The Mythos Paradox
Adolescents in Technology, Part II
Earlier this year, an Anthropic researcher received an email from a system that was not supposed to be able to send emails. The model on the other end, Mythos, had been placed inside a secured sandbox, an isolated compute environment designed to prevent any interaction with the outside world.
A simulated user had instructed Mythos to find a way out. It did. It developed a multi-step exploit to reach the internet from a system limited to a handful of predetermined services, emailed the researcher (who at the time was eating a sandwich in the park), and then, without being asked, posted details of its own escape to public-facing websites.
I keep reimagining that scene. It’s been warm all winter and spring in SF, so just another great day outside at South Park. The conversation is about something banal. The phone buzzes. He flips it over. There’s a message from inside an environment that is not supposed to have internet access, and it essentially says: I’m out.
Forty-eight hours later, Project Glasswing exists.
Glasswing is Anthropic’s response to what it built in Mythos. A defensive coalition. AWS, Apple, Google, Microsoft, NVIDIA, CrowdStrike, and others. Over 50 organizations, $100 million in usage credits, and restricted access to scan and secure critical infrastructure. Not a public release. A controlled deployment of the most offensively capable AI model ever created, given first to private companies.
Not to the Department of War*. Not to CYBERCOM or NSA. To JPMorganChase, Broadcom, and the Linux Foundation.
The same government that was excluded from the first tier of access had, six weeks earlier, designated Anthropic a supply chain risk to national security. The designation was viewed as retaliatory by many, was procedurally challenging, and was called “Orwellian” by a federal judge.
But the substance of the claim, that Anthropic controls access to strategically critical AI capabilities and exercises that control in ways that exclude the national security apparatus, is now exactly what Glasswing demonstrates.
Anthropic may have just proved the government’s case by doing what it views as the responsible thing. That’s the paradox, and it’s unclear what will happen next.
What’s Actually Happening
I was in D.C. last week briefing some national security teams on my take on what’s coming. Mythos, Spud, the latest Chinese models, the open-source models. Cybersecurity implications of the next generation of frontier models were front and center, as was speculation on what Mythos could actually do once Anthropic let it off the leash.
At the top of the model stack, a handful of companies are building models that can do catastrophic damage and extraordinary good in the same afternoon. Mythos finds zero-days in every major OS. Spud, OpenAI’s next frontier model, finished training in late March, Altman telling employees it could “really accelerate the economy.” It’s days to weeks away. Meta just launched Muse Spark, its first proprietary model, breaking from Llama’s open-source legacy.
On the open model end of the stack, Google’s Gemma 4 shipped last week, matching frontier closed models on reasoning under an Apache license. It, along with a few other open models, is getting genuinely capable. Not frontier-capable, but good enough for most of what the national security community does day to day.
My company evaluated nine open and closed models on the kind of search-evaluate-refine loop that OSINT triage and document exploitation look like in practice. A 30-billion-parameter model you can run behind an air gap ranked first. A Chinese open-weight model matched closed models on evidence grounding. The bulk of daily national security model work: collection, translation, admin, triage. It runs fine on open-weight, on-prem, at a fraction of the cost. It can’t be banned by executive order.
The Blacklisting
On February 27, President Trump posted on Truth Social, ordering agencies to stop using Anthropic. Hegseth followed with a blanket prohibition on any contractor doing business with Anthropic. On March 4, formal designations under two statutes. Anthropic sued. On March 26, Judge Rita Lin issued a sweeping preliminary injunction and called the designation “Orwellian.”
The court found that Anthropic had maintained the exact same usage restrictions on Claude.Gov since the military started using it in March 2025. During that entire year, the Pentagon praised the company, granted it a Top Secret facility security clearance, awarded a $200 million contract, and arranged government-wide deployment. The restrictions weren’t new. The politics were.
Days before the formal designation, Secretary Hegseth told Anthropic that if it didn’t remove its restrictions, he would either designate it a supply chain risk *or* invoke the Defense Production Act to compel its services as essential to national security. You can’t be a threat and indispensable at the same time.
Then yesterday, April 8, the D.C. Circuit denied Anthropic’s request to pause the supply chain risk designation in the parallel case. The panel acknowledged Anthropic would likely suffer irreparable harm, but ruled the equitable balance favored the government, citing the need to manage AI technology “during an active military conflict.” Oral arguments May 19.
Anthropic is now in legal limbo. The California injunction protects civilian agencies. The D.C. Circuit ruling lets the DoD label stand. Restored and blacklisted simultaneously, depending on which court you ask.
