Anthropic probes unauthorized access to cybersecurity-focused AI model

Anthropic is actively investigating reports that unauthorized individuals gained access to its cybersecurity-focused AI model, Claude Mythos Preview, through a third-party contractor portal and public web mapping tools. The company emphasized its commitment to security while confirming the incident remains under review.

Anatomy of the Incident: How Access Was Obtained

According to sources familiar with the matter, a small group obtained entry to the model by exploiting a vendor environment linked to Anthropic’s systems. Investigators suspect the group used public internet reconnaissance techniques to pinpoint the model’s location within the company’s infrastructure. While initial reports suggested the group was only experimenting with the model’s capabilities, Anthropic has not yet confirmed the full scope of the access or the group’s intentions.

The investigation follows the model’s recent debut as part of Anthropic’s "Project Glasswing," a limited preview release distributed to a select group of trusted partners. The initial cohort included major technology firms and organizations such as:

• Amazon
• Microsoft
• Apple
• Cisco
• Mozilla

Mozilla, one of the early participants, disclosed that the model assisted in identifying and resolving 271 vulnerabilities in Firefox during testing. The model’s demonstrated ability to analyze code for potential security flaws has attracted interest from financial institutions and government agencies seeking to strengthen their cybersecurity postures.

Capabilities and Industry Skepticism

Claude Mythos Preview has drawn attention for its purported capability to detect security vulnerabilities across operating systems and web browsers. Some cybersecurity experts, however, have expressed reservations about the model’s reliability and potential misuse. Alex Zenla, Chief Technology Officer of cloud security firm Edera, warned that AI-powered cyber threats could evolve into a significant challenge if such tools fall into the wrong hands.

The model’s release coincides with broader discussions about the role of AI in cybersecurity. While defenders leverage AI to identify vulnerabilities, attackers may also adopt these tools to automate exploits. This dual-use nature underscores the need for robust access controls and transparency in AI model deployment.

Broader Implications for AI and Security

The incident highlights the challenges of managing access to cutting-edge AI tools, particularly in enterprise environments where third-party integrations are common. Anthropic’s ongoing review will likely scrutinize its vendor management protocols and the security of its developer-facing portals.

Additionally, the situation unfolds against a backdrop of evolving regulatory scrutiny. The U.S. Department of Defense recently classified Anthropic as a "supply chain risk," though the company has engaged in discussions with the Trump administration to address these concerns. The outcome of these talks could influence Anthopic’s future collaborations with government agencies and contractors.

As AI models become more sophisticated, incidents like this serve as a reminder of the critical balance between innovation and security. Companies must prioritize safeguarding their tools while ensuring responsible access to prevent unintended consequences.