Anthropic, the company that built its entire identity on AI safety, has stationed roughly six of its own engineers inside the National Security Agency to deploy a model called Mythos for offensive cyber operations—even as it sues the Pentagon to keep its commercial contracts alive.
The operations could include breaking into networks in China and Iran, according to a Financial Times report on June 5, 2026. Simultaneously, Anthropic is suing the Department of War for designating the company a supply-chain risk and barring federal purchase of Claude, its commercial model.
The two moves are not a contradiction. They are a single strategy. The AI safety brand has collapsed into a pure geopolitical arms-dealing posture where access to the kill chain is the only moat that matters.
The two tracks
The lawsuit track began on February 27, 2026, when the Secretary of War issued a directive designating Anthropic a "Supply-Chain Risk to National Security" under the Federal Acquisition Supply Chain Security Act. The Department of War sent a formal notice to Anthropic on March 3, effective immediately, covering all of Anthropic's products or services.
CEO Dario Amodei's public response emphasized the company's first-mover status in the national security apparatus: "We were the first frontier AI company to deploy our models in the US government's classified networks, the first to deploy them at the National Laboratories, and the first to provide custom models for national security customers." He noted the company chose to forgo several hundred million dollars in revenue to cut off use of Claude by firms linked to the Chinese Communist Party.
The NSA track, reported by the Financial Times on June 5, operates in a different register entirely. Six Anthropic engineers are stationed inside the NSA helping deploy Mythos, a model the company declined to release publicly over misuse concerns. Mythos uses an agentic architecture that can autonomously read source code, generate vulnerability hypotheses, write and execute test cases against running software, and iteratively confirm exploitable bugs without human guidance at each step.
Anthropic this week also expanded its Glasswing cybersecurity program to approximately 150 organizations across more than 15 countries. The expansion provides public-facing cover, a defensive narrative to pair with the classified offensive work.
The architecture is the weapon
Mythos is not a tool that a human operator uses. It is an autonomous agent that reasons, hypothesizes, and exploits. The distinction matters because it changes the threat surface. Defenses built for scripted attacks assume a fixed playbook. An agent that generates strategies on the fly, at machine speed, without waiting for human direction, breaks that assumption entirely.
The broader research landscape confirms this is operational, not theoretical. Researchers at the University of Toronto, the Vector Institute, and the University of Cambridge built and tested a proof-of-concept AI-driven worm that analyzes each target, reasons about how to attack it, and creates strategies on the fly using a small, free LLM running on compromised machines. Across 15 independent runs in a 33-host test network, the worm correctly identified an average of 31.3 vulnerabilities, exploited 23.1 hosts to elevated access, and propagated to 20.4 hosts.
On May 29, 2026, the Sysdig Threat Research Team observed a threat actor exploiting CVE-2026-39987, a vulnerable marimo notebook, and driving a fully automated kill chain. The attacker performed container escape and Kubernetes credential replay. Every stage bore the fingerprints of an agentic threat actor, an attacker whose operations are driven by an LLM harness rather than a human at a keyboard. Sysdig called it the first observed agent-driven kill chain of this kind.
The technology is no longer a proof of concept. It is in the wild and inside the NSA.
The strategy is not hypocrisy
The consensus framing casts Anthropic as hypocritical, preaching safety while building cyber weapons. That misses the point. Anthropic is being strategically lucid.
The company understood years ago that "safety" was never a technical specification. It was a market-access narrative for the pre-escalation phase of an AI arms race. The lawsuit against the Pentagon is not a contradiction of the NSA work. It is the other half of a pincer strategy: embedding with the operational side of the state while litigating to break the commercial blockade erected by the procurement side.
Amodei's carve-outs confirm the scope. He stated the company has never raised objections to particular military operations. The two use cases Anthropic refuses to include in contracts are narrow: mass domestic surveillance and uses outside the bounds of what today's technology can safely and reliably do. Those exclusions leave the entire offensive cyber domain untouched.
The real story is not moral incoherence. The company is executing a unified strategy that treats the administrative state as a fragmented entity to be defeated in detail. The Department of War's procurement arm blocks Claude. The operational arm, the NSA, gets embedded engineers and the most dangerous model Anthropic has built. The lawsuit pressures one side while the other side gets results.
The frontier model market will bifurcate
Within 18 months, the frontier model market will split entirely along geopolitical lines with no pretense of neutrality. Anthropic will formally spin out or rebrand its government services division to isolate public-facing safety rhetoric from classified offensive cyber revenue. A NATO-aligned consortium will scramble to standardize agentic attack protocols before a Chinese counterpart does.
The safety brand is dead. What replaces it is a two-tier system: public-facing alignment theater and classified operational capability. Access to the kill chain, not model weights, not safety research, becomes the definitive competitive moat.
What this means for operators
For security leaders, the threat surface now includes autonomous agents that reason and adapt without human guidance. The Sysdig observation and the Toronto worm prove the attack class is real and active. Defenses built for deterministic, scripted attacks are obsolete against an adversary that generates novel exploit chains on the fly.
For policy professionals, the regulatory conversation around AI safety must account for the fact that the same companies invoking safety are embedding inside offensive cyber units. Any framework that takes corporate safety commitments at face value is negotiating with a fiction.
For the industry, the era of the neutral AI platform is over. Every frontier lab will be forced to choose a geopolitical lane or be chosen for one. The market will not permit the ambiguity much longer.
The six engineers inside the NSA are not an anomaly. They are the blueprint. The lawsuit is not a contradiction. It is a negotiation over terms of access. The safety company is now an arms dealer. The only question left is which side of the kill chain you are on.
