TL;DR
Axios reported on April 19 that the NSA is one of the handful of organizations with access to Anthropic’s Mythos Preview, the company’s most capable and most restricted model. That wouldn’t be a story on its own, except for one thing: the Pentagon, which the NSA reports up through, officially labeled Anthropic a “supply-chain risk” in February. The same building that told contractors to get off Anthropic is running Mythos for offensive cyber work inside its own intelligence arm. A federal judge has already paused the blacklist. Anthropic’s CEO was in the White House two days ago.
What Axios actually reported
The Axios scoop by Sara Fischer and Ashley Gold, published late Sunday, is narrow and pointed. At least one U.S. intelligence agency, the NSA, has been granted access to Mythos Preview, a model Anthropic has kept off the market for everyone except a small whitelist. Axios couldn’t get the NSA, the Pentagon, ODNI, or Anthropic to comment on the record, which is par for the course on stories like this. Every relevant shop pleaded “no comment” and the piece still made the front page of Hacker News because of what the silence implies.
Mythos Preview has been public knowledge since the late-March leak that this blog covered at the time, but the access list has stayed deliberately opaque. In early April, Anthropic named 12 Project Glasswing launch partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself. The company also said over 40 additional organizations that build or maintain critical software got access, without naming them. The Axios piece is the first time a specific unnamed entity has been confirmed, and the NSA is a big one to confirm first.
The Pentagon’s February blacklist
To understand why this is a story at all, rewind to February. Defense Secretary Pete Hegseth’s office pushed Anthropic to drop its usage policy restrictions on two specific categories: mass domestic surveillance and fully autonomous weapons. The demand, as TechCrunch reported on February 27 and corroborated in the current Axios piece, was that Anthropic should make Claude available for “all lawful purposes”. In other words, if it’s legal under U.S. law, the model should do it.
Anthropic said no. The company’s usage policy explicitly carves out those two categories, and dropping them would gut the entire acceptable-use framework the company has built its brand around. Hegseth’s response was to formally designate Anthropic a supply-chain risk and direct DoD contractors to wind down use. That designation is a big lever. It doesn’t only hit the Pentagon itself; it cascades out through the cleared contractor base.
March: a judge pauses the ban, calls it “First Amendment retaliation”
On March 26, Judge Rita Lin of the Northern District of California issued a preliminary injunction against the supply-chain risk designation. Her ruling didn’t mince words. Lin wrote that “punishing Anthropic for bringing public scrutiny to the government’s contracting position is classic illegal First Amendment retaliation,” and that “nothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for expressing disagreement with the government.” The injunction blocked Trump’s broader directive that would have banned all federal agencies from using Claude.
That wasn’t the last word. On April 8, the DC Circuit declined to stay the Pentagon’s procurement blacklist while litigation continues, letting DoD keep Anthropic off its own contracting list even though Lin’s broader federal-agency ban remains paused. The net status is awkward. Anthropic can work with most of the federal government, but the Pentagon itself is formally barred from buying from the company. Some DoD components, apparently, never stopped either way.
What Mythos Preview actually does
This is the part that makes the NSA angle less surprising, even if the Pentagon’s awkward position stays awkward.
Mythos is Anthropic’s heaviest model to date. The angle that concerns us here is its cyber capability. In red-teaming Anthropic ran on Mythos Preview, the model found thousands of high-severity vulnerabilities, including some that had been sitting in widely-used open-source code for decades. This builds on the pattern this blog covered earlier when Claude turned up 500 zero-days across open-source projects — Mythos pushes that capability further. The headline finds:
| Vulnerability | Age when found | Software |
|---|---|---|
| Memory-corruption bug | 27 years | OpenBSD |
| Codec parsing flaw | 16 years | FFmpeg |
| Privilege-escalation issue | Multiple | Linux kernel |
| Browser-side exploits | Various | Major browsers (unspecified) |
The reason Anthropic restricted Mythos to a whitelist is exactly this. The same capability that finds bugs in open-source software finds bugs in whatever else you point it at. The company kept the model off general availability and cited its offensive-cyber capability as the reason for the limited cohort. If you’re the NSA and your day job includes offensive cyber operations, this is the first model that has ever looked like it could materially change the tempo of that work. Given that, NSA access is closer to what you’d expect than what you’d be shocked by.
The contradiction, spelled out
Stack the facts in a single column:
- Feb 2026: Defense Secretary designates Anthropic a supply-chain risk, orders contractors to disengage.
