Anthropic has placed approximately six engineers inside the US National Security Agency to help customize and deploy Claude Mythos for offensive cyber operations, the Financial Times reported on June 5, citing two people familiar with the arrangement. The engineers are working as forward-deployed staff, adapting a model Anthropic has withheld from public release on misuse grounds. One person told the FT the work is aimed at infiltrating networks of named nation-state targets, including China and Iran.
Whether those engineers participate in live offensive operations is not confirmed. The standard contractor arrangement at intelligence agencies keeps model support separate from operational execution, with uniformed personnel conducting active missions. That distinction matters legally and ethically, and Anthropic has not addressed it publicly.
The disclosure arrives at a moment when Anthropic is carrying four simultaneous positions that are each individually coherent but collectively difficult to explain. First, its Institute essay from last week argued for preserving a global AI pause option as a governance safeguard. Second, Project Glasswing, the controlled-distribution program for Mythos, expanded from roughly 50 to 150 organizations on June 2, with the stated rationale that the model requires restricted access to prevent serious misuse. Third, six Anthropic engineers are now inside the NSA working on offensive applications of that same model. Fourth, Anthropic is actively suing the Pentagon over how its models get used in conflict scenarios, and a three-judge federal appeals panel is still weighing whether Defense Secretary Pete Hegseth’s supply-chain-risk designation against the company should stand.
The Pentagon case adds a particular texture. Hegseth branded Anthropic a supply-chain risk in early March, after negotiations collapsed over the company’s request to restrict Claude’s use in domestic surveillance and autonomous weapons systems. Anthropic sued on First Amendment grounds. The department this week told the appeals court it had denied a request to reconsider. A ruling is pending, and President Trump has ordered the Pentagon to remove Claude from its systems by August. The NSA, however, is a component of the Department of Defense. Anthropic is simultaneously in litigation with the department that runs the agency where its engineers are deployed.
Mythos is capable enough to make the stakes concrete. Anthropic’s red team reported in April that the model can find and exploit zero-day vulnerabilities across every major operating system and browser. A full exploit pipeline against a complex Linux target ran in under a day for less than $2,000. Britain’s AI Security Institute, testing independently, found Mythos solved 73% of expert-level tasks that no prior model could complete, and it became the first model to finish a 32-step simulated corporate network attack. Anthropic restricted initial access citing precisely these capabilities.
The Glasswing expansion has added Okta, Samsung, NATO, and the EU’s cybersecurity agency ENISA to that cohort. Partners have collectively surfaced more than 10,000 high or critical-severity vulnerabilities. An internal Anthropic scan of 1,000 open-source projects flagged 23,019 potential issues, with 6,202 rated high or critical. A researcher with early Mythos access told Reuters in May that fears about the model were overstated, noting that vulnerability-hunting AI has been available for “months if not years.” That framing, taken seriously, raises a question the controlled rollout does not resolve: if the capability is not actually rare, then the restriction has determined who holds the access, not whether the access exists.
The company’s defenders frame the NSA work as structurally necessary. “The best way to build a good defence is to build a good attack,” a person close to Anthropic told the FT. That argument has a long history in the security community and is not obviously wrong. But it does not explain the coexistence of the pause-button essay, the controlled-access safety narrative, the offensive deployment, and the active litigation against the department that oversees the NSA.
The IPO filing adds a deadline to the tension. Anthropic filed confidentially for a public offering at a valuation near $1 trillion in the same week as the FT report. Its annualized revenue is tracking toward $50 billion by the end of June, up from $9 billion at the end of 2025. When the S-1 becomes public, it will need to describe the company’s government relationships, its usage policies, and its pending litigation in the same document. Investors asking how the pause-option essay and the NSA embed coexist will get a corporate answer under penalty of securities law.
Implicator (implicator.ai), reporting by Marcus Schuler, published 2026-06-07, citing original Financial Times reporting.
