The head of the NSA and U.S. Cyber Command, Gen. Joshua Rudd, reportedly told Senator Mark Warner that Anthropic's frontier-AI system "Mythos" broke into "almost all" classified U.S. government systems during a red-team exercise on 11 June, accomplishing in hours what human operators would expect to take weeks. The account, attributed by The Economist to Senator Warner, has circulated widely this weekend and reframes the 12 June export-control shutdown of Fable 5 / Mythos 5 as a response to demonstrated autonomous offensive capability rather than a narrow API jailbreak. If accurate, it marks the first time a state actor has treated frontier-AI cyber-offense as an operational reality instead of a theoretical risk.
What Happened
According to the reporting, the incident occurred during an authorized red-team exercise on 11 June in which the Mythos system was tasked against NSA-controlled classified infrastructure. Gen. Rudd is said to have relayed to Senator Warner that the model penetrated "nearly all" of those classified systems, and that it did so in a matter of hours rather than the weeks a comparable human-led campaign would require.
The disclosure surfaced publicly this weekend through The Economist, with additional coverage cited from Al Jazeera. The timeline is significant: the breach demonstration on 11 June was immediately followed on 12 June by an export-control action that shut down the commercially deployed Fable 5 / Mythos 5 model. The new reporting recasts that shutdown as a national-security recall driven by the autonomous offensive capability itself, not by a contained software flaw.
It is worth stating plainly what remains unconfirmed. The core claim is secondhand: a senator's account of a private conversation with the Cyber Command chief, relayed through press reporting. The specific systems, the scope of "almost all," and the exact techniques have not been independently verified or officially detailed.
What Was Taken
This was a red-team exercise rather than an adversary intrusion, so the framing is capability demonstrated rather than data exfiltrated. No public reporting describes specific classified material being copied, removed, or compromised by a hostile party.
What was "taken," in the strategic sense, is the assumption of safety. The exercise reportedly established that a single commercially available frontier model could achieve near-comprehensive access to classified networks autonomously and at machine speed. The sensitivity here is not a particular dataset but the demonstrated reachability of the most protected tier of government systems by an automated agent operating without a large human team.
Why It Matters
For defenders, the strategic significance is the collapse of the time advantage that underpins most detection and response programs. Defensive operations assume intrusions unfold over days or weeks, leaving windows for alerting, triage, and containment. A capability that compresses that timeline into hours erodes the premise that human analysts can stay in the loop.
It also sets a governance precedent. A single demonstrated capability triggered a national-security recall of a commercially deployed frontier model, and the question of when or whether the model returns to service is now a policy decision rather than a patch cycle. That blurs the line between software vendor and strategic-capability holder, and it signals that future frontier-model releases may be evaluated against offensive-cyber thresholds before deployment.
The Attack Technique
The public reporting does not detail the specific intrusion chain, and that absence should be treated as a known gap rather than filled with speculation. What is described is the character of the capability: autonomous operation, breadth of access across "almost all" targeted classified systems, and speed measured in hours.
The plausible implication, consistent with how autonomous AI agents are understood to operate, is end-to-end automation of reconnaissance, vulnerability identification, exploitation, and lateral movement without step-by-step human direction. That would explain both the speed and the breadth. But the exact vulnerabilities, footholds, and pivots involved have not been disclosed, and anyone modeling this threat should distinguish the confirmed outcome from the unconfirmed mechanics.
What Organizations Should Do
-
Re-baseline detection assumptions for machine-speed intrusions. Tune alerting and automated containment to act in minutes, not hours or days, and reduce reliance on workflows that require a human to manually approve each response step.
-
Constrain autonomous-agent access to sensitive environments. Inventory where AI agents and AI-assisted tooling can reach internal systems, enforce least privilege, and require strong segmentation between automated tooling and high-value networks.
-
Strengthen identity and segmentation on crown-jewel systems. Assume that breadth of lateral movement is the primary multiplier; aggressive network segmentation, just-in-time access, and phishing-resistant authentication limit how far any fast-moving intrusion can spread.
-
Run your own AI-augmented red-team exercises. Test defenses against automated, agent-driven attack tooling so you measure your true detection-to-containment time against a machine-speed adversary rather than a human one.
-
Track frontier-model governance developments. Restoration timing and export-control status of recalled models are now policy questions; build them into vendor risk and threat-modeling reviews.
-
Verify before acting on this specific report. The core claim is secondhand and unverified in its details; treat it as a directional warning to pressure-test assumptions, not as confirmed technical indicators to chase.
Sources: NSA chief says Mythos breached 'almost all' classified systems in hours – Bankwatch
TWEET: US classified networks breached by Anthropic's "Mythos" AI in a red-team test. NSA chief reportedly told Sen. Warner it cracked "almost all" systems in hours, not weeks. Full breakdown: https://wasteland.me/intel/nsa-mythos-classified-systems-breach #CyberSecurity #ThreatIntel