IMPLICATOR
Anthropic has placed about half a dozen of its engineers inside the U.S. National Security Agency to help deploy Mythos, its most capable cyber model, for offensive operations, the Financial Times reported Thursday, citing two people familiar with the arrangement. The engineers work as "forward-deployed" staff, customizing a model Anthropic has declined to release publicly on misuse grounds; one person told the FT it would be useful for infiltrating networks in nations such as China or Iran. It remains unclear whether they are assisting active operations. The work proceeds while Anthropic sues the Pentagon, which oversees the NSA, over how its models are used in war.
Anthropic has built its public identity on the uses it refuses. It sought to restrict Claude's use for mass surveillance of Americans and autonomous weapons, and the Pentagon branded it a "supply-chain risk" for the resistance, the first such designation against an American company. The NSA work shows where those refusals stop. Anthropic balked at the uses that carry reputational and legal cost at home, and it staffed the one aimed outward, helping a U.S. intelligence agency deploy a model built for offensive cyber.
Key Takeaways
- Anthropic embedded about six "forward-deployed" engineers inside the NSA to deploy its Mythos cyber model for offensive operations, the Financial Times reported.
- The arrangement runs alongside Anthropic's lawsuit against the Pentagon, which blacklisted it as a "supply-chain risk" over limits on Claude's military use.
- Anthropic calls Mythos too dangerous to release publicly, yet expanded access to about 150 organizations across 15-plus countries on June 2.
- The disclosure lands days after Anthropic filed confidentially for an IPO at a valuation near $1 trillion.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
What Anthropic's red team disclosed in April
In an April 7 post, Anthropic's red team said Mythos Preview could find and exploit zero-day vulnerabilities in "every major operating system and every major web browser" when a user directed it to. The oldest flaw it found was a 27-year-old bug in OpenBSD, an operating system built around security. A complete exploit pipeline against a complex Linux target ran under a day at a cost below $2,000, the post said, and roughly a thousand OpenBSD vulnerability searches cost under $20,000 in total. Engineers with no security training asked the model for remote-code-execution bugs overnight and woke to working exploits.
Britain's AI Security Institute, testing the model independently, found it solved 73% of expert-level tasks that no model could complete before April 2025, and became the first to finish a 32-step simulated corporate-network attack, in 3 of 10 attempts. Anthropic restricted Mythos to about 50 mostly U.S. partners under a program it calls Project Glasswing, saying it lacks the safeguards needed to prevent serious misuse.
Get Implicator.ai in your inbox
Strategic AI news from San Francisco. No hype, no "AI will change everything" throat clearing. Just what moved, who won, and why it matters. Daily at 6am PST.
No spam. Unsubscribe anytime.
Hegseth's supply-chain-risk label
The NSA arrangement sits against an unresolved fight with the same department over Anthropic's other models. In early March, Defense Secretary Pete Hegseth designated the company a supply-chain risk after talks collapsed over Anthropic's request to limit Claude in domestic surveillance and autonomous weapons. Anthropic sued, citing the First Amendment, and this week the department told a federal appeals court that Hegseth had denied its request to reconsider. President Trump has ordered the Pentagon to remove Claude from its systems by August.
The case has drawn sharp questioning, though not in one direction. "For the life of me, I do not see any evidence of maliciousness," Judge Karen Henderson said at May oral arguments, referring to a Pentagon memo that accused Anthropic of "mal-intent." A majority of the three-judge panel, even so, appeared disposed to let the designation stand. In the same weeks, a company that fought to keep Claude out of warfighting has had its own engineers inside the NSA, which the department runs, working on the most powerful cyber model it has built.
Know someone who'd find this useful? ✉️ Email it to a friend in one click, or they can subscribe free here.
From 50 partners to 150
On June 2, Anthropic widened access to Mythos to about 150 organizations across more than 15 countries, up from the roughly 50 mostly U.S. partners admitted in April. The new cohort, the FT reported, includes Okta, Samsung, NATO, and the EU's cybersecurity agency, ENISA. Partners have surfaced more than 10,000 high- or critical-severity flaws, and an internal Anthropic scan of 1,000 open-source projects flagged 23,019 potential vulnerabilities, 6,202 of them estimated high or critical.
Anthropic presents the restricted release as a safety measure. But vulnerability-hunting AI was not scarce to begin with. "We've been able to use AI to find more bugs than we know what to do with for months if not years," one researcher with early Mythos access told Reuters, which reported in May that fears about the model were overstated. The controlled rollout has not kept the capability rare so much as decided who holds it. Those holders now include the NSA itself, alongside the security agencies, chipmakers, and telecom operators among the 150 organizations admitted to Project Glasswing, days after a funding round valued Anthropic near $1 trillion and it filed confidentially for an IPO. Its annualized revenue is on track to reach $50 billion by the end of June, up from $9 billion at the end of 2025.
Anthropic's defenders call the NSA work unavoidable. "The best way to build a good defence is to build a good attack," a person close to the company told the FT, arguing that adversaries will build their own attack agents regardless. The three-judge panel in Washington is still weighing whether Hegseth's designation stands, and the Pentagon's deadline to drop Claude from its systems falls in August. Anthropic's confidential IPO filing will eventually move its finances into public view.
Frequently Asked Questions
What is Claude Mythos?
Mythos is Anthropic's most capable cyber model, able to find and exploit zero-day software vulnerabilities. Anthropic's red team said it cracked flaws in every major operating system and browser, including a 27-year-old OpenBSD bug, and built working exploits for under $2,000. The company has declined to release it publicly, citing misuse risk.
What is Anthropic doing at the NSA?
The Financial Times reported Anthropic placed about half a dozen "forward-deployed" engineers inside the National Security Agency to help deploy Mythos for offensive cyber operations and customize it for specific uses. It remains unclear whether the engineers are assisting active operations.
Why is Anthropic suing the Pentagon?
In early March, Defense Secretary Pete Hegseth designated Anthropic a "supply-chain risk" after the company sought to limit Claude's use in domestic surveillance and autonomous weapons. Anthropic sued, the first such designation against a U.S. company. The Pentagon has denied its request to reconsider, and a three-judge panel is weighing the case.
How many organizations can use Mythos?
Anthropic expanded access on June 2 to about 150 organizations across more than 15 countries, up from roughly 50 mostly U.S. partners in April, under a program it calls Project Glasswing. Named members include Okta, Samsung, NATO, and the EU cybersecurity agency ENISA.
Is Mythos as dangerous as feared?
Views differ. Anthropic restricted release because Mythos can autonomously exploit vulnerabilities, and the UK AI Security Institute found it solved 73% of expert-level tasks. But Reuters reported in May that fears were overstated, quoting a researcher who said vulnerability-hunting AI has been available "for months if not years."
AI-generated summary, reviewed by an editor. More on our AI guidelines.
Marcus Schuler
Editor-in-Chief and founder of Implicator.ai. Former ARD correspondent and senior broadcast journalist with 10+ years covering tech. Writes daily briefings on policy and market developments. Based in San Francisco. E-mail: editor@implicator.ai
