Mythos: NSA Reportedly Readies It for Offense as Anthropic Publishes a Misuse Analysis
Two Mythos threads landed this cycle: TechCrunch reports the NSA is said to be readying Anthropic's Mythos for cyber operations despite a federal restriction, while Anthropic published an analysis of 832 accounts banned for malicious cyber activity, mapped to MITRE ATT&CK.
Key Takeaways
|
The same model The CyberSignal has covered on the defensive side — Project Glasswing and Mythos vulnerability discovery — is now in the news on the offensive side, both as a reported government cyber-operations tool and as the subject of its maker's own abuse telemetry.
FORT MEADE, MARYLAND — Two threads involving Anthropic's Mythos model surfaced on June 5, 2026. TechCrunch reports that the National Security Agency is said to be preparing Mythos for use in cyber operations, despite a federal restriction on using the AI maker that followed the Department of Defense designating Anthropic a supply-chain risk; the reporting indicates Anthropic deployed roughly half a dozen engineers to the NSA to help its analysts use the company's frontier cybersecurity model. Separately, Anthropic published an analysis of cyber-related misuse of its systems, examining 832 accounts banned for malicious cyber activity between March 2025 and March 2026 and mapping the observed behavior to the MITRE ATT&CK framework. Coverage from Help Net Security frames the central takeaway as AI helping lower-skill actors carry out more advanced attacks.
The CyberSignal flags this as an editor-sensitive story — it involves an AI vendor, offensive use, and government — and presents both threads factually side by side without editorializing on the policy question. The NSA reporting is single-sourced and carries a 'said to be' hedge that we preserve; Anthropic's misuse analysis is the company's own published research, and its figures are reported as the company's findings.
| Two Mythos Threads | |
|---|---|
| Field | Details |
| NSA thread (TechCrunch) | NSA said to be readying Anthropic's Mythos for use in cyber operations |
| Federal backdrop | A restriction on using Anthropic followed the DoD designating the company a supply-chain risk |
| Vendor involvement | Reporting indicates Anthropic deployed ~half a dozen engineers to the NSA; Anthropic had limited Mythos access over offensive-misuse concerns |
| Anthropic analysis | 832 accounts banned for malicious cyber activity, March 2025-March 2026, mapped to MITRE ATT&CK |
| Malware finding | 560 of 832 accounts (67.3%) used AI to help write malware |
| Lateral-movement finding | 54 of 832 actors (6.5%) used AI to assist with lateral movement |
| Risk trend | Share of actors rated medium-risk or higher rose from 33% to 56% between the first and second halves of the year |
| Framework gap | The highest-risk behaviors (AI orchestrating attack steps, real-time decisions, autonomous execution) are not yet captured as techniques in MITRE ATT&CK |
What Happened
On the first thread, TechCrunch reports that the NSA is preparing Anthropic's Mythos model for use in cyber operations, despite a federal ban on using the AI maker's technology — a restriction that followed the Department of Defense designating Anthropic a supply-chain risk. According to the reporting, Anthropic deployed around half a dozen engineers to the NSA to help its analysts use the company's frontier cybersecurity model, and the company had previously limited access to Mythos out of concern that its cybersecurity capabilities could be exploited to discover security flaws and carry out attacks. The CyberSignal notes that this thread is single-sourced reporting using 'said to be' language, and a prior TechCrunch report in April 2026 had already described the NSA reportedly using Mythos despite the Pentagon dispute; we preserve that hedge rather than presenting the offensive-use preparation as confirmed fact.
