Anthropic Selects Zafran for Mythos-Class Cyberdefense

When Anthropic unveiled Claude Mythos Preview and Project Glasswing in April, our co-founder and CTO Ben Seri called it cybersecurity's Manhattan Project moment. The same model that lets defenders audit the world's most important code also hands attackers an autonomous exploit factory. The power to find and fix is the power to find and weaponize.

We argued that defenders would need early visibility into the vulnerabilities Mythos surfaces, so security vendors could prepare detection and mitigation ahead of public disclosure, the way Microsoft's MAPP program shares vulnerability intelligence with vendors before Patch Tuesday. Today we are putting that principle into practice. Zafran has been selected for Anthropic's Cyber Verification Program.

What the Cyber Verification Program is

The Cyber Verification Program gives a vetted group of organizations access to advanced cyber capabilities for defensive use, under Anthropic's security, confidentiality, and responsible-use requirements. In announcing the program's latest expansion, Anthropic will "grant Mythos-class capabilities” to organizations for specific cyberdefense tasks.

For Zafran, participation means our platform is gaining verified access to those capabilities, scoped to defensive work and governed by Anthropic's controls.

Why this matters for the organizations we defend

Zafran protects many of the largest critical infrastructure organizations in the country, including Fortune 50 financial and healthcare institutions, along with utilities and other operators of the systems that millions of people depend on every day. These are the organizations where the patch-to-deploy gap is most dangerous. The window between a patch becoming public and a working exploit appearing has collapsed to hours, while deploying that patch across a regulated, legacy-heavy environment still takes weeks or months. Mythos-class models widen that gap by surfacing critical vulnerabilities at a volume the existing security infrastructure was never built to absorb.

Closing that gap takes two things. First, a precise read on which disclosed vulnerabilities actually create risk in a given environment. Second, the ability to act immediately, through compensating controls already in place, while a patch works its way through change management. Early, verified visibility into Mythos-class findings strengthens both, and it lets us prepare protections before a flaw is public rather than after.

What changes for our customers

The Zafran platform was built for this moment. Our Exposure Graph already maps every vulnerability finding to the compensating controls present in an environment, so when a new disclosure lands we can tell a security team which assets are exposed, which are already protected by existing defenses, and where the real gaps are. The Zero Day Agent runs that loop continuously, assessing exploitability against an organization's actual risk context and routing mitigation and remediation through the ticketing tools teams already use.

Our place in the Cyber Verification Program feeds that pipeline with earlier and higher-fidelity signal. The practical result for customers is a shorter exposure window, mitigation that starts before a patch is available, and a clear, business-level answer to the question every board is now asking: are we exposed, and what are we doing about it.

A durable advantage for defenders

Anthropic has framed its goal as a permanent advantage for defenders. We share that aim. Cheap, fast models with strong cyber capabilities are coming within months, and many will arrive without the safeguards that keep them from being misused. The organizations that have built continuous, mitigation-first, automated programs before that happens will be the ones still standing when AI-powered exploitation becomes routine.

Being selected for the Cyber Verification Program is a step toward making that advantage real for the critical infrastructure operators we serve. We will share more as the program develops.