The Mythos/NSA Breach Claim: What’s Actually Confirmed

A sourcing breakdown, not a technical exposé because for the headline claim itself, the technical detail mostly doesn’t exist in public yet.

The headline claim, and where it actually comes from

The claim driving this week’s news cycle is one quote, relayed secondhand, in a Senate hearing. On June 11, 2026, Senator Mark Warner (D-VA), vice chair of the Senate Intelligence Committee, told a hearing that General Joshua Rudd, who heads both the NSA and Cyber Command had personally told him that Anthropic’s Mythos model “broke into almost all of our classified systems, not in weeks, but in hours.” The Economist reported the quote on June 14 in a piece about the export-control ban on foreign access to Mythos 5 and Fable 5.

That’s the entire primary record for that specific sentence. There is no published incident report, no CISA or NSA technical bulletin, no vulnerability disclosure, and no independent confirmation of method, scope, or even which “classified systems” were involved. Everything beyond the quote itself, what Mythos actually did, how, and against what is reconstruction, speculation, or amplification.

It’s also worth knowing who’s making the claim. Rudd was confirmed as NSA director and Cyber Command commander on March 10, 2026, in a contested 71–29 vote, after nearly a year without a permanent leader (his predecessor, Gen. Timothy Haugh, was abruptly fired in April 2025). Rudd is a career special-operations officer – Army Ranger, Delta Force commander, multiple JSOC and Iraq/Afghanistan deployments – not a signals-intelligence or cyber career officer, and several senators, including Ron Wyden, opposed his confirmation specifically on the grounds that he lacked direct SIGINT/cyber experience. That doesn’t make his claim false, but it’s relevant context for a statement about a cyber incident made by the agency’s own director: he’s a relatively new appointee in a technical domain that wasn’t his original specialty, testifying about his own agency’s capabilities.

What Anthropic itself has said and what it doesn’t mention

Anthropic published its own statement on the export control directive (anthropic.com/news/fable-mythos-access), and it’s worth reading because it’s the most authoritative document in this story that isn’t filtered through a third party. A few specifics from it:

• Anthropic says it received the directive on June 12 at 5:21 p.m. ET. The order required suspending all access to Fable 5 and Mythos 5 for any foreign national, anywhere including Anthropic’s own foreign employees. Because checking nationality at scale wasn’t practical, Anthropic disabled both models for everyone, worldwide, not just foreign users.
• Anthropic says the directive itself did not specify the national security concern. The company’s own understanding, based on what it says was only a verbal account from the government, is that the trigger was a “potential narrow, non-universal jailbreak” of Fable 5, specifically, a technique that amounts to asking the model to read a specific codebase and identify software flaws in it.
• Anthropic says it reviewed the demonstrated technique and found it surfaced a small number of previously known, relatively simple vulnerabilities – the kind other publicly available models, including OpenAI’s GPT-5.5, can also find, and which working cybersecurity defenders already use such techniques for daily.
• Anthropic says that in the weeks before Fable’s launch, it red-teamed Fable’s safeguards with the U.S. government, the UK AI Security Institute, and outside organizations for thousands of combined hours, and that no tester found a “universal” jailbreak – one that broadly strips all of Fable’s restrictions. The company argues a universal jailbreak is a meaningfully different (and much more serious) finding than the narrow one it says it’s been shown.
• Anthropic explicitly disagrees with the action, calling it disproportionate to a non-universal jailbreak finding on a model already deployed to hundreds of millions of users, and says applying that standard industry-wide would functionally halt all frontier model releases. It frames the episode as “a misunderstanding” and says it is working to restore access.

What’s conspicuous is what Anthropic’s statement does not address: it makes no mention of an NSA classified-systems breach, the Rudd quote, or anything resembling Warner’s account. The company’s entire public framing of the dispute is about a codebase-reading jailbreak technique, not an autonomous intrusion into government networks. That doesn’t mean the Rudd claim is false – Anthropic may not have been told about it, may be deliberately not engaging with it, or the two things may genuinely be unrelated and conflated by outside commentary. But it means the company on the receiving end of the ban is, in its own public account, telling a narrower and less dramatic story than the one built around the Warner/Rudd quote.

A detail that changes the framing, and isn’t itself confirmed

Separate from both the Economist’s reporting and Anthropic’s statement, at least one other outlet describes the Rudd incident as having occurred “in a red-team exercise” meaning the NSA may have been deliberately testing Mythos’s offensive cyber capability against its own infrastructure, with the model succeeding faster and more completely than expected, rather than an external or adversarial breach. That is a materially different story than “an AI broke into the NSA,” which is how most of the social-media amplification (including the framing in widely shared posts about this) presents it.

