NSA Deploys Anthropic’s Forbidden Mythos AI to Expose Microsoft Vulnerabilities Amid Pentagon Clash

The NSA tests Anthropic's restricted Mythos AI on Microsoft software, impressed by its rapid vulnerability detection, even as the Pentagon sues over supply-chain risks. Thousands of zero-days found across OSes highlight AI's dual cyber edge.
Written by Ava Callegari

The National Security Agency has turned to Anthropic PBC’s Mythos AI model to hunt cybersecurity flaws in Microsoft Corp. products and other major software. Officials from the agency’s cybersecurity directorate tested the tool’s prowess. They came away impressed by its speed and efficiency. Bloomberg broke the story on April 30, 2026, citing a U.S. official and another person familiar with the matter, both speaking anonymously because they lacked public authorization.

Mythos isn’t your average language model. Anthropic calls it a general-purpose frontier model with agentic coding skills that outpace all but elite human hackers. In weeks of testing, it uncovered thousands of zero-day vulnerabilities—flaws unknown to developers—in every major operating system and web browser. Think OpenBSD’s 27-year-old remote crash bug. Or FFmpeg’s 16-year-old video-processing weakness, missed by five million automated scans. Linux kernel chains leading to full machine control. Anthropic reported these. Patches followed. Yet over 99% lingered unpatched at announcement. Anthropic’s Project Glasswing page details the haul.

Mythos in the Shadows of Government Tension

But here’s the twist. The Pentagon, NSA’s overseer, branded Anthropic a “supply chain risk” in February 2026. Why? The AI startup refused unrestricted access to its models for mass surveillance or autonomous weapons. Contract talks soured. DoD sued in federal court to sever ties. A judge blocked the move; appeals drag on. Still, NSA runs Mythos on classified networks. Two sources told Axios as much. One said usage spreads wider in the department. TechCrunch confirmed NSA scans environments for exploits, despite the feud.

Anthropic restricts Mythos to 40-odd vetted groups via Project Glasswing. Launch partners include Microsoft, Apple, Google, AWS, CrowdStrike, Cisco, NVIDIA, Palo Alto Networks, Broadcom, JPMorgan Chase and the Linux Foundation. They scan proprietary and open-source code defensively. Microsoft weaves it into its Security Development Lifecycle for early flaw detection. The Information first flagged NSA’s Microsoft focus. No public word on what bugs surfaced there. Pricing post-preview: $25 per million input tokens, $125 per million output tokens.

Speed thrills NSA testers. What took human pentesters months, Mythos does in hours—or minutes. Benchmarks back it: 83.1% on CyberGym vulnerability reproduction, crushing prior models. 77.8% on SWE-bench Pro coding tasks. Yet false positives loom. Security pros must verify floods of alerts. Bruce Schneier flagged this in The Hacker News. Anthropic pledges safeguards, like output blocks on dangerous code, plus a Cyber Verification Program.

And the irony bites. DoD litigates against Anthropic as a threat. NSA deploys its crown jewel for national defense. Anthropic CEO Dario Amodei met White House Chief of Staff Susie Wiles and Treasury Secretary Scott Bessent on April 17. Productive talks on security practices, per Axios. U.K.’s AI Safety Institute got access too.

AI Arms Race Reshapes Cyber Defenses

Mythos signals a pivot. AI collapses discovery-to-exploit timelines. Adversaries—state or criminal—will wield similar tools soon. Anthropic warns: without safeguards, attacks multiply, devastating economies and security. Project Glasswing counters with defense-first access, $100 million in credits, $4 million to open-source funds. Cisco’s Anthony Grieco called it urgent. Microsoft’s Igor Tsyganskiy praised risk mitigation. Google’s Heather Adkins pushed industry collaboration.

NSA benchmarks Mythos against its own tools. Wins in efficiency. But classified details stay locked. Public fears grow. Fox News noted 2,000 bugs in seven weeks. CBS highlighted universal reach. X buzz—from Techmeme to analysts—echoes the split: boon or bomb?

Governments scramble. Singapore mandates prep. U.S. Treasury briefs banks. Anthropic eyes scaled safeguards with next Claude Opus. For now, Mythos patrols the code shadows. Microsoft patches quietly. NSA sharpens its edge. The cyber frontier just got AI-armed.