On the second thread, Anthropic published an analysis mapping a year of AI-enabled cyber threats to MITRE ATT&CK, the standard catalog of attacker tactics and techniques. The company examined 832 accounts it banned for malicious cyber activity between March 2025 and March 2026. Its key findings: the most common AI-enabled activity related to preparing for an attack, with 560 of the 832 accounts — 67.3% — using AI to help write malware, and 54 actors (6.5%) using AI to assist with lateral movement inside compromised networks. The share of actors rated medium-risk or higher rose from 33% to 56% between the first and second halves of the year. Notably, Anthropic observed that many behaviors distinguishing the highest-risk actors — using AI to orchestrate attack steps sequentially, make real-time decisions about what to do next, and execute without human intervention — are not yet represented as attacker techniques in the MITRE ATT&CK framework, a gap the company highlights through what it calls an LLM ATT&CK Navigator.
The Same Model on Both Sides of the Ledger
The reason these two threads belong together is that they place the same model on opposite sides of the cyber ledger in the same week. The CyberSignal has covered Mythos extensively on the defensive side — Anthropic's expansion of Project Glasswing to roughly 150 critical-infrastructure organizations and the milestone where Mythos surfaced more than 10,000 vulnerabilities in a month. Now the same capability appears as a reported government cyber-operations tool and as the subject of its maker's own abuse telemetry. That duality is not a contradiction so much as the defining tension of frontier cybersecurity AI: a system good enough to find vulnerabilities at scale for defenders is, by construction, a system that can be turned toward finding them for offense — which is precisely the concern Anthropic cited in limiting access.
What the Misuse Data Says to Defenders
Set aside the policy questions and Anthropic's misuse analysis carries a concrete operational message: AI is compressing the gap between low-skill and advanced attackers. The finding that two-thirds of banned malicious accounts used AI to help write malware, and that the medium-or-higher-risk share nearly doubled across the year, points to a rising baseline capability for commodity threats. That is the same trajectory The CyberSignal has tracked from the attacker side in the Sophos discovery of an AI-orchestrated lab built to refine EDR-evasion malware, and from the discovery side in the AI-found bugs now shipping as real CVEs in commodity infrastructure. For defenders, the implication is to stop assuming that unsophisticated actors produce unsophisticated attacks.
The Framework Gap Is the Forward-Looking Warning
The most striking detail in Anthropic's analysis is what MITRE ATT&CK does not yet capture. The behaviors that mark the highest-risk actors — AI orchestrating the steps of an intrusion in sequence, making real-time decisions, and executing without a human in the loop — are agentic capabilities that the existing technique catalog was not built to describe. That gap matters because ATT&CK is the shared language defenders use to map coverage; techniques the framework does not name are techniques detection programs are less likely to be measured against. The CyberSignal has tracked the agentic-AI risk thread through coverage of AI coding agents and their failure modes, including the Claude Code GitHub Action flaw and its responsible disclosure. The forward-looking warning is that the frameworks defenders rely on need to evolve to describe autonomous, AI-orchestrated attack behavior before it becomes common.
Scope and Impact
The two threads have very different evidentiary weight, and The CyberSignal treats them accordingly. The NSA thread is single-sourced reporting characterized with 'said to be' language, building on an earlier April report about NSA use of Mythos amid the Pentagon dispute; it describes a reported preparation for offensive use, not a confirmed operational deployment, and the specifics — including the engineer count and the exact nature of the federal restriction — should be read as TechCrunch's reporting rather than established fact. The Anthropic thread is the company's own published research with stated figures and methodology; its scope is the 832 accounts Anthropic itself banned and analyzed, which is a window into misuse of Anthropic's systems specifically rather than a measure of all AI-enabled cyber activity.
The structural significance is the convergence of two trends defenders already track: governments adopting frontier AI for cyber missions, and criminal actors using the same class of models to uplift their operations. Anthropic's data quantifies the second trend with unusual specificity — a near-doubling of medium-or-higher-risk actors in a year — and its framing of capabilities ATT&CK does not yet capture is a signal that the attacker side is moving toward autonomy faster than the defender frameworks describe it. The policy thread, meanwhile, sits at the intersection of vendor terms, federal procurement, and supply-chain designations, which carries compliance and governance implications for organizations watching how government use of frontier models is permitted and restricted.