I want to be precise about the epistemic status of this detail: it does not appear in The Economist’s own account, and I can’t independently verify it. But it’s plausible on its face, the NSA has reportedly been using Mythos operationally (more on that below), which would make a self-directed red-team test a natural thing for the agency to run. If accurate, the alarming fact isn’t “we were attacked,” it’s “our own tool is more capable against our own defenses than we expected” – a different, and arguably more interesting, policy problem than an external compromise. Treat this as an open question until someone with the underlying briefing confirms it on the record.

A second, competing trigger theory: South Korea, not the NSA

Multiple outlets – Korea JoongAng Daily citing the Washington Post, and separately Android Authority citing Wired report a different proximate cause for the export control directive: that U.S. officials grew alarmed after SK Telecom, a South Korean telecom company, gained access to Mythos 5 through Project Glasswing (Anthropic’s controlled-access program, discussed below), and that officials were specifically concerned about SK Telecom’s suspected ties to China. Under this account, the directive is less about a domestic jailbreak or an NSA red-team result and more a foreign-access control problem: Washington worried that a foreign partner’s involvement in Glasswing created a path for Mythos-class capability to reach China indirectly.

This theory and the jailbreak theory aren’t mutually exclusive – both could have contributed, or one could be the real driver with the other serving as the public-facing justification. But it’s a third distinct explanation circulating in serious reporting, and it gets little attention in coverage that’s focused on the Rudd quote. I don’t have a way to adjudicate between these accounts; I’m flagging that there are at least three non-identical stories about what actually triggered the June 12 directive – a jailbreak (Anthropic’s account), an NSA capability shock (the Warner/Rudd account), and a foreign-access/China-proximity concern (the SK Telecom account) and public discussion has mostly collapsed them into one.

Background: what Mythos and Project Glasswing actually are

Some context that’s well-documented and helps explain why any of this is plausible in the first place:

Anthropic announced Claude Mythos Preview on April 7, 2026, as a frontier model with unusually strong offensive cybersecurity capability finding and, in test conditions, autonomously exploiting software vulnerabilities. Rather than release it generally, Anthropic launched Project Glasswing, a controlled-access program. It started with roughly a dozen named partners (reported lists include Amazon, Apple, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, alongside Anthropic itself), grew to roughly 40–50 organizations by April–May, and by mid-June was reported at around 150 partners across 15-plus countries, including continued participation from Google, NVIDIA, Microsoft, and Apple.

Anthropic and outside evaluators made some specific capability claims: the UK AI Security Institute reportedly assessed Mythos as a meaningful step up over prior frontier models on expert-level hacking tasks, and Anthropic said the model had found vulnerabilities in every major operating system and browser it was tested against. Some secondary sources cite a specific benchmark figure (a large jump on a recent math olympiad benchmark) and an autonomous-exploitation success rate on UK AISI’s evaluation; I’m not repeating exact numbers here because they come from blog/guide-style aggregator sites rather than from Anthropic’s own published model card or the UK AISI’s own report, and I haven’t been able to independently verify the figures against a primary document.

One useful illustration of how unreliable the secondary layer of reporting is: different aggregator sites describe Mythos discovering a decades-old zero-day in two different operating systems with two different ages – one citing a 17-year-old flaw in FreeBSD, another citing a 27-year-old flaw in OpenBSD. Both can’t be the specific example Anthropic actually cited (if either is). This is exactly the kind of detail I flagged in the earlier version of this piece as suspect, and the discrepancy is a useful concrete demonstration of why: specific technical “facts” are getting invented or garbled somewhere in the retelling chain, and I have no way to know which version (if any) is accurate, so I’m not asserting either.

The Pentagon relationship: already adversarial before any of this

The NSA’s use of Mythos sits inside a separate, already-contentious relationship between Anthropic and the Department of Defense, which is relevant background for judging how a claim like Rudd’s might be used or interpreted:

• Anthropic signed a roughly $200 million contract with the DoD in July 2025 that contractually barred use of Claude for mass domestic surveillance or fully autonomous weapons systems.
• In January 2026, Defense Secretary Pete Hegseth reportedly issued a memo demanding “any lawful use” language across all DoD AI contracts, effectively asking Anthropic to drop those restrictions. Anthropic refused.
• In late February 2026, the Pentagon designated Anthropic a “Supply-Chain Risk to National Security,” directing contractors to follow suit, and Trump separately ordered federal agencies to phase out Anthropic’s technology over six months.
• Anthropic sued in March 2026 in federal court in San Francisco, calling the designation unprecedented and unlawful and alleging free-speech and due-process violations. That case is reportedly ongoing.
• Despite the designation, Axios reported in April 2026 (citing two sources) that the NSA was using Mythos Preview anyway, primarily to scan its own environments for exploitable vulnerabilities, meaning the same agency whose director would later describe Mythos “breaking in” had reportedly already been actively deploying the model internally for weeks, under a carve-out from its own parent department’s blacklist.
• Around the same time, Anthropic CEO Dario Amodei met with White House Chief of Staff Susie Wiles and Treasury Secretary Scott Bessent; both sides called the meeting productive, and it was followed by signs of a thaw – including, weeks later, the NSA being granted continued access to Mythos Preview even after the broader Mythos 5/Fable 5 shutdown (Bloomberg reported some early Glasswing testers retained preview access despite the June 12 order).

