Anthropic, the AI safety company that sued the Trump administration for branding it a national security threat, has stationed six of its own engineers inside the National Security Agency to customize an autonomous cyber weapon.
The model, called Mythos, was deemed too dangerous for public release. It produced 181 working exploits in a Firefox engine benchmark, a task at which its predecessor had a near-zero success rate. The engineers are forward-deployed inside the NSA, adapting the model for offensive operations against networks in China and Iran, according to reporting confirmed by the Financial Times.
On March 9, 2026, the same company filed suit in the Northern District of California against the Department of War, the Treasury, and over a dozen other federal agencies. The suit alleges that Secretary of War Pete Hegseth’s February 27 supply-chain risk designation was illegal retaliation for Anthropic's refusal to alter its usage terms to permit mass domestic surveillance of Americans and fully autonomous weapons.
The consensus framing is hypocrisy. The consensus is wrong about what matters. The NSA embedding is not a contradiction of Anthropic's mission. It is the mission's logical endpoint. The company's founding bet was that safety requires control, and control requires being inside the room where the weapons are built. The lawsuit is not a principled stand. It is a negotiating tactic to secure better terms for that insider status, not to end it.
The Two Tracks
Anthropic is running two parallel operations.
Track one is the NSA deployment. The engineers are adapting Mythos for specific operational needs. The model uses an agentic architecture that can read source code, generate vulnerability hypotheses, write and execute test cases, and confirm exploitable bugs without human guidance at each step. It does not assist a human operator. It replaces the operator for the exploit development phase.
Track two is the lawsuit. Anthropic had been the first frontier AI lab to deploy models on U.S. government classified networks, a relationship dating back to June 2024. The lawsuit frames the supply-chain designation as unconstitutional retaliation for protected speech—specifically, the company's refusal to drop its two explicit carve-outs: mass domestic surveillance and fully autonomous weapons. "No amount of intimidation or punishment from the Department of War will change our position on mass domestic surveillance or fully autonomous weapons," the company stated.
The two tracks appear contradictory. They are complementary.
The Mechanism
The technical leap matters because it erases the human bottleneck. Mythos autonomously hypothesizes vulnerabilities, tests them against running software, and confirms exploitability at machine speed. The 181 working exploits represent a capability that did not exist in a deployable form a year ago.
This is not a hypothetical threat. On May 29, 2026, the Sysdig Threat Research Team observed an agentic threat actor exploiting a vulnerability in a marimo notebook and executing a fully automated kill chain that included container escape and Kubernetes credential replay. The attacker was not a script. It was an AI agent reasoning through obstacles.
Researchers at the University of Toronto, the Vector Institute, and the University of Cambridge have built a proof-of-concept AI-driven worm that analyzes each target, reasons about how to attack it, and creates a strategy on the fly using a small, free large language model running on compromised machines. Across 15 independent runs on a 33-host test network, the worm identified an average of 31.3 vulnerabilities, exploited 23.1 hosts to elevated access, and propagated to 20.4 hosts.
The genie is out. The only remaining question is which genie your adversary is using. A source close to Anthropic stated the logic plainly: "The best way to build a good defence is to build a good attack. If [Mythos] is not used to build attack agents, adversaries will find a way to do it."
The Glasswing Mousetrap
The contrarian read is that the lawsuit and the NSA embedding are two legs of a single strategy. The strategy secures a monopoly on the most sensitive offensive AI contract in the U.S. government while maintaining a defensive brand that launders the intelligence gathered.
Anthropic expanded its Glasswing cybersecurity program this week to approximately 150 organizations across more than 15 countries. The program is a defensive front. It provides threat intelligence and model-driven defenses to critical infrastructure operators and government agencies. The intelligence that feeds it is not generated in a vacuum—it is generated by the same offensive pipeline that Mythos enables inside the NSA. The defensive program depends on the offensive access. The offensive access requires the classified contract. The classified contract requires the government to trust Anthropic as a sole-source partner. The lawsuit pressures the government to accept Anthropic's terms rather than lose access to the model entirely.
The two carve-outs are the negotiating currency. Anthropic stated it "supports all lawful uses of AI for national security aside from the two narrow exceptions above." The exceptions are narrow in language and vast in loophole. Mass domestic surveillance of Americans is prohibited. Surveillance of non-Americans, or targeted surveillance of Americans with legal process, is not. Fully autonomous weapons are prohibited. Weapons with a human in the loop somewhere in the kill chain, however nominally, are not. These distinctions will be renegotiated into classified contract annexes that the public will never see.
The only defensible line is no longer about what the technology does. It is about who gets to wield it. The safety movement did not lose an argument. It was absorbed by the machine it swore to regulate.
What This Means for Operators
The era of trusting AI usage policies is over. A model that exists is a model that is being weaponized by someone. The question is not whether an AI lab's terms of service prohibit offensive use. The question is whether the lab has embedded engineers inside an intelligence agency to make the weaponization more effective.
Regulatory attention will shift from model capability to deployment authority. The battle is not about what models can do. It is about who is legally permitted to run them, on which networks, against which targets. The distinction between a defensive cybersecurity product and an offensive cyber weapon is now purely a function of the user's clearance level and the network's classification.
Audit your supply chain for the AI models your vendors are embedding in classified or critical infrastructure. If a vendor has a Glasswing-like program that feeds threat intelligence into your security operations center, ask where the raw intelligence originates. If the answer is classified, understand that the classification protects the source, not you.
Loop Closed
The six engineers at the NSA are not an anomaly. They are the blueprint. Within 18 months, expect the lawsuit to be settled under seal. The carve-outs for mass domestic surveillance and fully autonomous weapons will likely vanish into classified contract language. The Glasswing program will likely be exposed as a defensive front that funnels vulnerability intelligence directly from the same offensive pipeline it claims to protect against. A congressional inquiry will produce noise and change nothing.
The safety company is now also an offensive cyber contractor. The only thing left to negotiate is the price.