Items to confirm against primary sources include the sourcing and status of the NSA reporting — which remains single-source and should keep its hedge — and the exact figures and methodology in Anthropic's published analysis, available through the company's own write-up and its ATT&CK Navigator. The CyberSignal does not adjudicate the policy question of whether government offensive use of a frontier model is appropriate; this brief reports the two threads and lands its defender takeaway on the measurable point in Anthropic's data, namely that the attacker skill floor appears to be rising.
Response and Attribution
For security leaders, the actionable implication comes from Anthropic's data rather than the policy debate. Raise the assumed baseline capability of commodity attackers: the evidence that two-thirds of banned malicious accounts used AI for malware development, and that the medium-or-higher-risk share nearly doubled in a year, means a low-skill actor can now field tooling and techniques that previously required more expertise. Plan detections for that compressed gap rather than assuming a long tail of unsophisticated, easily-caught attacks. Use the MITRE ATT&CK mapping in Anthropic's analysis to prioritize coverage against the techniques most often AI-assisted, and treat the agentic behaviors the framework does not yet name as an emerging gap to watch and, where possible, instrument against.
For policy-watchers and governance, risk, and compliance teams, the NSA thread is worth tracking as the government-use-of-frontier-models question intersects with vendor terms and federal restrictions. The reported tension — a federal restriction tied to a supply-chain designation alongside reported preparation to use the model for cyber operations — is the kind of situation that drives procurement and compliance precedent, and organizations evaluating their own use of frontier AI for security work will want to follow how it resolves. The CyberSignal frames this as a development to monitor rather than a settled policy outcome.
On the handling of attribution and sourcing, The CyberSignal is deliberate: the NSA offensive-use thread is single-sourced reporting that we present with its 'said to be' hedge intact and do not treat as confirmed, while Anthropic's misuse analysis is the company's own research whose figures we attribute to it. The two are presented side by side because they illuminate the same underlying reality — frontier cybersecurity AI is consequential on both the defensive and offensive sides — not because they are equally established. The defender value is the concrete, vendor-published data point that the attacker baseline is rising, which holds regardless of how the policy thread develops.
The CyberSignal Analysis
Signal 01 — The Dual-Use Tension Is Now Concrete
Frontier cybersecurity AI has always been dual-use in theory; this week made it concrete, with the same model appearing as a reported government offensive tool and as the subject of its maker's abuse data. That is the inherent tension of building a system powerful enough to find vulnerabilities at scale: the capability does not distinguish between defender and attacker intent. For organizations, the takeaway is not to resolve the policy debate but to internalize that the defensive AI capabilities they are starting to rely on have offensive mirror images — and to plan for adversaries who have access to comparable tooling.
Signal 02 — Plan for a Rising Attacker Baseline
The most useful output of Anthropic's analysis is a number defenders can act on: the share of medium-or-higher-risk actors rose from 33% to 56% in a year, and two-thirds used AI to help write malware. AI is lowering the skill floor, which means the comfortable assumption that unsophisticated actors produce easily-caught attacks is eroding. Detection and response programs should be tuned for a population of commodity attackers operating above their historical capability — better malware, faster iteration, more capable tradecraft from less skilled operators. The baseline is moving, and defenses calibrated to the old baseline will under-detect.
Signal 03 — The Frameworks Need to Catch Up to Agentic Attacks
Anthropic's observation that ATT&CK does not yet capture the highest-risk behaviors — AI orchestrating steps, making real-time decisions, and executing autonomously — is a forward-looking warning to the whole defender community. ATT&CK is the shared map of how coverage is measured, and behaviors it does not name tend to be behaviors programs are not held accountable for detecting. As agentic AI moves from research curiosity to attacker capability, the frameworks, detections, and metrics defenders depend on need to evolve to describe and measure it. Watching that gap — and instrumenting against autonomous attack behavior where possible — is part of staying ahead of the curve rather than behind it.
