Anthropic's AI security tool Mythos found vulnerabilities across nearly all US classified systems in hours, not weeks — according to Senate testimony.
Senator Mark Warner of Virginia told a congressional hearing this month that NSA chief Joshua Rudd informed him Mythos "broke into almost all of our classified systems, not in weeks, but in hours." A US official later clarified the distinction: Mythos identified the vulnerabilities during a controlled exercise rather than actively exploiting them. That clarification matters, but it doesn't fully soften the finding — a tool that can map classified system weaknesses in an afternoon is its own kind of problem. Anthropic first introduced Mythos in early April and immediately declined to release it publicly, sharing access only with a select group of corporations to help them patch flaws before attackers could use the same capability.
The NSA disclosure puts a government stamp on what private companies have been reporting for weeks. Mozilla said Mythos performed on par with the world's best security researchers and helped ship more than 400 Firefox bug fixes in April alone. Anthropic later said the roughly 50 companies in its early access program collectively found more than 10,000 critical or high-severity vulnerabilities in about two months — with Cloudflare alone logging 2,000 bugs, 400 of them high or critical severity.
The controlled-exercise framing is doing a lot of work here. "Found vulnerabilities" and "broke in" describe meaningfully different threat levels, and Washington has reason to prefer the softer read — but the underlying capability is the same either way.