CISA, America's top cyber defense agency, has no access to Anthropic's Mythos

Anthropic is marketing its new cybersecurity-focused AI model Mythos as too dangerous for public release, but hasn't even provided the US Cybersecurity and Infrastructure Agency with access to it. This seems bizarre.

On Tuesday, reports appeared that Anthropic had opened an investigation after discovering that a small group of Discord users had gained unauthorized access to Mythos.

This indeed sounds very dangerous since the AI company has been marketing Mythos as one of the most powerful vulnerability-hunting AI models currently being tested. Experts fear Mythos could also empower attackers.

The model's supposed capabilities might, of course, just be part of the hype - Anthropic needs the big and the rich to buy and use its product, and the idea that machines will do a better job than costly human analysts can certainly sound tempting.

Still, the firm deems Mythos too dangerous for public release. It has only provided limited access to more than 40 companies and organizations that are testing and using it to shore up their systems.

The risk is deemed urgent. The US Treasury and the European Central Bank have raised the issue with major banks, and financial analysts in the United Kingdom and Germany have also been examining risks around Mythos.

That's why it's just so bizarre that, according to Axios sources, Anthropic hasn't provided CISA - America's top cyber defense agency tasked with helping to secure those very same banks as well as critical infrastructure - with access to Mythos.

Essentially, the agency has to sit on the outside looking in. Axios sources say that Anthropic only briefed CISA and the US Commerce Department on Mythos' capabilities.

However, unlike CISA, the Commerce Department's Center for AI Standards and Innovation has been testing Mythos - as has the National Security Agency, despite the Department of War having previously declared Anthropic a "supply chain risk."

CISA has been suffering under the second President Donald Trump administration, which has spent the last year reducing capacity at the agency. It now has less money, fewer employees, and other resources.

Still, the decision to cut CISA out must have been Anthropic's, and the company's reasoning is unclear. The fact, at least so far, is that security teams at critical infrastructure organizations have often followed CISA's guidance on dealing with cyber threats.

Of course, Anthropic - still arguing with the Pentagon - might simply be trusting the private sector more since it's not so dependent on constantly shifting political winds.

The Mozilla Foundation, one of the organizations Anthropic shared an early version of Mythos with, said this week that thanks to the AI model, the new release of Firefox 150 includes fixes for 271 vulnerabilities identified during initial evaluation.

"Defenders finally have a chance to win, decisively," the Mozilla Foundation wrote in a blog post ambitiously titled "The zero-days are numbered."