Anthropic's Cybersecurity Model Raises Questions for U.S. Offensive Operations
Anthropic withheld a powerful AI model over cybersecurity risks and launched Project Glasswing on Tuesday to study how the tool reshapes hacking and defense. The move has prompted discussions within the intelligence community about whether the model could reshape offensive cyber operations against adversaries.
The company unveiled the initiative with partners including Amazon Web Services, Apple, Cisco, Google, and Microsoft. Those participants will gain access to Claude Mythos Preview, an unreleased model that Anthropic says has already uncovered thousands of vulnerabilities in major operating systems and web browsers.
What Intelligence Agencies Are Weighing
Multiple U.S. intelligence agencies are considering how to use the model for both securing critical software and identifying weaknesses in adversary systems, according to people familiar with internal discussions. Anthropic briefed senior officials across the government on Mythos Preview's full capabilities before any external release, including discussions with the Cybersecurity and Infrastructure Security Agency and NIST's Center for AI Standards and Innovation.
Analysts at the National Security Agency have been discussing the Mythos release internally. The model could help identify vulnerabilities that U.S. agencies might exploit in foreign networks - but that same capability in adversary hands poses a significant risk.
"They want secure code and to use AI to find network vulnerabilities as well," said a person familiar with intelligence community thinking.
The Dual-Use Problem
Offensive and defensive cyber operations often depend on the same knowledge. If a U.S. analyst finds a vulnerability in an enemy network using Mythos, that same weakness likely exists in American systems.
"There's going to be a real equity conversation that occurs," said Morgan Adamski, former executive director of U.S. Cyber Command and lead for PwC's Cyber, Data & Technology Risk services. "If we exploit something in an adversarial network, we're going to have to be able to defend against it in our own critical infrastructure."
Cyber executives outside government are alarmed by the scale at which the model identifies vulnerabilities. One executive at a cyber investment firm asked: "How is anyone supposed to defend against all of this at once?"
Hayden Smith, co-founder at Hunted Labs, called the Glasswing announcement "scary and ominous" because it remains unclear how Mythos could be weaponized if it reaches a hostile government. "Even with deep vetting, the odds of Mythos flowing into the wrong hands is barely a hypothetical given the landscape of current attacks on the open source ecosystem," he said.
Open-Source Software at Risk
Much of the internet runs on open-source software maintained by developers worldwide. A model like Mythos could expose weaknesses in code that underpins large portions of the digital ecosystem.
Recent software supply chain incidents have heightened these concerns. A compromise of the Axios JavaScript library disclosed last week demonstrated how vulnerabilities can spread widely. Some developers behind critical open-source projects are affiliated with companies the U.S. government considers tied to foreign adversaries.
Congressional and Industry Response
Sen. Mark Warner, vice chairman of the Senate Intelligence Committee, said the government must act faster. "We are already seeing cyber threat actors using AI tools to improve their capabilities, putting government, businesses and consumers' security and personal information at risk," he said. "As AI dramatically accelerates the discovery of new vulnerabilities, I hope industry will correspondingly accelerate and reprioritize patching."
Gary DePreta, senior vice president of Cisco's U.S. Public Sector Organization, framed the company's participation as part of a broader shift. "We're going from an age of detect-and-respond - and as we automate with AI - to predict-and-prevent threats," he said.
Friction With the Defense Department
Anthropic has drawn friction with the Pentagon over its ethical stance. Earlier this year, the company declined to ease restrictions against its tools being used for domestic surveillance or fully autonomous weapons. The Defense Department designated Anthropic a "supply chain risk" and ordered federal agencies to phase out use of its tools. The company has legally challenged the move.
The Mythos announcement could reshape that relationship. "The government needs to make amends with Anthropic and help them and Glasswing members maintain the American lead on AI by preventing Chinese model theft," said Leah Siskind, an AI research fellow at the Foundation for Defense of Democracies.
Siskind warned that adversaries will not exercise similar restraint. "China is already exploiting U.S. AI models to accelerate its own capabilities, and when they reach Mythos-level performance, they will weaponize it."
Operations professionals managing cybersecurity risks should understand how these tools will reshape threat detection and remediation. Consider exploring AI Learning Path for Cybersecurity Analysts to stay current on AI-driven defense strategies.
Your membership also unlocks:
