Hackuity Joins Anthropic's Cyber Verification Program

Ten hours. That's how long defenders now have between a vulnerability disclosure and the first exploitation attempt in the wild. In 2021, that window was 400 days. The math has changed permanently, and so has what it takes to stay ahead.

This is the context in which we decided to apply to Anthropic's Cyber Verification Program. Here's what that means, and why it matters for where we're heading.

What the CVP is

Claude, Anthropic's AI model, applies strict default limits on cybersecurity-related tasks. Things like exploit analysis, vulnerability exploitation, or offensive security tooling are restricted by default, because those capabilities sit on both sides of the attacker-defender line.

The Cyber Verification Program is Anthropic's application-based process to grant verified security organizations access to those dual-use capabilities for legitimate defensive work. Organizations apply, detail their use cases, and Anthropic reviews each request independently before granting clearance. Approved teams can then work with Claude on tasks that would otherwise be blocked, within the boundaries of Anthropic's security and responsible-use requirements.

It's free. It's selective. And acceptance reflects an independent review of what your organization actually does with AI.

Why we applied

Hackuity's core promise is simple: tell security teams what genuinely needs to be fixed, not just what scores high on paper. That requires more than theoretical severity. It requires understanding whether a vulnerability is actually exploitable in a specific environment, by a real attacker, given real conditions.

That kind of judgment demands offensive reasoning. Not because we're building attack tools, but because you cannot accurately assess exploitability without understanding how exploitation works.

We're actively exploring what frontier AI models can bring to that challenge. Can a Mythos-class model reason about exploitability with enough accuracy to change how we score risk? Can it help us validate findings in context, or anticipate how attackers are evolving their techniques? These are open questions we're investigating in R&D, including through concepts like Probe, our early-stage thinking on AI-assisted exploit validation.

CVP gives us the right framework to run that kind of research: with access to frontier capabilities, under proper oversight, and with a clear boundary between our internal research environment and the platform our customers use.
‍

What this does not change for customers

We want to be clear on this point. CVP access is strictly scoped to our internal research team. No customer data is involved. No findings, no assets, nothing from your environment reaches Anthropic's models through this program.

What we're exploring is how frontier AI can improve the intelligence and logic that powers our platform over time. The research happens on our side. What customers interact with is Hackuity, not the underlying models.

The direction we're heading

We're building Europe's AI-powered Exposure Management platform, one designed for a world where exploitation windows are measured in hours and AI is reshaping both attack and defense.

Understanding frontier AI capabilities, including their offensive potential, is not optional for a security vendor that wants to stay relevant. The CVP gives us a structured, responsible way to do exactly that.

The threats are moving faster. Our R&D has to move with them.