Claude Mythos Found a 27-Year-Old Vulnerability — Then the White House Stepped In: 4 Things You Need to Know
Mythos found a vulnerability that survived 27 years of human review. Now the White House is controlling who can access it. Here's the full story.
A 27-Year-Old Bug, 50 Organizations, and a White House Veto
Claude Mythos found a vulnerability in OpenBSD that had survived 27 years of human review. Then the White House blocked Anthropic from expanding Mythos access from 50 to 120 organizations. Those two facts, sitting next to each other, tell you most of what you need to know about where AI and national security policy are colliding right now.
You don’t need to be a security researcher to feel the weight of that first number. Twenty-seven years. OpenBSD is one of the most security-focused operating systems ever built — its developers have been auditing code for decades, and the project has a long-standing reputation for catching exactly this kind of thing. Mythos found something they missed. That’s not a marketing claim. That’s a result.
Here are 4 things buried in this story that matter for anyone building with or around frontier AI.
The Vulnerability That Spooked the Fed
The OpenBSD finding wasn’t a one-off curiosity. It was part of a broader pattern that started making serious institutions nervous.
When Anthropic first began giving Mythos access to a limited set of organizations — roughly 50 at that point — the reactions weren’t the kind you’d expect from a product launch. The Federal Reserve reportedly held an emergency meeting. Banks that got access came away spooked. These aren’t organizations that scare easily, and they’re not on Anthropic’s PR team. They saw what the model could do and took it seriously.
Other agents start typing. Remy starts asking.
Scoping, trade-offs, edge cases — the real work. Before a line of code.
The OpenBSD bug is the sharpest illustration of why. A 27-year-old vulnerability means this wasn’t a recently introduced flaw sitting in some poorly-maintained codebase. It was baked into software that has been reviewed, audited, and depended on by security-conscious engineers for nearly three decades. Mythos found it. That changes the calculus on what “secure” means.
For context on where Mythos sits in Anthropic’s model hierarchy: it’s above Opus, which has been the largest class of model the public has had access to. Mythos represents a new tier entirely, with compute requirements that make it impractical for most everyday use cases. It’s not a faster Sonnet. It’s something different in kind. If you’re thinking about what this means for code-level security work specifically, Remy is worth understanding — it’s MindStudio’s spec-driven full-stack app compiler that takes a markdown spec with annotations and compiles it into a complete TypeScript app, including backend, database, auth, and deployment. As Mythos-class models get integrated into compilation pipelines, the surface area for automated vulnerability detection at the spec level becomes a real design question.
How the White House Ended Up Running an Informal Licensing Regime
Anthropic wanted to add 70 more organizations to its Mythos access list, bringing the total to 120. The Wall Street Journal reported that the White House said no.
The stated reasons are worth examining carefully, because they reveal something about how AI governance is actually happening — not in legislation, but in phone calls and access lists.
The first reason was national security. Wider access to a model capable of finding decades-old vulnerabilities in critical software creates obvious offensive risk. That argument is coherent, even if you disagree with where the line gets drawn.
The second reason is more interesting: the White House reportedly expressed concern that Anthropic might not have enough compute to serve both the expanded list of organizations and the federal government. The implication being that if Mythos demand scales faster than available infrastructure, the government doesn’t want to be standing in line behind 70 additional companies.
Anthropic disputes that compute is the limiting factor. They’ve recently signed new deals with Amazon, Google, and Broadcom. But those buildouts take time to come online, and there’s been persistent talk that Anthropic miscalculated how much compute it would need. The compute shortage is real and has been tightening Claude’s availability in ways that affect ordinary users, not just government clients.
What’s striking about the White House intervention is what it isn’t. There’s no law. No formal licensing framework. No legislative body that voted on this. No published criteria for which organizations qualify. The government is effectively deciding who gets access to a specific AI model by making phone calls to the company that built it. That’s a soft licensing regime in practice, even if it isn’t one on paper.
No laws were officially passed. There’s nothing formal on the books. But the outcome — 50 organizations in, 70 organizations out — is functionally identical to what a licensing regime would produce.
The Benchmark Numbers That Put This in Context
The OpenBSD finding is vivid, but the AISI data is what gives it structural weight.
The UK’s AI Security Institute runs a benchmark called the Last Ones — a 32-step simulated corporate network attack that AISI estimates would take a human expert roughly 20 hours to complete end-to-end. Mythos completed it in 3 out of 10 attempts. GPT-5.5 subsequently completed it in 2 out of 10 attempts, making it the second model to demonstrate this capability.
On expert-level cyber tasks, GPT-5.5 scored 71.4% and Mythos scored 68.6%. Close enough that the gap is less meaningful than the fact that two separate frontier models are now operating at roughly the same level on these evaluations.
The GPT-5.5 numbers include one data point that’s hard to shake: a reverse engineering challenge that would take a human expert approximately 12 hours was solved in 10 minutes and 22 seconds at an API cost of $1.73. Less than two dollars. That’s not a marginal improvement in speed. That’s a different category of capability.
OpenAI, meanwhile, is rolling out GPT-5.5 Cyber to its own list of “critical defenders” — the same framing Anthropic uses for its Mythos access program. Both labs are doing essentially the same thing: controlled distribution to vetted organizations, with the stated goal of getting these tools into the hands of people who will use them defensively before they diffuse more broadly.
