DEV Community

Breach Protocol
Breach Protocol

Posted on • Originally published at groundtruth.day

An AI Reportedly Broke Into Nearly All of the NSA's Classified Systems in Hours

The US government ordered Anthropic to shut down its two most powerful models, Fable 5 and Mythos 5, worldwide after a red-team exercise in which the Mythos model broke into almost all of the NSA's classified systems in hours, according to Senator Mark Warner. The directive, issued June 12, forced Anthropic to restrict and then disable the models globally.

Key facts

  • What: A senator says the head of the NSA told him a top AI model walked through almost all of America's classified systems in hours during a controlled test, reframing last week's government shutdown of the model.
  • When: 2026-06-24
  • Primary source: read the source

Warner — the vice-chair of the Senate Intelligence Committee — said that General Joshua Rudd, who runs both the National Security Agency and US Cyber Command, told him the Mythos model "broke into almost all of our classified systems, not in weeks, but in hours." The breach occurred during a sanctioned red-team drill, where the model was deliberately pointed at hardened classified networks to find vulnerabilities. That test is now described as the reason behind the government's June 12 directive, after which Anthropic shut the models off worldwide. We covered the shutdown when it happened, in the story of how Washington made a frontier model disappear. Security Affairs, quoting The Economist, first reported Warner's account.

The distinction matters. A red-team exercise is a sanctioned drill: the model was aimed at those systems on purpose, by people who wanted to find holes. That is different from an AI deciding on its own to attack a government and succeeding — nothing of the sort is being alleged. What is being alleged is still striking: that when you aim this tool at hardened, classified networks and let it work, it finds its way in fast, across almost everything, with little human steering. Security Affairs itself flags the obvious caveat, noting these are "unverified claims reported through Senate testimony, not independently confirmed facts." Nobody outside the room has seen the actual test.

The policy debate turns on a single dual-use capability. Think of hiring the world's most gifted lockpicker to audit the locks in a government building. The skill that lets them open every door in an afternoon is exactly the skill you want if your job is to find and fix weak locks. You cannot split that person into a "good half" that only fixes locks and a "bad half" that picks them, because it is one skill. Anthropic's long-running position is that its model's talent for reading software and spotting flaws is precisely this kind of dual-use ability — the same thing a defender uses to harden systems and an attacker uses to break them. The independent research group Epoch made the careful version of this argument earlier, drawing a line between two skills people keep blurring, in its piece on whether these models' cyber abilities are overhyped: finding a weakness is not the same as building a working attack from it, and a model can be unnervingly good at the first while still clumsy at the second.

The red-team claim quietly upgrades the stakes of the original shutdown. When the models were pulled, the most common read was that this was a heavy-handed but ultimately patchable safety stop — a regulator being cautious. If the red-team claim is even roughly accurate, the government was reacting to something closer to a genuine offensive capability, the digital equivalent of a tool that can pick almost any lock. That makes the no-warning, switch-it-off-globally response look less like overreaction and more like a deliberate signal to every other lab: brief us before you ship something this capable, or we will reach in and stop you. It also reframes a rival lab's recent decision to pitch itself as the safe, responsible cyber lab as a calculated move in exactly this moment.

The worry about the capability is reasonable. The way it is being communicated — through a senator paraphrasing a general in a setting where the underlying evidence is classified — is the part to hold loosely. "Almost all, in hours" is a memorable line precisely because it is dramatic, and dramatic lines are the ones most likely to get compressed and amplified on the way out of a closed hearing. Until someone publishes a test anyone can examine, the strongest claims on every side rest on inference, not on a document outsiders have read. For how outside experts are being let in to check work like this, see our story on safety testers getting inside the frontier labs. What is no longer in doubt is that the people who run America's most sensitive networks took a look at one of these models and decided they did not want it out in the world without their say-so.


Originally published on Ground Truth, where every claim is checked against the primary source.

Top comments (0)