Zafran Accepted into Anthropic's Cyber Verification Program

When Anthropic unveiled Project Glasswing in April, the security industry got its clearest signal yet of where AI-powered cybersecurity is heading. The same capabilities that let defenders audit the world's most important code can hand attackers an autonomous exploit factory. The power to find and fix is also the power to find and weaponize.

We argued then that defenders would need to move faster than the disclosure cycle: studying how vulnerabilities get found and exploited, so security vendors can prepare detection and mitigation ahead of public disclosure, the way Microsoft's MAPP program shares vulnerability intelligence with vendors before Patch Tuesday. Today we are putting that principle into practice. Zafran has been accepted into Anthropic's Cyber Verification Program (CVP).
‍

What the Cyber Verification Program is

A lot of legitimate defensive security work overlaps with techniques that can also be used offensively. Vulnerability research, exploitability analysis, adversarial simulation, and threat modeling all require reasoning about how an attacker would operate. Frontier models apply default safeguards to this kind of dual-use work, which can interrupt the research that defensive teams rely on.

The CVP is Anthropic's application-based program that lets vetted organizations carry out this legitimate dual-use research with fewer of those default interruptions, under Anthropic's security, confidentiality, and responsible-use requirements. Acceptance is scoped to defensive work and governed by Anthropic's controls.
‍

How we use the CVP

Verified access strengthens the research pipeline behind the platform in a few concrete ways.

We use it to study exploitability with more depth. Understanding whether and how a disclosed flaw can actually be exploited in a realistic environment is what separates a noisy vulnerability feed from an accurate read on risk. Dual-use research access lets our team reason through these questions the way an attacker would, then translate that understanding into detection and mitigation logic.

We use it to pressure-test our own detections. Running adversarial simulations against the controls we model helps us find where coverage is thin before an attacker does.

And we use it to keep our threat models current. As the tooling available to attackers evolves, our research has to evolve with it. The CVP gives our team a faster path to that work.

The output of all this research lands in the platform our customers already use. Customers interact with Zafran, not with the underlying research access.
‍

What changes for our customers

The Zafran platform was built for this. Our Exposure Graph maps every vulnerability finding to the compensating controls present in an environment, so when a new disclosure lands we can tell a security team which assets are exposed, which are already protected by existing defenses, and where the real gaps are. The Zero Day Agent runs that loop continuously, assessing exploitability against an organization's actual risk context and routing mitigation and remediation through the ticketing tools teams already use.

Feeding that pipeline with sharper, better-validated research means a shorter exposure window, mitigation that can start before a patch is available, and a clear, business-level answer to the question every board is now asking: are we exposed, and what are we doing about it.
‍

A durable advantage for defenders

Anthropic has framed its goal as a permanent advantage for defenders. We share that aim. Cheap, fast models with strong cyber capabilities are arriving within months, and many will reach attackers without the safeguards that keep them from being misused. The organizations that have built continuous, mitigation-first, automated programs before that happens will be the ones still standing when AI-powered exploitation becomes routine.

Being accepted into the Cyber Verification Program is a step toward making that advantage real for the critical infrastructure operators we serve. We will share more as the program develops.