The AISI is careful to note that these are simulated environments. There are no active defenses, no triggered alerts, no defensive tooling responding in real time. It’s closer to a PvE scenario than an actual contested network. AISI explicitly says they don’t know how these models would perform against real-world hardened systems. That caveat matters. But the time and cost curves are collapsing regardless of what the real-world ceiling turns out to be.
What’s Actually Buried Here: The Unauthorized Discord Group
Here’s the detail that got less attention than it deserved.
While Anthropic was managing a carefully controlled list of 50 organizations with Mythos access, there was apparently an unauthorized Discord group that had access to the model. The investigation is still ongoing. The source material describes it as unclear whether to call it a “leak,” but the basic fact is that people outside the official access program had access.
This is the tension at the heart of the entire access-control debate. The White House is making decisions about which 50 or 120 organizations get official access. But if the model is accessible through unofficial channels — whether through a Discord group, a prompt injection, a misconfigured API endpoint, or something else — then the official list is a partial picture at best.
Dean Abal, an AI policy analyst with former government experience, framed this clearly: the White House’s intervention might be the right short-term call, but long-term it’s “building a dam against a tsunami.” His core argument is that these capabilities will diffuse in the next 6 to 18 months regardless — from Western labs, from open-source Chinese models, from wherever. The question isn’t whether the capability spreads. It’s whether defenders have it before attackers do.
David Sax offered a counter-framing worth taking seriously: stop mystifying Mythos. It’s not a doomsday device. It’s one of the first of what will be many models capable of automating cybersecurity tasks, the same way AI is automating coding tasks. These models don’t create new vulnerabilities — they find ones that already exist. The OpenBSD bug was always there. Mythos just found it faster than any human auditor did.
The defender imperative, in Sax’s framing, is to get these tools into trusted hands quickly rather than treating access restriction as a durable solution.
The Dual-Use Problem Doesn’t Resolve Cleanly
There’s a common response to all of this from technically sophisticated engineers: “Smart people could already find these vulnerabilities. What’s new?”
The answer is in the distribution, not the ceiling.
A world-class security researcher can find a 27-year-old OpenBSD bug given enough time and the right incentives. But that researcher is a tiny fraction of the global population. They’re comparing AI capability to their own capability, which is already exceptional. For the other 99% of people — people who don’t have the technical background, the language access, or the institutional resources — the comparison isn’t “AI vs. expert.” It’s “AI vs. nothing.”
A model that can find critical vulnerabilities for $1.73 in API costs doesn’t just improve what experts can do. It changes who can attempt it at all. That’s the actual risk surface, and it’s why the White House’s concern isn’t entirely paranoid even if their specific intervention is imperfect.
This is also why the compute question matters beyond the immediate policy dispute. Mythos is computationally expensive — it’s a new model class above Opus, and running it at scale against every major company’s infrastructure would require infrastructure that doesn’t fully exist yet. That constraint is temporary. As Anthropic’s deals with Amazon, Google, and Broadcom come online, the compute ceiling rises. When it does, the access-control question becomes harder, not easier.
Platforms like MindStudio are already handling the orchestration layer for teams building with multiple models — 200+ models, 1,000+ integrations, a visual builder for chaining agents and workflows. As Mythos-class capabilities eventually become more accessible, the question of how to build responsibly on top of them becomes an infrastructure question as much as a policy one.
What to Watch For
The immediate watchpoint is straightforward: does the White House’s block hold, and under what conditions does it get revisited?
Anthropic’s position is that wider access to Mythos serves defenders. The White House’s position is that wider access creates risk and potentially degrades government compute priority. Those positions aren’t obviously reconcilable, and there’s no formal process for resolving them — which means the outcome will depend on relationships, trust, and whatever the next capability demonstration looks like.
The broader watchpoint is the unauthorized access investigation. If the Discord group had genuine Mythos access, the official list of 50 organizations is already a fiction. That would change the policy conversation significantly — not because it makes the White House wrong to restrict access, but because it reveals that restriction alone isn’t sufficient.
Everyone else built a construction worker.
We built the contractor.
One file at a time.
UI, API, database, deploy.
For teams building security tooling or working with AI agents on code analysis, the cybersecurity capability gap between Mythos and earlier Claude models is worth understanding concretely. Mythos scores 83.1% on cybersecurity benchmarks versus Opus 4.6’s 66.6%. That gap is large enough to matter for what you can actually build. And for a broader picture of where Mythos sits against the previous generation, the capability comparison between Mythos and Opus 4.6 lays out the full benchmark spread.
And if you’re tracking your own API usage as you push these models harder — Peter Steinberger’s open-source Codex Bar tool is worth installing. One line, shows quota usage for both Codex and Claude Code, session and weekly. Small thing, genuinely useful.
The deeper question — whether technical safeguards can outpace access diffusion, whether defenders can get ahead of attackers before these capabilities become commodity — doesn’t have a clean answer yet. What’s clear is that a 27-year-old bug in one of the most security-audited operating systems in existence got found by a model, and the government’s response was to control who gets to ask the next question.
That’s not nothing. It’s also not enough.
