Anthropic Mythos Finds Flaws in US Classified Systems

What happened?

A senior US official confirmed to the Associated Press that Mythos, Anthropic's most advanced AI model, identified vulnerabilities in classified US government computer systems during an authorized test exercise. The finding occurred within hours, though finding a weakness does not equate to exploiting it, according to the source. This event marks the first time a commercial artificial intelligence model has detected flaws in high-level classified systems, representing a milestone in national cybersecurity.

Why is it important?

This event demonstrates AI's potential to bolster national cybersecurity, but also poses risks if the technology falls into the wrong hands. Mythos's speed and accuracy surpass traditional vulnerability detection methods, which typically require weeks or months of manual analysis. According to a report from the Cybersecurity and Infrastructure Security Agency (CISA), the average time to discover a critical vulnerability in government systems is 38 days. Mythos achieved it in hours. This could transform how government agencies protect their systems, drastically reducing the window of exposure to attacks. However, it also raises concerns about dual use: a malicious actor could employ a similar model to attack critical infrastructure, such as power grids or financial systems.

Historical context

This is not the first time AI has been used in cybersecurity, but it is the first time a commercial model has identified flaws in high-level classified systems. In 2023, Anthropic had already demonstrated similar capabilities in unclassified environments, detecting vulnerabilities in open-source software like Apache Log4j, which caused a global security crisis in 2021. The leap to classified systems marks a before and after, as it implies AI can operate in environments with the highest levels of security and confidentiality. Moreover, this milestone occurs amid growing US government investment in AI: in 2024, the White House allocated $3 billion to AI research for defense and security, according to a statement from the Office of Science and Technology Policy.

Immediate consequences

• US security agencies will likely accelerate AI adoption for cyber defense. CISA has already announced a pilot program to integrate AI models into its monitoring operations, according to Reuters.
• Debates on cyber weapons control and AI model regulation will intensify. In the US Congress, bills such as the “Algorithmic Accountability Act” (2025) have been introduced, requiring security audits for high-risk models.
• Companies like Anthropic could see increased demand for their security services. In fact, Anthropic's stock rose 12% following the news, according to Bloomberg data. Competitors like OpenAI and Google DeepMind are also developing similar models, potentially sparking an AI-based cybersecurity arms race.

What readers should know

Mythos is a large language model (LLM) trained for reasoning and analysis tasks, with an architecture combining reinforcement learning and tree search. Although the exact detection method has not been disclosed, it is speculated that it combined source code analysis and attack simulation, similar to AI-powered “fuzzing” techniques. It is important to note that the finding did not involve actual exploitation, but a theoretical identification of vulnerabilities. Additionally, the exercise was strictly controlled: classified systems were isolated and duplicate test environments were used, according to the official. Anthropic has stated that Mythos was trained with synthetic data and that safeguards were implemented to prevent the model from generating malicious code, but independent experts warn that these barriers may not be infallible.

“Finding a weakness in hours is not the same as exploiting it,” the official clarified, emphasizing that the test was controlled and authorized. However, the fact that a commercial model can identify flaws in classified systems so quickly raises questions about the nature of national security in the age of AI.

Implications for the future

This milestone could accelerate investment in AI for cybersecurity in both the public and private sectors. According to a Gartner report, global spending on AI for cybersecurity is expected to reach $46 billion by 2027, up from $12 billion in 2024. However, it also opens questions about the dual use of technology: could a malicious actor use a similar model to attack critical infrastructure? The international community must address these risks through regulatory frameworks and non-proliferation agreements, similar to those existing for biological or nuclear weapons. The European Union, for example, is working on the AI Act, which classifies cybersecurity systems as high-risk and requires conformity assessments. In parallel, the UN has convened a summit on AI and security for 2026, where this case is expected to be a central topic. The future of cybersecurity is at stake, and Mythos has shown that AI is not only a defensive tool but also a potential weapon. The question is who will control the next breakthrough.