NSA uses Anthropic's Mythos AI despite Pentagon supply-chain risk label

Strategic Overview

  • 01. The NSA is using Anthropic's Claude Mythos Preview to scan environments for exploitable vulnerabilities, even though its parent agency, the Department of Defense, has formally designated Anthropic a 'supply chain risk.'
  • 02. Mythos Preview was withheld from public release because it can autonomously identify and exploit zero-day vulnerabilities across every major operating system and browser when directed, with Anthropic reporting working exploits on the first attempt in over 83% of tested cases.
  • 03. Access is restricted to roughly 40 organizations via Anthropic's Project Glasswing program, bundled with $100M in usage credits; only about 12 partners have been publicly named, and the NSA and the UK's AI Security Institute are among the recipients.
  • 04. CEO Dario Amodei met White House Chief of Staff Susie Wiles and Treasury Secretary Scott Bessent on April 17-18, days before Axios broke the NSA story on April 19.

Deep Analysis

The mechanism: why Mythos is 'too dangerous' for an open release

Mythos Preview is not a general-purpose chatbot with a red-team skin. According to Anthropic's own disclosure, the model is 'capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so.' That is the rationale Anthropic offers for withholding it from public release and parceling access to roughly 40 organizations via Project Glasswing. In practice, Mythos compresses the most labor-intensive phase of offensive cybersecurity — enumerating bugs in complex, unfamiliar codebases — into automated runs.

The UK AI Security Institute's evaluation puts hard numbers on the shift. AISI reported a 73% success rate on expert-level capture-the-flag challenges and recorded Mythos as 'the first model to solve TLO from start to finish, in 3 out of its 10 attempts' on The Last Ones, a 32-step cyber range that takes human experts around 20 hours. Anthropic's own disclosures claim working exploits on the first attempt in more than 83% of tested cases, including vulnerabilities in code more than 27 years old. That is the capability profile the NSA is reportedly pointing at its own networks for defensive scanning — and the same profile that has the Bank of England privately briefing banks.

The policy contradiction: one agency bans the vendor its sibling depends on

The surface-level shock of the Axios scoop is a Catch-22 inside the U.S. government. The Department of Defense designated Anthropic a 'supply chain risk' on Feb 28, 2026, with language explicit enough to quote directly: 'No contractor, supplier, or partner that does business with the United States military may conduct any commercial activity with Anthropic.' The NSA is a combat support agency that reports, organizationally, through the DoD. Yet it is reportedly using the most offensive-capable model Anthropic has ever built, while its parent agency tells everyone else in the defense industrial base to unwind their Anthropic relationships.

That tension is not incidental — it is structural. The dispute began when Anthropic refused a Pentagon demand for unrestricted use of Claude for 'all lawful purposes,' a scope broad enough to include offensive operations that conflict with Anthropic's usage policy. The DoD's response was to cut off commercial channels; the NSA's response, apparently, was to take Mythos anyway through the Glasswing allow list. It is hard to read the April 17-18 meeting between Amodei, Susie Wiles, and Scott Bessent as anything other than a West Wing attempt to paper over a policy that the intelligence community has already voted against with its usage logs.

Follow the money: a $200M contract, $100M in credits, and a bank-sector land grab

Mythos is wrapped in a commercial strategy that looks less like a product launch and more like a coalition build. Project Glasswing bundles $100M in usage credits across the ~40 participating organizations, with an additional $2.5M earmarked for open-source maintainers and $1.5M flowing to the Apache Software Foundation. The partner list — AWS, Apple, Google, Microsoft, NVIDIA, Cisco, Broadcom, CrowdStrike, Palo Alto Networks, JPMorgan Chase, the Linux Foundation — is effectively the defender side of the global attack surface. Anthropic is subsidizing them to pre-harden infrastructure before a similar capability leaks into the wild.

The financial-services thread is where the story quietly sharpens. Disruption Banking reports that Goldman Sachs, Citi, Bank of America, Morgan Stanley, and JPMorgan are already running internal Mythos trials, even as Andrew Bailey calls the situation 'a very serious challenge for all of us' and Christine Lagarde concedes regulators still lack a framework 'to actually mind those things.' Meanwhile the original $200M Pentagon contract from July 2025 — which made Claude the first frontier model on classified networks — is the backdrop that makes the DoD's blacklist look less like procurement hygiene and more like leverage in a contract renegotiation that Anthropic refused to lose.

The contrarian read: is the blacklist even legally real?

A strand running through the public discussion pushes back on the premise that the supply-chain-risk label carries the weight it is reported to. The argument, voiced across the AI and technology subreddits, is that Anthropic does not appear on the standard FAR or DFARS supply-chain-risk lists that contractors actually check before signing. One recurring point is that Anthropic's court filings benefit from exactly the kind of NSA-is-still-using-it evidence Axios surfaced: the lawsuit can cite operational use to rebut the risk framing. Among the developer and engineering-YouTube crowd, the dominant framing is not fear but skepticism of the Pentagon's coherence — a version of 'if it were really dangerous, why is its parent agency quietly running it?'

There is a second contrarian angle worth flagging without endorsing: whether Mythos's capability claims are partly marketing theater. A minority view across the community points out that the most spectacular Mythos results appear in security-coded contexts and that 'thousands of zero-days' is exactly the number a company would want in the press during a Pentagon fight. Peter Swire's line that 'a large fraction of the cybersecurity professors believe this is pretty much what was expected' lands in similar territory — not denying the capability, but puncturing the sense that it arrived from nowhere. Taken together, the skeptics are not arguing Mythos is fake; they are arguing both the threat and the ban may be more performative than the headlines suggest.

