Anthropic Mythos AI cybersecurity concerns

The most consequential thing about the Mythos story isn't what the model can do — it's what the model is doing to the US national-security apparatus. According to Axios and TechCrunch reporting, the NSA appears to be among the roughly 40 organizations with Mythos Preview access, using it primarily to scan environments for exploitable vulnerabilities. That is a direct offensive-signals-intelligence use case, executed through Anthropic's restricted Project Glasswing channel. Simultaneously, the Department of Defense has formally labeled Anthropic a 'supply-chain risk' after the company refused to grant Pentagon officials unrestricted access to its models' full capabilities, particularly for mass-surveillance and autonomous-weapons use cases.

These two facts cannot be comfortably reconciled. The Pentagon is saying Anthropic cannot be trusted as a government vendor. The NSA is operating Anthropic's most capable offensive tool against real targets. The White House response — Dario Amodei meeting Chief of Staff Susie Wiles and Treasury Secretary Scott Bessent on April 17 — suggests the administration sees the friction itself as the problem to be managed, not either side's position. For enterprise security teams, the practical takeaway is that US government policy on frontier AI is no longer a single-valued function: the same model can be blacklisted and operationally deployed by different arms of the same government on the same day. Procurement, export-control, and third-party-risk playbooks assuming a unified federal stance will need to account for this fracture.

Anthropic did not simply decline to release Mythos; it built an entire alternative distribution model around the decision. Project Glasswing gives access to roughly 40 critical-infrastructure organizations — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks among them — backed by $100 million in Mythos usage credits and $4 million in direct donations split between Alpha-Omega/OpenSSF ($2.5M) and the Apache Software Foundation ($1.5M). Post-preview API pricing is set at $25 per million input tokens and $125 per million output tokens for Glasswing participants.

This is a meaningfully new posture in AI distribution. Historically, frontier models ship publicly (with safety filters) or stay fully internal. Glasswing is a third option: the vendor pre-selects a closed club of defenders, front-loads subsidy, and uses the restricted phase to burn down as much of the attack surface as possible before wider release. Anthropic says Mythos has already identified thousands of high- and critical-severity zero-days, including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg H.264 codec flaw — vulnerabilities that sat latent for decades until a sufficiently capable model looked. The template has obvious appeal — aligned incentives between vendor and defenders, concentrated remediation capacity — and obvious hazards: the vendor becomes de facto arbiter of who counts as a legitimate defender, and any breach of the inner ring (unauthorized access to Mythos was reported within days of the preview) becomes a single point of failure for the entire approach.

Not everyone is buying the apocalyptic framing, and the skeptics include people whose views normally carry weight. OpenAI's Sam Altman, on the Core Memory podcast, accused Anthropic of 'fear-based marketing,' comparing the messaging to selling a bomb shelter for $100 million after announcing you've built the bomb. Georgia Tech's Peter Swire — a former Clinton and Obama White House advisor — told Scientific American the announcement was 'very dramatic and was a PR success, if nothing else,' adding that many cybersecurity academics view Mythos as an expected incremental step rather than a paradigm shift. Oxford's Ciaran Martin, former CEO of the UK National Cyber Security Centre, called Mythos 'a big deal' but unlikely to be 'the end of the world.' On Reddit, communities covering the announcement skew sharply in the same direction, with the dominant sentiment treating the 'too dangerous to release' positioning as marketing theater — especially after the unauthorized-access leak.

The economic logic is the sharpest contrarian point: if Mythos were truly as far ahead of the field as Anthropic implies, the profit-maximizing move would be to keep it in-house and monopolize the vulnerability-research market, not license it out for $25 / $125 per million tokens to eleven of the world's biggest tech and finance firms. The counter-read is that Anthropic's strategy is coherent precisely because Mythos is a big step but not a singular one — the company expects competitors to arrive at comparable capability soon, so the play is to set the defender-first norm now and capture the associated brand, policy access, and enterprise relationships. Both readings can be true. What they share is a warning against taking any single party's framing at face value: the vendor's, the regulator's, or the competitor's.

The benchmarks behind the Mythos narrative are concrete enough to scrutinize. Anthropic's red-team disclosure reports that Mythos produced working Firefox exploits 181 times compared to just 2 successes for Claude Opus 4.6 — a roughly ninety-fold step. On OSS-Fuzz benchmarks the model triggered 595 crashes at tiers 1 and 2, and achieved full control-flow hijack on 10 separate fully-patched targets. Engineers at Anthropic with no formal security training reportedly asked Mythos to find remote-code-execution vulnerabilities overnight and woke to complete working exploits.

The UK AI Safety Institute's independent evaluation adds external ballast: Mythos solved expert-level CTF tasks 73% of the time and became the first model to complete AISI's 'The Last Ones' simulated multi-stage attack scenario end-to-end, doing so in 3 of 10 attempts. These are the numbers regulators are reacting to, and they also represent the strongest case against the Altman-Swire skepticism — the jump between Opus 4.6 and Mythos Preview on the same internal benchmarks is not a marketing artifact. What the benchmarks cannot settle is the question Ciaran Martin raises: whether this level of offensive capability, in the hands of ~40 pre-cleared defenders plus an unknown number of adversaries racing to build equivalents, tilts net security toward safer or more dangerous.

While Washington was still negotiating with itself, Singapore activated the first pan-regional financial-sector response to a named frontier AI model. The Monetary Authority of Singapore urged financial institutions to 'redouble efforts to strengthen their security defences, pro-actively identify and close vulnerabilities, and raise vigilance on cyber hygiene, including timely security patching.' The Hong Kong Monetary Authority and South Korea's Financial Supervisory Service followed with parallel outreach to major banks and their information-security officers, and Australian regulators ASIC and APRA are among those monitoring the situation.

The speed and coordination matter. The typical regulatory lag between a frontier AI capability announcement and a sectoral supervisor response is usually measured in quarters or years, not days. That it happened in days here reflects two things: first, the cyber mechanism is unusually legible to financial regulators — patch faster, scan harder, raise hygiene — in ways that more speculative AI harms are not. Second, Asian regulators are demonstrating a muscle memory for cross-border coordination on cyber threats that their US and European counterparts have not yet visibly activated around Mythos. For multinationals, the operational implication is that the Asia financial cluster is where Mythos-related compliance pressure will show up first, with examination questions, attestation requirements, and patching-cadence expectations likely to tighten before similar pressure arrives elsewhere.