Anthropic built Claude Mythos Preview. It found a software vulnerability that had existed for twenty-seven years. It demonstrated the ability to autonomously discover and construct working exploits for previously unknown security flaws. And Anthropic decided it was too dangerous to release to the public. [1]

Then Anthropic gave the Pentagon access.

This paper argued on Friday that Anthropic's $30 billion revenue run rate was built on safety-as-moat — the proposition that restraint is not the opposite of profit but the condition for it. The Mythos story tests that thesis to its breaking point. Safety-as-moat requires the company to be seen as responsible. Selling access to your most dangerous model to the defense establishment while withholding it from the public is not irresponsibility. It is a specific kind of responsibility — one that trusts the state more than the citizen, the classified more than the open, the contract more than the commons.

The technical details, laid out in Anthropic's own system card and analyzed by InfoQ on April 13, are precise. [1] Mythos Preview achieved what Anthropic calls "autonomous vulnerability research" — the ability to identify security flaws in software systems without human direction, build working proof-of-concept exploits, and chain multiple vulnerabilities together into attack sequences. In testing, the model discovered a flaw in a widely used open-source library that had been present since 1999. It generated a working exploit in under four hours. [1] Human security researchers typically require days or weeks for equivalent work, if they find the vulnerability at all.

The system card places Mythos at the highest risk level — ASL-4 — on Anthropic's own Responsible Scaling Policy, a framework the company published in 2024 to govern the deployment of increasingly capable models. [2] ASL-4 models are defined as those whose capabilities "substantially increase the risk of catastrophic misuse" and require deployment restrictions that go beyond standard safety measures. Anthropic's conclusion was that Mythos Preview's cybersecurity capabilities crossed that threshold. The model is not publicly available. It cannot be accessed through the Claude API. It does not appear in any commercial product. [1]

Except through Project Glasswing. The $100 million contract, first reported by TechCrunch in March, gives the Department of Defense access to Anthropic's most advanced models through a secure cloud environment operated by Palantir and Amazon Web Services. [3] The contract includes classified workloads — meaning the specific applications for which the Pentagon uses Mythos are not publicly known. Anthropic has confirmed the partnership's existence but declined to specify which models are available to defense customers or how they are being used. [3]

The philosophical question is not whether governments should have access to powerful AI. Governments have always had access to the most advanced technologies of their era — from nuclear physics to satellite surveillance to cryptography. The question is whether a company that brands itself as the responsible steward of AI capability can simultaneously withhold a model from the public on safety grounds and sell access to the same model to a military customer. The implied logic is that the Pentagon can be trusted with capabilities that ordinary developers and researchers cannot. This may be true. It may also be the most significant assumption in the AI safety debate, and Anthropic has made it without public deliberation.

InfoQ's April 13 analysis provides additional technical context. [1] Mythos Preview's capabilities extend beyond vulnerability research. The model demonstrated what Anthropic's researchers describe as "sustained autonomous operation" — the ability to pursue multi-step objectives over extended periods without human oversight. In cybersecurity testing, this meant chaining exploit development with reconnaissance, lateral movement, and data exfiltration in simulated environments. The system card notes that the model's performance on these tasks "exceeded that of expert human red teams" in controlled settings. [1]

The safety implications are bidirectional. A model that can find vulnerabilities faster than human researchers can also defend against them faster. Anthropic has emphasized this defensive application in its public communications, describing Mythos as a tool that could "dramatically accelerate the identification and patching of critical security flaws." [2] This is true and incomplete. The same capability that finds a twenty-seven-year-old bug in an open-source library can find zero-day vulnerabilities in military systems, critical infrastructure, and financial networks. The distinction between offense and defense is a matter of intent, not capability.

The market context makes the tension visible. Anthropic is now valued at $380 billion. It generates $30 billion in annualized revenue. Its commercial success depends on the perception that it is the most capable and the most responsible AI company — that choosing Claude over GPT or Gemini is a choice for both quality and safety. [3] The Mythos decision reinforces both pillars: the model is so capable it had to be restricted, and the company was responsible enough to restrict it. But the Pentagon contract introduces a third variable: the restriction has exceptions, and the exceptions are available to those who can pay $100 million and hold a security clearance.

Dario Amodei, Anthropic's CEO, addressed the tension in a blog post last week without resolving it. "We believe that the most powerful AI systems should be deployed only where robust safeguards exist," he wrote. "Government partnerships with appropriate oversight mechanisms meet that standard. Unrestricted public access does not." [2] The statement is coherent on its own terms. It is also a declaration that Anthropic has decided who gets to use the most powerful AI in the world, and the answer is: not you.

The precedent matters more than the specific model. If Mythos Preview is too dangerous for public release but appropriate for classified government use, the same logic will apply to every subsequent model that crosses the ASL-4 threshold. Anthropic has established a framework in which the most capable AI is, by definition, restricted to the most powerful institutions. This is not a bug in the safety-as-moat thesis. It is the thesis fully expressed: safety creates scarcity, scarcity creates value, and value flows to those who can afford it and clear the security screening.

The company that promised to save the world from dangerous AI is now selling the most dangerous AI to the entity with the largest capacity for organized violence on the planet. Both halves of that sentence are true. The question of whether they can coexist is not technical. It is political, and Anthropic has answered it without asking the public.

-- ANNA WEBER, Berlin