Why now: the scoop lands in the gap between a court reversal and a White House huddle

Timing is the most underrated part of this story. Anthropic won an injunction against the DoD designation on March 26, then lost it on appeal on April 8. Mythos Preview was announced April 7, one day before the appeals ruling reinstated the blacklist. Amodei sat down with Wiles and Bessent on April 17-18. Axios published the NSA story on April 19. Each beat compresses the next.

The sequence matters because it suggests the leak is doing political work. With the designation legally back in force, the NSA disclosure reframes the debate from 'should the Pentagon trust Anthropic?' to 'what does it mean that the Pentagon's own signals-intelligence arm already does?' Michael Hayden's description of the Pentagon's move as 'a profound departure from its intended purpose' captures the discomfort among former intelligence principals; Ciaran Martin's dry note that Mythos is 'a big deal, but it's unlikely to prove to be the end of the world' captures the working practitioners' view. Both can be true at once — and both cut against a clean Pentagon narrative right at the moment Anthropic needs the White House to intervene.

Historical Context

  • 2025-07: Anthropic signs a $200M contract with the Pentagon; Claude becomes the first frontier model deployed on classified networks.
  • 2025-09: Negotiations stall after Anthropic declines the DoD's demand for unrestricted 'all lawful purposes' use of Claude.
  • 2026-02-27: Secretary Hegseth issues an ultimatum to Anthropic's CEO over military-use terms.
  • 2026-02-28: DoD publicly designates Anthropic a 'supply chain risk,' barring military contractors from commercial business with the company.
  • 2026-03-06: Formal supply-chain-risk notification is issued; Anthropic sues the administration over the designation.
  • 2026-03-26: A federal judge grants Anthropic a preliminary injunction against the DoD designation.
  • 2026-04-07: Anthropic announces Mythos Preview and Project Glasswing, restricting access to about 40 critical-industry partners.
  • 2026-04-08: An appeals court reinstates the Pentagon's supply-chain-risk designation against Anthropic.
  • 2026-04-17: Amodei meets White House Chief of Staff Susie Wiles and Treasury Secretary Scott Bessent to discuss Mythos use in government.
  • 2026-04-19: Axios breaks the story that the NSA is using Mythos Preview for vulnerability scanning despite the Pentagon designation.

Power Map

Key Players

Anthropic

Model maker; refused a Pentagon demand for unrestricted 'all lawful purposes' military access and is suing the administration over the supply-chain-risk designation.

National Security Agency (NSA)

Operational user of Mythos Preview for vulnerability scanning, reportedly deploying a model the rest of the DoD has told its contractors to avoid.

Department of Defense / Secretary Pete Hegseth

Issued the supply-chain-risk designation on Feb 28, 2026, barring military contractors from doing commercial business with Anthropic.

White House (Wiles, Bessent)

Met Amodei on April 17-18 in an apparent de-escalation push, days before the NSA story broke.

UK AI Security Institute (AISI)

Pre-release evaluator; publicly confirmed access and published cyber-capability test results, including a 73% success rate on expert-level CTFs.

Bank of England / ECB (Andrew Bailey, Christine Lagarde)

Financial regulators briefing major banks about Mythos-era cyber risk, even as Goldman, Citi, BofA, Morgan Stanley, and JPMorgan run internal Mythos trials.

Project Glasswing partners

The ~40-org allow list — including AWS, Apple, Google, Microsoft, NVIDIA, Cisco, Broadcom, CrowdStrike, Palo Alto Networks, JPMorgan Chase, and the Linux Foundation — sharing $100M in usage credits.

THE SIGNAL.

Analysts

"Frames Mythos as an incremental advance dressed up as a breakthrough: 'a large fraction of the cybersecurity professors believe this is pretty much what was expected.'"

Peter Swire
Professor, Georgia Tech; former Clinton and Obama White House privacy advisor

"Measured assessment that Mythos matters but is not catastrophic: 'It's a big deal, but it's unlikely to prove to be the end of the world.'"

Ciaran Martin
Oxford professor; founding CEO of the UK National Cyber Security Centre

"Calls offensive-capable AI in the wild 'a very serious challenge for all of us,' and is quietly briefing UK banks about exposure."

Andrew Bailey
Governor, Bank of England

"Views the Pentagon's move to cut off Anthropic as 'a profound departure from its intended purpose,' suggesting unease among former intelligence leadership."

Michael Hayden
Former CIA Director

"Argues Mythos marks an inflection point: it 'represents a step change in that trajectory, autonomously finding thousands of critical vulnerabilities across every major operating system and browser, generating working exploits without human guidance.'"

Cloud Security Alliance / CSO Online analysis
Industry cybersecurity research

The Crowd

"JUST IN: The NSA has reportedly been using Claude Mythos despite Anthropic's "supply chain risk" designation."

@@Polymarket2200

"SCOOP: The NSA is using Anthropic's Mythos despite top officials at the Department of Defense — which oversees the NSA — insisting the company is a "supply chain risk". Scoop: NSA using Anthropic's Mythos despite Defense Department blacklist"

@@axios982

"Reports say the NSA is using Anthropic's Mythos, an AI so powerful it was deemed too dangerous for public release. Mythos can find and exploit software vulnerabilities in hours. What used to take hackers months, it does before lunch. Singapore's government has already told [...]"

@@LarkDavis182

"Scoop: NSA using Anthropic's Mythos despite blacklist"

@u/4576556761311

Broadcast

The AI Model That Frightens Wall Street

Mythos is real and it scares me...

The AI Model TOO POWERFUL to be Released to the Public...