U.S. Clears Claude Mythos 5 for Infrastructure Defenders
Weeks after an export-control directive pulled Claude Mythos 5 offline worldwide, the U.S. government has cleared Anthropic to redeploy its most powerful cyber model — but only to a vetted set of organizations that defend critical infrastructure, and with safeguards attached.
The U.S. government has cleared Anthropic to put Claude Mythos 5 — the model the company once described as a potential "cybersecurity reckoning" — back into the hands of a vetted set of organizations that operate and defend critical infrastructure. The decision, confirmed by Anthropic on June 27, comes barely two weeks after a federal export-control directive forced the company to pull Mythos 5 offline worldwide.
That hold took effect on June 12, when Anthropic suspended both Mythos 5 and the general-use Fable 5 to comply with a directive from the Commerce Department. According to CNN, Commerce Secretary Howard Lutnick has now determined that "appropriate safeguards are in place to permit certain trusted partners to access the Claude Mythos 5 Model," allowing a narrow redeployment rather than a full return to market.
Crucially, access is limited to a "defined set" of U.S. organizations charged with defending critical systems — spanning energy, financial services, healthcare and telecommunications — rather than the open developer market. The model returns through the same channel that has governed it from the start: Project Glasswing, Anthropic's vetted program that had grown to roughly 200 partners, among them government agencies and companies such as Apple, Amazon and Microsoft, before the suspension.
The tight leash reflects just how capable the model is at offensive cybersecurity. In testing detailed by Anthropic's red team, Mythos Preview generated 181 successful exploits against the Firefox JavaScript engine where the prior Opus model managed two, and achieved full control-flow hijack on ten separate, fully patched targets drawn from roughly 7,000 repository entry points. It surfaced a 27-year-old flaw in OpenBSD, a 16-year-old bug in the FFmpeg codec and a 17-year-old remote-code-execution vulnerability in FreeBSD (CVE-2026-4747). Anthropic says more than 99% of the vulnerabilities the model has found remain unpatched — the central reason the company has refused to put it in front of the general public.
For now, the broader restrictions stay in place. There is no public access to Mythos 5, and Fable 5, the first Mythos-class model intended for everyday use, has not yet returned. Anthropic says it is working with the government toward a wider expansion and the eventual reinstatement of Fable 5, but offered no timeline. The company has framed the moment carefully, acknowledging that the transition "may be tumultuous regardless" while arguing that, over the long run, "defense capabilities will dominate."
The episode is a live test of a question the industry has circled for months: whether a model powerful enough to find decades-old zero-days at scale can be released to the defenders who need it without arming the attackers it was built to outpace. Washington's answer, at least this week, is a conditional yes — pointed squarely at the operators keeping the lights, the networks and the payment rails running.
Want AI news before everyone else?
The morning's most important AI stories, straight to your inbox. No fluff.