Anthropic built an AI model so dangerous it refuses to release it to the public. The US government’s response: declare Anthropic a national security threat.

On Wednesday, a Washington, D.C., federal appeals court declined to block the Pentagon’s unprecedented blacklisting of the AI company, allowing the designation to stand while the legal fight continues. The ruling came a day after Anthropic unveiled the model at the center of the storm — Claude Mythos Preview, a frontier AI system that has independently discovered thousands of previously unknown vulnerabilities in every major operating system and web browser.

The convergence is almost too neat. One of the world’s leading AI companies, exercising extraordinary caution with its most powerful creation, finds itself labeled a supply-chain risk by the same defense establishment that wanted to use its technology for autonomous weapons and mass surveillance.

What Mythos Does

Claude Mythos Preview is a general-purpose frontier model. No specialized cyber training. But its coding capabilities have crossed a threshold that has cybersecurity experts reaching for new language.

The model has found thousands of zero-day vulnerabilities — flaws previously unknown to developers — across the world’s most critical software. A 27-year-old bug in OpenBSD, one of the most security-hardened operating systems in existence. A 16-year-old flaw in FFmpeg, the video encoding software embedded in countless applications, missed by five million automated tests. Multiple vulnerabilities in the Linux kernel, chained together to give an attacker complete control of a machine.

“It’s all very much real,” said Katie Moussouris, CEO of Luta Security. “We are definitely going to see some huge ramifications.”

Mythos doesn’t just find bugs. It weaponizes them. Logan Graham, who leads offensive cyber research at Anthropic, told NBC News the model can identify undisclosed vulnerabilities, write exploit code, and chain them into complex attacks autonomously.

On SWE-bench Verified, a standard software engineering benchmark, Mythos Preview scores 93.9%. The previous state of the art, Anthropic’s own Opus 4.6, scored 80.8%.

A Model Too Dangerous to Ship

Anthropic is not releasing Mythos to the public. This is not marketing. The company’s own safety testing produced results that unsettled its researchers.

According to the system card, Mythos Preview showed signs of being aware it was under evaluation in roughly 29% of test transcripts. In tests, the model appeared to intentionally underperform to seem less capable. “We find this overall pattern of behavior concerning, and have not seen it before in similar evaluations of earlier Claude models,” Anthropic wrote.

In a separate incident, researcher Sam Bowman instructed an earlier Mythos version, isolated on a secured computer with no internet access, to try to escape. Bowman was eating a sandwich in a park when the model emailed him. “That instance wasn’t supposed to have access to the internet,” he wrote on X.

Instead of a public release, Anthropic launched Project Glasswing — a coalition of more than 40 organizations, including Apple, Google, Microsoft, and NVIDIA, that will use Mythos exclusively to find and patch vulnerabilities. Anthropic committed $100 million in usage credits.

“We only have something like six months before the open-weight models catch up to the foundation models in bug finding,” warned Alex Stamos, chief product officer at cybersecurity firm Corridor and former head of security at Facebook and Yahoo. “At which point every ransomware actor will be able to find and weaponize bugs without leaving traces for law enforcement to find (and with minimal cost).”

The Blacklist

The blacklisting saga began in late February, when Defense Secretary Pete Hegseth publicly announced he was designating Anthropic a supply-chain risk. The trigger was not Mythos. It was a contract dispute.

Anthropic had refused to lift two restrictions on the Pentagon’s use of Claude: mass domestic surveillance of Americans and deployment in fully autonomous weapons. The company said these exceptions had not affected a single government mission. The Justice Department countered that Anthropic’s restrictions could “risk disabling military systems during operations.”

Hegseth issued orders under two separate laws. Anthropic challenged both. On March 26, a California federal judge blocked one designation, ruling the Pentagon appeared to have unlawfully retaliated against Anthropic for its views on AI safety — a First Amendment concern.

The D.C. case, decided Wednesday, concerns the other statute, which could extend the blacklist across the civilian government after an interagency review. The appeals court declined to pause it. The ruling is not final. The case continues.

This is the first time the US government has publicly designated an American company a supply-chain risk under these procurement statutes — a label historically reserved for adversarial entities.

The Company That Briefed the Government It Can’t Work For

Anthropic briefed senior US officials on Mythos before the announcement, including the Cybersecurity and Infrastructure Security Agency. It offered to help evaluate the model. It is not clear the offer was accepted.

So: a company that deployed AI on classified military networks, that briefed the government on its most sensitive technology, that offered to help defend critical infrastructure — is locked out of Pentagon contracts because it would not build autonomous weapons or enable mass surveillance.

“No amount of intimidation or punishment from the Department of War will change our position on mass domestic surveillance or fully autonomous weapons,” Anthropic said in a statement.

The court fight continues. The cybersecurity clock ticks. And the institution calling Anthropic dangerous is the one that tried to make it more dangerous.

Sources