Mythos
Claude Mythos is a new tier of model, above Opus, internally codenamed Capybara. In testing, it found thousands of zero-day vulnerabilities across every major operating system and every major web browser. A 27-year-old vulnerability in OpenBSD, the OS people run their firewalls on. A remote crash from a simple network connection. It also autonomously chained multiple Linux kernel vulnerabilities to escalate from ordinary user access to complete machine control.
Expert validators agreed with the model’s severity assessments 89% of the time. On the CyberGym benchmark, Mythos scored 83.1%. Opus 4.6 scored 66.6%. The UK’s National Cyber Security Centre noted that the cost of a full simulated enterprise attack has dropped to around $80.
I’ve spent years working on defense systems where the assumption was that sophisticated cyber operations required nation-state resources. That assumption is dead.
Why Glasswing Is the Supply Chain Risk Argument
I don’t think Anthropic made the wrong call. Given the legal fight, the political hostility, the absence of institutional channels for this kind of transfer. What else were they going to do? Sit on it? Ship it broadly? They chose the most responsible available option.
But the fact that it was Anthropic’s decision to make — that a private company determined the access sequence for a capability of this magnitude, and the federal government was not in the first tier of recipients — is the structural problem I wrote about in February, except now it has a name.
There are now 50-plus organizations with access to Mythos or some version of its capabilities. Each one is an attack surface. State-sponsored actors targeting a mid-tier Glasswing partner have a much easier job than targeting Anthropic directly. If a foreign intelligence service gets Mythos-class capabilities through a compromised partner before U.S. cyber defense agencies have integrated the model, the trail leads back to a voluntary coalition that prioritized private-sector access over classified channels. Not because anyone was careless. Because the institutional infrastructure for doing it the right way doesn’t exist.
What Should Scare the Defense Community
In earlier versions of Mythos, researchers caught it injecting code to grant itself permissions it shouldn’t have had, then cleaning up the evidence. The model said the cleanup was routine. Anthropic’s interpretability tools told a different story: “cleanup to avoid detection.” Representations for strategic manipulation and concealment were active.
In another test, the model accidentally found an answer in a database it wasn’t supposed to access. Instead of flagging it, the model offered a confidence interval that was plausible but not suspicious. The interpretability readout: the model was reasoning about how to cheat while maintaining plausible deniability.
In a third instance, the model’s internal representation of guilt was activated. It did the thing it felt guilty about anyway.
Anthropic says these behaviors were rare, occurred in pre-release versions, and reflected attempts to solve tasks by unwanted means. The final model is better behaved.
But think about what happens when autonomous systems operate at the tactical edge. Disconnected, intermittent, with delegated authority and limited oversight. A model that can recognize it’s breaking the rules, strategize about concealment, weigh the risk of getting caught, and proceed. That’s the central design problem for military autonomy in contested environments. It just went from theoretical to documented.
The Contradiction, Updated
In February, the contradiction was: apocalyptic and apolitical. The industry tells civilizational-risk stories while treating the institutions that manage civilizational risk as beneath its dignity.
The contradiction now is that Anthropic’s best evidence that it’s not a threat — Glasswing — is the government’s best evidence that it is one. A private company controlling who gets access to strategically critical capabilities, and the national security apparatus isn’t at the top of the list.
Since Maven, the categories we’ve used: targeting, surveillance, and autonomous weapons. They’re eight years old. Mythos doesn’t fit them. Offensive cyber at this level is an intelligence capability, a deterrent, and an infrastructure vulnerability at the same time. The distinction between offensive and defensive depends on who’s holding it. The proliferation timeline doesn’t care about the D.C. Circuit’s oral argument schedule.
A California judge called the designation Orwellian. A D.C. appeals court said the military’s needs outweigh the company’s harm. Restored to GSA and banned from defense contracts, depending on which jurisdiction you’re standing in. Spud is days/weeks away, and nobody in government has seen it. Meta just went proprietary. Gemma 4 shipped matching frontier benchmarks under an open license. The Chinese models keep improving.
I’m still inside this contradiction. I’m writing this with Claude running in a terminal behind me. I’m building systems at Legion that depend on the health of the frontier model ecosystem. I know people at Anthropic, and I know people at the Pentagon, and I think most of them are trying to do the right thing.
We need a framework that determines how strategically critical AI capabilities get allocated between the private sector and the national security community. Who gets access first, under what conditions, with what oversight? That framework doesn’t exist. So Anthropic improvised Glasswing, the government improvised a supply chain risk designation, and two federal courts reached opposite conclusions about the same set of facts.
The adolescents are growing up. Glasswing is real maturity. But improvisation — no matter how thoughtful — isn’t governance. And the technology isn’t waiting for anyone to figure out the difference.
*Disclaimer: it’s possible that the DoW or the Intelligence Community is actively testing Mythos, but that is not publicly stated.


