Last week, US tech firm Anthropic expanded Project Glasswing - its tightly controlled rollout of Claude Mythos Preview - to Australia and New Zealand. The model’s ability to uncover software vulnerabilities at a scale previously unimaginable may be about to rewrite what cyber risk looks like on both sides of the Tasman.
The model, initially restricted to around 50 US tech firms when it launched in April, has now been extended to approximately 150 organisations across 15 countries, including government agencies, banks and private companies in both Australia and New Zealand operating critical infrastructure. Anthropic’s announcement about this expansion was stark and somewhat apocalyptic: each partner was selected because a successful attack on their codebase “could be catastrophic,” potentially affecting more than 100 million people.
For Jeffrey Gonlin, chief underwriter at Emergence Insurance - which underwrites cyber risk across both markets - the arrival of Mythos-class AI in the region is less a surprise than a reckoning long in the making. “No interview would be complete without mention of AI,” he told Insurance Business with characteristic dryness - before making clear that the implications are anything but routine.
Before the Mythos expansion into ANZ, Anthropic briefed a range of critical infrastructure stakeholders including the Reserve Bank of Australia (RBA), Treasury, Australian Signals Directorate (ASD) and New Zealand’s National Cyber Security Centre (NCSC). Official statements from these government agencies “welcomed” the engagement without drawing too much attention to cyber-related developments that were probably already alarming insurers and brokers.
During an interview with IB, one important detail stopped Gonlin mid-thought: in the weeks since Project Glasswing’s initial cohort began scanning their codebases, Mythos Preview surfaced more than 10,000 high- or critical-severity security flaws - weaknesses that had been sitting, undetected, inside some of the world’s most hardened systems.
“Nobody knows how stuff like Mythos is going to impact us, but they’ve got these 10,000-plus vulnerabilities they’ve discovered,” he said. The implication was clear: if a controlled, well-resourced defensive deployment can find that many holes, the question for underwriters is what a less scrupulous actor - or an unguarded model - might do with the same capability.
Gonlin sees the threat landscape not as a single shock event but as a compounding problem, where each new AI enabler accelerates the last. Cyber criminals, he argues, have spent years refining their targeting - moving from opportunistic attacks on individual businesses toward precision strikes on shared platforms, supply chains and sector-wide infrastructure. The CrowdStrike outage, the MOVEit breach, the Canvas learning management incident affecting 9,000 US educational institutions in a single hit - these are the shape of things to come, not outliers from the past.
AI doesn’t change the logic. It supercharges it. “It might be that AI just makes everybody a super cyber criminal, and that turbocharges everything,” Gonlin said.
For brokers advising SME clients in Australia and New Zealand - where small and medium businesses form the backbone of both economies and are chronically underinsured against cyber risk - that is not an abstract warning. It is the reason a manufacturer’s cyber policy is underwritten differently than it was three years ago, and why the shared platforms those businesses depend on now represent an exposure that sits partly outside their control. The risk does not stop at the Tasman.
And yet Gonlin is not pessimistic - at least not entirely. His frustration is reserved for the structural incentives that have made software insecure in the first place: the decades-long race to ship fast, patch later and treat security as an afterthought in the development cycle. If AI helped create the problem, he argues it can also help dismantle it.
“I’m hoping that AI can change the economics of that phenomenon,” he said, “by reducing the cost, by expediting and providing a rigorous testing process - ultimately resulting in safer software.” It could be, in essence, what Project Glasswing is attempting to institutionalise: using Mythos-level capability to find and fix vulnerabilities before adversaries can exploit them.
The medium-term outlook, in his view, could be one where AI tilts the balance back toward defenders - not because the threat disappears, but because the cost of building secure software falls dramatically. For the brokers and underwriters navigating an increasingly complex risk environment across Australia and New Zealand, that would be welcome news.