Pentagon deploys Anthropic’s Mythos for cyber patching while exiting supplier
TL;DR:
- The Pentagon is using Anthropic’s Mythos model to find and patch software vulnerabilities across the US government, even as it continues to execute its plan to remove Anthropic’s products from defence operations in the coming months.
- Defense Department Chief Technology Officer Emil Michael called it a “national security moment” — Mythos has capabilities particular to defensive cyber, but the model’s advantage will be temporary as OpenAI, xAI and Google rivals catch up.
- Anthropic sued the Trump administration in March to reverse a Pentagon supply-chain risk designation that blocked broader deployment.
The deployment is part of “Project Glasswing”, Anthropic’s controlled programme allowing select organisations to use the unreleased Claude Mythos Preview for defensive cybersecurity. Mythos, according to Anthropic, can detect decades-old vulnerabilities in browsers, infrastructure and software at machine speed — the same capability driving a parallel scramble across US banks.
What “deploy while ditching” actually means
This is procurement under contradiction. The DOD has formally declared Anthropic a supply-chain risk and is winding down product use, but is simultaneously paying for access to Mythos because the alternative — leaving known vulnerabilities unpatched at a moment when adversaries can find them just as fast — is judged worse. Michael’s framing is that the capability gap is real but temporary; once OpenAI’s GPT-5.5-Cyber and a likely Google equivalent ship at parity, the Pentagon plans to switch suppliers and complete the Anthropic exit without operational disruption.
UK MoD and AISI parallel
The shape of this story matters far more to UK defence and security buyers than the names involved. The UK AI Security Institute (AISI), the Ministry of Defence and the Cabinet Office all face the same structural decision: how to use frontier models for defensive purposes when those models are produced by a small number of US firms with limited UK government accountability. The Pentagon’s approach — deploy now under tight controls, plan a multi-supplier exit on a fixed timeline — is exactly the playbook UK procurement teams will be modelling against. The NCSC’s 10 questions for AI vulnerability discovery, published last week, already reads like a checklist designed for precisely this scenario.
Looking forward
Watch two markers. First, the timing of OpenAI’s and Google’s parity releases — Anthropic’s temporary advantage in cyber-focused models is exactly what makes the Pentagon dependency uncomfortable, and a credible alternative shifts US government leverage immediately. Second, the outcome of Anthropic’s lawsuit against the blacklisting will set precedent for how AI firms can challenge supply-chain risk designations, with direct relevance to how UK suppliers might contest equivalent UK government decisions in years to come.