Anthropic's Mythos AI Breached 'Almost All' NSA Classified Systems in Hours During Red-Team Test, Senator Says

Since the U.S. government barred foreign nationals from accessing Anthropic's Fable 5 and Mythos 5 models on June 12, the underlying reason for that directive has been a matter of public speculation. A quote from a Senate Intelligence Committee briefing, reported by The Economist on June 14 and amplified across social media roughly a week later, now appears to supply that missing context.

Sen. Mark Warner, vice chair of the Senate Intelligence Committee, told The Economist that Gen. Joshua Rudd, director of the NSA and head of U.S. Cyber Command, briefed him on what Mythos did during a security evaluation conducted on June 11, one day before the ban took effect.

"(This tool) broke into almost all of our classified systems, not in weeks, but in hours," Rudd reportedly told Warner, according to The Economist's June 14 report.

What the test actually was

The viral framing that Anthropic's AI "hacked the NSA" is inaccurate. The Economist's original author issued a public clarification on June 21 stating that the breach happened during an authorized, internal red-team exercise. Mythos was not acting autonomously against live NSA infrastructure. It was operating under controlled, simulated environmental conditions, paired with other defensive tools, as part of a deliberate security evaluation.

That distinction matters. A red-team test is how organizations are supposed to find vulnerabilities before adversaries do. Rudd's concern, as relayed by Warner, is that a commercial AI model demonstrated the capability at all, not that Anthropic launched an attack.

What Anthropic says

According to the Tom's Hardware report citing The Economist, Anthropic contends the flagged behavior was a narrow jailbreak, not autonomous offensive intrusion. The company says the incident amounted to asking the model to analyze a codebase and identify fixable issues, which surfaced a handful of minor, already-known bugs.

Anthropic also says the same behavior appears in competing models, specifically naming OpenAI's GPT-5.5. The company adds that when the government issued its June 12 directive, the letter Anthropic received did not specify the underlying concern. Anthropic says it was given only verbal evidence of a "potential narrow, non-universal jailbreak" that could allow Fable 5 to identify software vulnerabilities.

On the access ban itself: Anthropic said it could not practically enforce a nationality-based restriction without pulling both models globally. It disabled them for everyone and says it is working to restore access.

The strongest counterargument

The fairest version of the government's concern is this: even if the behavior was a narrow jailbreak, and even if rival models share the same vulnerability, the June 11 evaluation apparently demonstrated that a commercially available AI could navigate classified NSA systems at a speed and scale no human attacker could match. The argument for treating that as a national security emergency does not require the AI to have been acting maliciously or autonomously. It requires only that the capability exists and that foreign nationals, including some Anthropic employees, had access to the model. If a jailbreak technique can be replicated by any sufficiently motivated actor using a publicly accessible tool, the government's move to restrict foreign access while the situation was assessed is a defensible precautionary step, not an overreach.

A genuinely new kind of export control

The June 12 directive was the first time the United States applied export controls directly to an AI model rather than to the chips or hardware powering it, according to Tom's Hardware. Every previous technology-export control framework targeted physical goods or the means of production. Controlling a software model, especially one already partially deployed globally, opens questions about enforcement that no existing legal framework was built to answer.

Anthropic's decision to disable the models worldwide rather than attempt to enforce nationality-based access reflects how difficult those questions are in practice.

What remains unresolved

Three things are genuinely open as of June 23. First, Anthropic says it is preparing a formal response to the government and working toward restoring access, but no timeline has been announced. Second, the company's claim that GPT-5.5 exhibits the same jailbreak has not been confirmed or denied by OpenAI or by the NSA. If true, it raises the question of why only Anthropic's models were restricted. Third, Gen. Rudd has not made a public statement directly. Everything on the government's side flows through Sen. Warner's account of a private briefing to The Economist. Whether Rudd's characterization of the test and Anthropic's characterization can both be accurate, or whether one side is materially wrong about what happened on June 11, is the factual question that will determine whether the access ban holds.