A genuine turning point in cybersecurity arrived this week, and Canada is now part of it. Anthropic, the company behind the Claude AI assistant, has built a model called Mythos that can find and break into software better than almost any human expert alive. It is being kept on a very short leash, and as of June 2, 2026, Canada has access to it through a program called Project Glasswing. Here is what it is, why it matters, and what it means for a small business that will never touch the model itself.
What Mythos actually is
Most AI you hear about writes emails or answers questions. Mythos does something different: pointed at a piece of software, it reads the code, forms a theory about where the weak spots are, runs the program to test those theories, and then writes a working exploit if it finds a way in. In short, it can find and exploit software vulnerabilities better than nearly every human security expert, and it does so at machine speed.
This is not a lab demo. In a matter of weeks, Mythos uncovered thousands of serious, previously unknown flaws in software the whole world runs, including a 27-year-old bug in OpenBSD and a 16-year-old flaw in a widely used media tool. Anthropic's first group of partners used it to find more than 10,000 vulnerabilities they rated highly or critically severe.
Why it is locked down
A tool that finds and exploits flaws this well is dangerous in the wrong hands, so Anthropic deliberately chose not to release Mythos to the public. Instead it created Project Glasswing: a tightly controlled program that puts the model to work on defense, finding and fixing flaws before criminals can use them.
Access is limited to a small set of vetted organizations: governments, operators of critical infrastructure, and major technology and security firms such as Amazon, Apple, Google, Microsoft, Cisco, CrowdStrike, NVIDIA, and Palo Alto Networks. Anthropic has committed up to 100 million US dollars in usage credits to keep the focus on defensive work.
Where Canada fits in
On June 2, 2026, the Canadian Centre for Cyber Security gained access to Mythos as Anthropic expanded the program to roughly 200 organizations across more than 15 countries. The Centre is Canada's national cyber agency, part of the Communications Security Establishment, and federal AI minister Evan Solomon confirmed the move.
Access in Canada is reserved for the organizations that protect essential services: power, water, healthcare, and national security. Individual small businesses are not on the list, and that is the right call given how powerful the tool is. The Centre framed it as a way to help Canada's cyber defenders understand vulnerabilities and strengthen protection for government services, critical infrastructure, and Canadian institutions.
Why this matters even if you never use it
You will not log into Mythos, but its arrival changes the ground under every business in two ways. The good news first: the software you depend on every day, your operating system, your browser, the tools your business runs on, is being hardened at a scale never seen before, as the biggest vendors find and patch decades-old flaws. Everyone benefits from a safer software supply chain, including the smallest shops.
The harder truth is the other side of the same coin. Mythos proves that AI can now find and exploit flaws faster than people can, and criminals are racing to build their own versions. The practical effect is blunt: the gap between a flaw becoming known and being attacked has collapsed from months to minutes. When a patch is released, the clock to apply it before someone exploits it is now far shorter than most small businesses are used to.
The comforting myth that dies here
If there was ever a reason to believe a small business flies under the radar, this ends it. AI scans the internet tirelessly and indiscriminately: it does not care whether you have five employees or five thousand, only whether you have an unpatched flaw it can reach. "We are too small to be a target" is no longer a survival strategy, if it ever was. The targeting is automated, and automation does not skip the little guys.