IMPLICATOR
The National Security Agency has been testing Anthropic's restricted Claude Mythos Preview system to find security flaws in Microsoft software and other widely used programs, according to a U.S. official and another person familiar with the work. The trials come as Washington weighs wider government access to a general-purpose model now being used for defensive vulnerability research but powerful enough to raise misuse concerns. NSA and Anthropic declined to comment on the testing.
Key Takeaways
- The NSA is testing Claude Mythos Preview against Microsoft software and other widely used programs.
- Microsoft says Project Glasswing findings will move through MSRC, Update Tuesday, or out-of-band fixes.
- Anthropic says more than 99 percent of Mythos-discovered vulnerabilities were still unpatched on April 7.
- The White House is weighing broader agency access while Pentagon litigation continues.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
Microsoft becomes the test case
The NSA work, first detailed by Bloomberg, adds a more specific use case to the earlier report that the agency had access to Mythos. The officials told Bloomberg that staff in the NSA's cybersecurity directorate had been impressed by the tool's speed and efficiency, though they did not know whether the tests had found any bugs.
Microsoft wrote in an April 22 security blog that it is working with Anthropic through Project Glasswing and plans to incorporate advanced AI systems such as Claude Mythos Preview into its Security Development Lifecycle. The company stated that AI-assisted discoveries would move through its Microsoft Security Response Center process, including Update Tuesday or out-of-band fixes when appropriate.
A restricted model enters federal review
Anthropic announced Mythos Preview on April 7 and disclosed that the system had identified thousands of high and critical severity vulnerabilities during internal testing. Its technical writeup said "over 99%" of the vulnerabilities found during testing had not yet been patched. The post described only a small set of cases and recorded other findings through SHA-3 commitments rather than project names or exploit details.
OpenBSD's example centered on SACK handling in TCP, with code added in 1998. FFmpeg's H.264 case dated to a 2010 refactor of a codec introduced in 2003. Anthropic withheld most other examples until affected maintainers finish patching.
Track AI security policy before it moves
Strategic AI news from San Francisco. No hype, no "AI will change everything" throat clearing. Just what moved, who won, and why it matters. Daily at 6am PST.
No spam. Unsubscribe anytime.
Expansion is still contested
The White House has opposed Anthropic's plan to expand Mythos access to about 70 additional organizations, which would raise the total to roughly 120, according to the Wall Street Journal. The administration is weighing that security concern against demand from agencies that want the model for defensive work.
That demand sits beside a separate fight between Anthropic and the Pentagon. Defense Secretary Pete Hegseth has stated that the department would transition away from Anthropic services after a dispute over whether military contracts should permit all lawful uses. Anthropic has challenged the supply-chain risk designation in court, and federal agencies have continued using the company's products while the cases proceed.
The next decision is access
White House officials are also preparing a national security AI memo that could set rules for how agencies use multiple AI providers, contract with defense vendors and evaluate tools such as Mythos. Bloomberg reported that the memo is still subject to change and is not specific to Anthropic.
For now, the NSA testing gives Mythos a clearer federal role than the public Project Glasswing list showed. Microsoft is folding similar systems into its security process, Anthropic argues broad release would be unsafe, and the White House has to decide which agencies get access before comparable tools become common elsewhere.
Frequently Asked Questions
What did the NSA test Anthropic Mythos on?
Bloomberg reported that NSA staff tested Claude Mythos Preview against Microsoft programs and other widely used software. The sources did not say whether the work found any specific security bugs.
Why does Microsoft have access to Mythos?
Microsoft is part of Anthropic's Project Glasswing effort. In an April 22 security blog, Microsoft said it plans to use advanced AI models such as Mythos in its Security Development Lifecycle and route findings through its normal response process.
Why is Mythos restricted?
Anthropic says Mythos can find and help develop exploits for serious software vulnerabilities. The company released it only to selected partners and said broad access could help attackers before defenders patch affected systems.
What is the White House deciding?
Officials are weighing whether to permit wider government use of Mythos while limiting access for security reasons. The White House has opposed one Anthropic plan to expand access to roughly 70 more organizations.
How does this affect the Pentagon fight?
The testing does not resolve Anthropic's dispute with the Pentagon. The department still wants broader military-use terms, while Anthropic is challenging the supply-chain risk designation in court.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
Marcus Schuler
Editor-in-Chief and founder of Implicator.ai. Former ARD correspondent and senior broadcast journalist with 10+ years covering tech. Writes daily briefings on policy and market developments. Based in San Francisco. E-mail: [email protected]
