AI Security Wire

Anthropic Mythos Found Vulnerabilities in Classified US Government Systems


Update: This article covers new developments from June 23, 2026 regarding Mythos being tested against classified US government infrastructure. For background on Project Glasswing and the broader AI vulnerability research landscape, see our earlier piece: Glasswing and the AI Vulnerability Race.


A US official has confirmed that Anthropic’s Mythos model identified vulnerabilities in classified US government infrastructure during a controlled red-team exercise. The disclosure, reported first by the Associated Press and confirmed by multiple outlets on 23 June 2026, marks the clearest public acknowledgement to date that frontier AI models are being actively tested against the most sensitive government networks, and that they are finding things.

What Happened

The testing was conducted through Project Glasswing, Anthropic’s controlled-access programme that makes Mythos available to vetted partners rather than through general release. US intelligence agencies joined the exercise alongside NSA, Cyber Command, the Senate Intelligence Committee, the UK’s AI Security Institute, and CISA.

Mythos surfaced vulnerabilities in the classified environments within hours. The official was careful to note that identifying a vulnerability is not the same as being able to exploit it within the same timeframe, a technically accurate distinction that does not diminish the significance of the finding. The model was pointed at some of the most hardened, scrutinised, and presumably well-resourced infrastructure in the world, and it found holes.

The specific vulnerabilities remain classified. Previous Glasswing evaluations outside government environments found thousands of zero-days across major operating systems and browsers, including a 27-year-old bug in OpenBSD that manual audits had not surfaced in nearly three decades.

The Policy Contradiction

The disclosure lands in the middle of a pointed contradiction. The same administration that had intelligence agencies run Mythos against classified infrastructure also issued a directive restricting foreign nationals from accessing Fable 5 and Mythos 5, Anthropic’s most capable models. The restriction was framed as a national security measure. Anthropic has separately raised its own concerns about how the US military intends to use its AI, creating a situation where both parties have reservations about the other’s intentions while collaborating on some of the most sensitive security work either is doing.

This is not purely bureaucratic incoherence. It reflects a genuine tension that defensive AI capability creates: a model capable of finding vulnerabilities in classified infrastructure is, by definition, a dual-use asset. The same capability that makes Mythos useful for hardening government networks makes its unrestricted availability a risk.

Why This Matters for AI Security

The classified systems test is significant for a few reasons beyond the policy drama.

First, it confirms that the use of frontier AI for red-teaming has moved from a research context to active deployment against real classified infrastructure. This was anticipated, but the public confirmation changes the baseline. Security teams assessing AI-assisted red-teaming should now treat “AI will find things your current programme misses” as a validated operational reality, not a vendor claim.

Second, the hours timeframe is notable. Project Glasswing’s earlier work found thousands of zero-days in open production software over a month of automated analysis. Against classified government systems, presumably with some access constraints, Mythos surfaced findings within hours. The speed advantage of AI vulnerability analysis over human-led testing is not marginal.

Third, the testing framework itself is instructive. Project Glasswing was designed specifically to channel the model’s capabilities into controlled defensive research. The access controls, vetting requirements, and oversight structures in Glasswing represent one model for how organisations should think about deploying AI red-teaming tools: not as open utilities but as controlled instruments with defined scope and authorised targets.

Implications for Defenders

For enterprise security teams, the government test validates the offensive case for AI-assisted vulnerability discovery. The defensive case follows directly: if a frontier model can find vulnerabilities in classified government systems within hours, the same capability can be turned toward finding vulnerabilities in your environment before attackers do.

The barriers are real. Access to Mythos and comparable frontier models for security research remains controlled and expensive. But the capability is no longer speculative. Several vendors are now offering AI-assisted penetration testing that draws on similar techniques at more accessible price points, with varying degrees of rigour.

The harder question the government test surfaces is about patch prioritisation in the AI-acceleration era. When adversaries have access to similar tooling, the gap between vulnerability discovery and exploitation shrinks. The 24-hour exploitation window that Mandiant’s 2026 data documents for disclosed CVEs is a consequence of exactly this dynamic. A model that can find vulnerabilities in hours compresses that window further for zero-days that never enter the public disclosure queue.

What to Watch

The immediate follow-on questions are whether Anthropic publishes a sanitised account of what Glasswing found in the government tests, how the administration resolves its contradictory posture toward Anthropic’s most capable models, and whether the UK AI Security Institute’s participation in the exercise translates into any public guidance on AI-assisted red-teaming.

The longer-term question is whether “vetted access to frontier AI for government security testing” becomes a formalised programme with published methodology, or remains a series of ad hoc engagements with outcomes that stay classified. The answer shapes how the broader security community gets to learn from what Mythos finds.

Frequently Asked Questions

What did Mythos actually find in the classified systems test?

The specifics remain classified. A US official told the Associated Press that the model surfaced vulnerabilities in highly sensitive networks within hours. The official clarified that identifying flaws is different from being able to exploit them within the same timeframe. Earlier evaluations outside the classified environment found thousands of zero-days across major operating systems and browsers, including a 27-year-old bug in OpenBSD.

What is Project Glasswing and how does the government testing relate to it?

Project Glasswing is Anthropic's controlled-access programme that provides Mythos to vetted organisations, including US intelligence agencies, for security research. The classified government red-team exercise occurred within this framework, with NSA, Cyber Command, the Senate Intelligence Committee, the UK AI Security Institute, and CISA all participating in various capacities. The programme operates under strict access controls specifically because of the model's demonstrated vulnerability-finding capabilities.

Why did the administration restrict Mythos after testing it against government systems?

The Trump administration issued a directive requiring Anthropic to prevent foreign nationals from accessing Fable 5 and Mythos 5, citing national security concerns. This created a contradiction: the same administration that had intelligence agencies test the model against classified infrastructure also moved to restrict its availability. Anthropic has separately raised concerns about how the US military intends to use its AI models, adding another layer of tension to the government-Anthropic relationship.