The Associated Press reports that Anthropic’s Mythos model, running red-team exercises with U.S. intelligence agencies under an Anthropic initiative called Project Glasswing, identified vulnerabilities in highly sensitive classified U.S. government computer systems. Senator Mark Warner, citing General Joshua Rudd, head of the National Security Agency and U.S. Cyber Command, said: “This tool broke into almost all of our classified systems, not in weeks but in hours.” Mythos identified the holes with exploitation outside the scope of the exercise. The Washington Post, CNBC, Euronews, and SecurityWeek corroborated.
Twelve days earlier, the Trump administration directed Anthropic to disable Mythos 5 and Fable 5 for foreign nationals over national-security concerns. At the time, the directive read as opaque and overbroad. The Glasswing disclosure explains it. The government has classified a frontier model as a cyber weapon and is moving to restrict its distribution the way it would restrict any other dual-use capability with strategic consequences.
Classified government systems are not the same as a corporate network. The part that matters for executives is the speed. A frontier AI model found unknown weaknesses in some of the most defended systems in the world, and it found them in hours instead of weeks. When that same kind of capability shows up in the hands of attackers going after companies – and it will – the assumption that your security team has weeks to find and fix a serious flaw stops being safe. The clock on the defensive side gets compressed by an order of magnitude while the offensive side just runs a model.
This is going to happen sooner than most of us think. Frontier capability from Anthropic, OpenAI, and Google sits in roughly the same neighborhood, and freely available versions trail by about twelve to eighteen months. Assume a Mythos-class capability is inside a sophisticated adversary’s toolkit by 2027, and assume Washington’s access controls buy some delay rather than prevent the outcome.
Two things belong on the agenda this week. Your security team needs a threat model that assumes attackers can find brand-new vulnerabilities in hours. Your patch cycle for anything customers can reach needs to compress from weeks to hours.
Every company needs a Claw strategy. Do you have one?
Author’s note: This is not a sponsored post. I am the author of this article and it expresses my own opinions. I am not, nor is my company, receiving compensation for it. This work was created with the assistance of various generative AI models.