Anthropic has launched Claude Security, a defensive vulnerability scanner for enterprise codebases, three weeks after its most powerful model Mythos alarmed governments worldwide including India. The tool runs on Opus 4.7, a model Anthropic deliberately built to be less capable than Mythos on cybersecurity tasks. It does not address Mythos-level vulnerabilities.
Does it address Mythos? Mythos is Anthropic’s most powerful model, capable of finding and exploiting software vulnerabilities autonomously across major operating systems and browsers, including bugs hidden for decades. Anthropic restricted it to roughly 40 companies under Project Glasswing, a cross-industry cybersecurity initiative, because of the threat it poses if misused.
On the day Mythos launched, a Discord group guessed its URL from Anthropic’s naming conventions, exploited contractor credentials, and accessed the model through a third-party vendor environment, raising questions about Anthropic’s ability to contain it. Anthropic said it is investigating the incident and found no impact on its core systems.
MediaNama founder Nikhil Pahwa identified the core structural problem in Reasoned last week: “A tool that compresses attack timelines without compressing defense timelines increases systemic risk before it improves security.”
Pahwa also flagged the institutional gap Claude Security does not close: “Vulnerabilities can now be surfaced at machine speed, while the systems responsible for fixing them still move through human, institutional timelines, often with the primary objective of protecting their reputation.”
How far behind is Opus 4.7? Anthropic has stated that it deliberately reduced Opus 4.7’s cyber capabilities during training compared to Mythos. On CyberGym, a UC Berkeley benchmark for cybersecurity capability, Mythos scored 83.1% against Opus 4.7’s 73.1%.
On the Firefox 147 exploit benchmark, Mythos produced 181 working exploits, code that actively takes advantage of a vulnerability to attack a system, compared to just 2 for Opus 4.6, a 90x gap. Anthropic calls Opus 4.7 the first model on which it has tested new cyber safeguards before any broader Mythos release.
What Claude Security is: Claude Security gives defenders a way to find and patch vulnerabilities in their own code before attackers using Mythos-grade tools find them. Teams scan their codebase directly from the Claude.ai sidebar with no Application Programming Interface (API) setup or custom agent build required.
Currently only GitHub-hosted code repositories, where teams store and manage their software code, are supported. Access is available now to Claude Enterprise customers, while Team and Max customers get access soon.
Claude Security reads source code, traces how data moves across different parts of the code, and reasons about how components interact. It generates a confidence rating for each finding, explains its severity, and produces a suggested patch that teams can work through in Claude Code. It does not match against a list of known bugs.
Public beta features:
- Scheduled scans: Set Claude Security to automatically scan code at regular intervals, so security checks happen continuously rather than only when a team remembers to run them
- Targeted scans: Scan a specific section of code rather than the entire codebase, useful when reviewing a particular update or feature
- Audit integration: Send scan results directly to tools like Slack or Jira that security and engineering teams already use, so findings reach the right people without extra steps
- Triage tracking: Dismiss findings with documented reasons, so future reviewers skip issues that have already been assessed and focus only on new ones.
Partners: Technology partners embedding Opus 4.7 into their existing enterprise security platforms:
Services partners deploying Claude-integrated security solutions for enterprises:
- Accenture
- BCG
- Deloitte
- Infosys
- PwC
“This is not AI simply augmenting security,” said Satish H.C., EVP and chief delivery officer at Infosys, in a statement to SecurityWeek. “It is AI redefining how enterprises defend themselves.”
India still locked out of Glasswing: No Indian company, bank, government agency, or telecom operator has secured admission to Project Glasswing. Ministry of Electronics and Information Technology (MeitY) Secretary S. Krishnan confirmed on April 28 that the government is still working out logistics with US authorities to include Indian entities. Nasscom has written to Anthropic arguing that Indian firms maintain critical code used by organisations worldwide and must be included. No resolution has been announced.
Finance Minister Nirmala Sitharaman chaired a meeting on April 23 with Reserve Bank of India (RBI), National Payments Corporation of India (NPCI), Indian Banks’ Association (IBA), and Indian Computer Emergency Response Team (CERT-In) officials, calling the Mythos threat “unprecedented.”
CERT-In has issued a high-severity advisory directing organisations to treat every critical vulnerability as exploitable within hours of disclosure, not weeks.
Airtel and Vodafone Idea are reviewing their network software vendors’ security practices. India’s 2018 data localisation rules create a direct compliance conflict that remains unresolved: payment system providers must store all transaction data on servers within India, while Mythos runs on strictly controlled US-based servers. NPCI has not publicly addressed this.
What Claude Security changes, and what it does not: Infosys, as a named services partner, can now deploy Claude Security to enterprise clients in India, giving Indian organisations an indirect path to Opus 4.7-powered vulnerability scanning. Indian companies still lack Mythos access, Glasswing membership, and a resolution to the data localisation conflict that blocks NPCI from using the model even if access comes through.
Pahwa set out the geopolitical dimension plainly in Reasoned: “Strategic technologies do not distribute their benefits evenly, even when their risks are universal. The strategic benefit flows first to the US and its allies. Mythos is built by a US company, access is gated by that company, and the capability is explicitly framed as part of maintaining technological lead. Meanwhile everyone is vulnerable.”
Pahwa drew an analogy to COVID-era vaccine distribution: “It is important to watch who gets access to the vaccines first.”
Indian policymakers, banks, and IT firms face the same unresolved question Mythos raised three weeks ago: how to defend against a weapon they cannot access, using a tool that is deliberately less capable than the weapon.
MediaNama has reached out to Anthropic for comment and will update this story if a response is received.