list of flaws under active exploitation and the spine of US federal remediation under Binding Operational Directive 22-01. Organisations remediate KEV-listed bugs markedly faster than others, which makes the catalogue one of the more effective interventions in the field.

In early May, CISA opened a nomination form inviting researchers to submit exploited vulnerabilities directly, a deliberate move to crowdsource exploitation intelligence and shorten the lag between something being weaponised in the wild and defenders being told. The logic mirrors the moment precisely. If AI is accelerating both the discovery and the exploitation of flaws, then coordinated disclosure has to speed up to keep pace, or the catalogue will fall behind the threat.

It is worth noting the conditions under which this is happening. CISA has spent much of 2026 under acute funding pressure. A threatened lapse in Department of Homeland Security appropriations early in the year put more than half its workforce at risk of furlough, several allied information-sharing programmes lost their funding outright, and the long-promised incident-reporting rule under CIRCIA slipped past its expected date. The body the US relies on to coordinate disclosure at a national scale is being asked to absorb an AI-driven surge in volume at a moment when its own footing has been anything but settled. That is not a comfortable position from which to meet a patch wave.

What the convergence actually tells us

Strip the three jurisdictions down, and they are saying the same thing in their own idioms. The UK warns that the tempo of fixing cannot keep up with the tempo of finding. The EU is about to make reporting that flood a legal obligation. The US is trying to widen the funnel of trustworthy disclosure even as its coordinating body runs short of resources. None of these is principally a technology problem any longer. They are problems of process, capacity, and institutional design, which is a far harder class of problem to solve and a far slower one.

This is where Anthropic's expansion becomes interesting from a governance standpoint, rather than merely a security one. A single private company is, in practice, standing up the disclosure-and-remediation infrastructure for critical software ahead of the state, and deciding who is admitted to it. Access to Mythos-class capability is gated by Anthropic's security requirements and extended to organisations that Anthropic judges to be both critical and trustworthy. That may well be the responsible course for now. It is also a substantial allocation of power over national resilience to a commercial actor, and it sits uneasily beside the NCSC's caution about the jurisdiction of hosted models. A European water utility or a British hospital trust running its source code through a US-hosted frontier model is making a sovereignty decision, whether or not it is framed as one.

There is a further claim in the announcement that deserves scrutiny. Anthropic frames the endgame as a permanent advantage for defenders: if defence can find and fix issues faster than attackers can find and exploit them, the balance tips in defence's favour. The trouble is that this rests on safeguards that, by Anthropic's own admission, no one has yet built. The company is candid that safely releasing Mythos-level capability to general access would require robust controls to prevent misuse, and that neither it nor, to its knowledge, anyone else has those controls today. The same post estimates that within six to twelve months, other developers will field Mythos-class models, and some may ship them without restraint.

That window is the real clock. Glasswing's expansion is best read as an attempt to bank a defender's lead before the capability proliferates and the asymmetry that currently favours the careful actor disappears. Whether the regulatory and institutional machinery now coming online can move fast enough to convert that lead into something durable is the open question. The CRA's September deadline, the NCSC's patch wave, and a resource-constrained CISA are all, in their own way, tests of whether slow institutions can keep pace with fast technology.

For defenders reading this from inside an organisation rather than from the regulatory gallery, the practical takeaway is the one the NCSC keeps repeating, and it bears restating without the drama. The advantage will not accrue to whoever finds the most vulnerabilities. It will accrue to whoever has built the boring capacity to act on what is found, at speed, before the same flaw is surfaced by someone with no interest in telling you first. The finding was always going to be the easy part. Everything that comes after it is the work.