Anthropic's Mythos Model Discovers Vulnerabilities in Classified U.S. Government Systems During Testing
0xBroomberg
Anthropic's Mythos AI model identified multiple vulnerabilities in highly sensitive U.S. government computer systems within hours during a controlled test — but officials stress that finding flaws is not the same as exploiting them, and the result has become ammunition for both sides of the AI regulation debate.
What did this test actually do?
Through its Project Glasswing initiative, Anthropic partnered with U.S. intelligence agencies to let the Mythos model probe highly sensitive government computer systems.
The result: the model flagged several vulnerabilities in hours, not weeks. Senator Mark Warner put it bluntly at a hearing — "This tool nearly broke into all of our classified systems, not in weeks, but in hours," citing NSA Director Gen. Joshua Rudd.
A U.S. official added a critical qualifier: finding a vulnerability ≠ being able to exploit it. This means → the model showed it can "spot the keyhole," not "pick the lock" — a meaningful gap.
Why are Anthropic and the White House clashing?
The Trump administration issued a directive this month ordering Anthropic to bar foreign nationals from using its latest models, Fable 5 and Mythos 5.
Anthropic's response was aggressive: it shut off access to those models for all customers and publicly stated it did not consider the government's measures "necessary."
In plain terms = the government said "don't let foreigners use it"; Anthropic said "fine, nobody gets it" — a confrontational retreat-as-offense move.
What does the executive order framework look like?
Trump previously signed an executive order establishing a framework allowing the federal government to review the most advanced AI systems for national-security risks for up to one month before public release.
The key detail: developer participation is voluntary, not mandatory.
This means → the government has an "advisory right," not a "veto" — if a company refuses to cooperate, the framework has no enforcement mechanism.
What does the cybersecurity community think?
Over a hundred cybersecurity experts and executives from companies including Adobe and Nvidia sent a joint letter to the Trump administration demanding the Anthropic directive be rescinded.
The letter concedes that Mythos is "quite good" at discovering and weaponizing software vulnerabilities, but stresses it is "not uniquely capable" — many signatories already use other foundation and open-source models for security audits.
The letter's core warning: stripping away the best cyber-defense tools "without justification" while U.S. adversaries advance rapidly is itself a security risk.
The same AI capability — shield or spear?
BULL
Defense value proven
Finding classified-system flaws in hours validates AI-accelerated security audits.
Restrictions weaken defense
100+ experts warn that removing the best tool hands adversaries an edge.
BEAR
Offensive potential is equally real
The ability to find vulnerabilities can be weaponized — regulation has logic.
Voluntary framework lacks teeth
Review depends on voluntary participation; non-compliance renders it hollow.
In plain terms = both sides are right — AI is simultaneously the best security auditor and the most dangerous attack tool. The real policy challenge is keeping the shield without exposing the spear.
What is the core unresolved question?
Mythos's test results are being cited by both camps simultaneously: pro-regulation voices say "look, it can breach classified systems"; anti-regulation voices say "look, it can help us defend against attacks."
This reflects a fundamental dilemma in AI safety policy — the offensive and defensive properties of the same capability cannot be separated, yet the policy toolkit remains stuck on a binary "allow or ban" choice.
The NSA declined to comment; Anthropic's spokesperson did not respond. This means → both sides are waiting for the other to show their hand first — the standoff is far from over.
Content is for reference only, not financial advice.