Anthropic's CEO walked into the White House this week. Not for a policy roundtable or a regulatory chat - for a demonstration of Mythos, an AI model that autonomously hunts software vulnerabilities. The model has already found over 15,000 zero-day exploits across major operating systems and browsers. Civilian agencies want access. The Pentagon, meanwhile, still has Anthropic on a blacklist.
This is not theoretical research. Mythos is scanning production codebases and finding critical flaws faster than human security teams can patch them. The kind of vulnerabilities that, in the wrong hands, could compromise infrastructure, financial systems, or government networks. The White House Chief of Staff took the meeting because this tool changes the maths of national security.
What Mythos Actually Does
Most vulnerability scanners work by checking known patterns - they look for things that have already been exploited. Mythos is different. It reasons about code the way a senior security researcher does, identifying logical flaws and edge cases that have never been documented before. Zero-days. The kind that sell for six figures on grey markets.
The model scans autonomously. No human prompting required for each run. It prioritises based on exploitability and impact, flagging the critical ones first. In testing, it found thousands of vulnerabilities across Windows, macOS, Linux, Chrome, Firefox, and Safari. Some of these flaws had been sitting in production code for years.
For civilian agencies running legacy systems - departments still using software from the early 2000s because migration is expensive - this is a lifeline. Mythos could scan their infrastructure and surface the most dangerous gaps before adversaries do. That's why they want access.
The Pentagon Problem
Here's the complication: the Department of Defence still has Anthropic on an informal blacklist. The reason is murky - it may relate to Anthropic's refusal to build weapons-focused AI, or concerns about the company's Chinese research partnerships, or simply bureaucratic inertia. Either way, while civilian agencies are lining up for Mythos access, the military side of government is shut out.
This creates a strange dynamic. The White House clearly sees the value - you don't get a meeting with the Chief of Staff unless someone senior believes the capability matters. But the Pentagon's reluctance means the tool that could harden military networks is off-limits to the people defending them.
It also raises a bigger question: if Mythos can find 15,000 zero-days, how many have already been found by models we don't know about? China and Russia are not sitting this out. The assumption that Western AI labs have a monopoly on capability is comfortable but increasingly unrealistic.
What Happens Next
The most likely outcome is selective deployment. Civilian agencies - Homeland Security, critical infrastructure departments, possibly the intelligence community - get access under strict operational security rules. The Pentagon continues its freeze until internal politics shift or someone senior overrides the blacklist.
In the meantime, Anthropic has to decide what to do with a tool this powerful. Do they offer it commercially? Do they keep it internal and run scans as a service? Do they share findings with affected vendors before exploits hit the wild? Every choice here has a security implication.
The White House meeting suggests the US government wants a say in those decisions. Not regulatory control - yet - but a seat at the table. The era of AI labs operating as independent actors, building dual-use capabilities without government input, is ending. Mythos is the reason why.
For the rest of us, the signal is clear: AI-driven vulnerability discovery is no longer experimental. It's production-ready, it's fast, and it's about to become a standard part of offensive and defensive security operations. The question isn't whether this tool exists. It's who gets to use it first.