So the institutional relationship behind the Rudd claim is not a simple “outside agency discovers it was hacked” story – it’s two organizations that were already in active legal conflict over Anthropic’s products, while one of them was simultaneously relying on those same products operationally.

Two separate disputes, often conflated

It’s worth keeping two arguments apart, because coverage routinely merges them:

Dispute 1 – How bad was the jailbreak, as Anthropic itself describes it? Per Anthropic’s own statement, the disclosed technique was non-universal, surfaced previously-known minor flaws, and is replicable on other public models. If that’s the complete picture, the proportional response is a patch, not an export ban.

Dispute 2 – Does the jailbreak even matter, separate from how bad this particular one was? Outside security commentators have argued the jailbreak framing misses the point: no model can be guaranteed permanently jailbreak-proof, so the real question is whether the underlying capability ceiling – autonomous offensive cyber action at the level described in Mythos’s own capability claims is something that should be broadly reachable at all, patched or not. Anthropic’s own statement concedes this point in part, acknowledging that “perfect jailbreak resistance is not currently possible for any model provider” and that universal jailbreaks will likely eventually be found for any safeguard system.

The export-control mechanism the administration actually used – a blunt, foreign-access-control tool rather than a narrower request to patch a specific exploit – maps more cleanly onto the second framing (or onto the SK Telecom/foreign-access theory above) than onto “we found one non-universal jailbreak and want it fixed.”

Timeline

• July 2025 – Anthropic signs ~$200M DoD contract with restrictions on surveillance and autonomous-weapons use.
• January 2026 – Hegseth memo reportedly demands DoD contracts drop those restrictions; Anthropic refuses.
• Late February 2026 – Pentagon designates Anthropic a “Supply-Chain Risk”; Trump orders federal phase-out.
• March 10, 2026 – Joshua Rudd confirmed as NSA director / Cyber Command commander, 71–29.
• March 2026 – Anthropic sues over the supply-chain designation.
• April 7, 2026 – Mythos Preview announced; Project Glasswing launched with initial partners.
• April 17–20, 2026 – Amodei meets Wiles and Bessent; Axios reports NSA is using Mythos despite the DoD blacklist.
• June 2, 2026 – Trump signs EO directing NSA/Treasury/CISA to build a classified pre-release benchmarking process within 60 days.
• June 9, 2026 – Fable 5 launches publicly, ahead of that framework being operational.
• June 11, 2026 – Reported Amazon-discovered jailbreak of Fable 5; same day, Warner relays the Rudd quote in committee.
• June 12, 2026, 5:21 p.m. ET – Commerce export control directive arrives; Anthropic disables both models worldwide within hours.
• June 14, 2026 – The Economist publishes the Rudd quote.
• ~June 17–18, 2026 – Ciauri speaks in Seoul, says access should return within days; Korean press ties the order to the SK Telecom/China angle.
• June 19, 2026 – Bloomberg reports some early Glasswing testers retained preview access throughout.
• As of June 21, 2026 – Both models remain offline for general/foreign access; no firm restoration date announced.

What I’m still not including and why

Beyond the FreeBSD/OpenBSD discrepancy above, several other claims are circulating with specific-sounding detail I haven’t been able to trace to a primary source:

• An exact headcount of Anthropic engineers embedded at NSA
• Specific year-over-year adversary-AI-usage statistics attributed to a named threat-intel vendor
• Specific prediction-market odds on when Fable 5 returns

These appear in aggregator or newsletter-style sites rather than reporting that names its sourcing chain, and I’m not repeating them as fact.

Current status

As of June 21, 2026, Mythos 5 and Fable 5 remain disabled for general and foreign access. Ciauri said in Seoul that the company is confident access will return within days, though that statement predates any confirmed agreement and several observers have noted it reflects optimism rather than a guaranteed timeline. Separately, Bloomberg reported that some of Mythos’s earliest Project Glasswing testers never lost access to the preview version, despite the broader shutdown, suggesting the suspension has not been applied uniformly. Anthropic’s Glasswing partner count is now reported around 150 organizations across 15-plus countries.

The bigger structural point

Underneath the breach claim is a real and separate policy story: this is a case of an administration using export controls – usually a tool aimed at foreign adversaries – against an American company’s access to its own product, applied even to its own employees and to close allies. It’s layered on top of an already-adversarial relationship between the company and the Pentagon, a national-security agency that was reportedly using the restricted product anyway under an informal carve-out, and at least three distinct, only partially overlapping explanations for why the ban happened at all. That tangle – a tool simultaneously blacklisted by one part of the government, relied on by another part of it, and now exported-controlled by a third, is the part of this story that’s actually well-documented, and it’ll likely outlast whatever the precise truth of the Rudd quote turns out to be.