- March 2026: Federal judge pauses the designation.
- April 17, 2026: Anthropic CEO Dario Amodei meets with White House Chief of Staff Susie Wiles and Treasury Secretary Scott Bessent to discuss government use of Mythos.
- April 19, 2026: Axios reports NSA, inside the Defense Department umbrella, has been cleared for Mythos Preview.
The working theory that fits all of this: the Pentagon’s civilian leadership wanted leverage to get Anthropic to drop its usage policy, the intelligence community just wanted the tool, and the intelligence community won. Or: the designation was always about policy posture more than genuine supply-chain concerns, and individual agencies were quietly carved out. Either read, the public story from February (“Anthropic is a risk, back away”) and the private reality in April (“the NSA is running it”) don’t line up.
There’s a narrower legal read, too. Judge Lin’s March injunction sits on top of the Pentagon’s blacklist, and the DC Circuit’s April 8 refusal to stay it only applies to Pentagon procurement, not to federal agencies generally. NSA, being a Defense Department component, doesn’t fit neatly inside either ruling. Axios didn’t nail down whether NSA’s Mythos access runs through a non-DoD contracting vehicle, a Glasswing research carve-out, or something else. Whichever it is, the optics of DoD telling contractors to disengage while NSA keeps running Mythos are rough.
Why this is more than a procurement fight
Two reasons to care if you don’t follow government contracting.
First, the IPO subtext. Anthropic is reportedly in early talks with Goldman Sachs, JPMorgan, and Morgan Stanley about an October 2026 IPO at a valuation north of $800 billion, as Bloomberg first reported. Government penetration is a big input to that story. A few months ago the narrative was “the Pentagon is pushing Anthropic out”; if the replacement narrative is “federal agencies actually can’t do without Mythos,” that’s a very different pre-IPO backdrop. I covered the revenue side of that run-up last week. This is the government-relations side of the same curve.
Second, the precedent. The Pentagon’s “all lawful purposes” demand, if it had held, would have been the template for how other governments approach frontier-model vendors. The judge’s March injunction pushed back on that template. The NSA’s continued use quietly further undermines it. If the big story of 2025 was whether frontier vendors could say no to their own labs, the story of 2026 is whether they can say no to governments. Anthropic is currently running the live version of that experiment. Early evidence suggests the answer is yes, even when DoD is screaming about it.
What to watch next
A few things will tell you how this resolves over the next month or two:
- The next court hearing on the supply-chain designation. If the injunction is made permanent, the Pentagon’s leverage is gone and the NSA’s use becomes unremarkable. If it’s reversed, expect a very messy public fight inside DoD.
- Whether more Glasswing names leak. If other three-letter agencies (CIA, DHS, DOE) are confirmed, the “policy designation, not real risk” read gets a lot stronger.
- Anthropic’s next policy update. If Mythos general availability expands with tighter usage-policy language around law-enforcement use cases, read that as the company closing the gap quietly.
- What Amodei signals publicly after the White House meeting. An Anthropic government-specific tier or product line would change the picture: a real carve-out rather than a one-off. The GovCloud precedents at AWS and Azure suggest the shape this could take.
Sources
- Scoop: NSA using Anthropic’s Mythos despite Defense Department blacklist, Axios (April 19, 2026). The original report that broke the story.
- NSA Uses Anthropic Mythos While Pentagon Calls It Supply Chain Risk, Implicator.ai. Corroboration with the February to March timeline.
- US security agencies adopt Anthropic’s Mythos despite Pentagon risk label, DigiTimes. Independent confirmation and context.
- Anthropic Attracts Investor Offers at an $800 Billion Valuation, Bloomberg (April 14, 2026). The IPO context behind the government-relations story.
FAQ
What is Anthropic’s Mythos Preview?
Mythos Preview is Anthropic’s most capable model, released on a restricted basis to roughly 40 organizations. It was announced alongside Project Glasswing, Anthropic’s program for coordinating with critical-infrastructure software vendors on vulnerability disclosure. The company kept general availability off the table because internal testing showed the model had unusually strong offensive-cyber capability, finding thousands of high-severity bugs in widely-used open-source software during red-teaming.
Why did the Pentagon label Anthropic a supply-chain risk?
In February 2026, Defense Secretary Pete Hegseth’s office pushed Anthropic to drop usage-policy restrictions on mass domestic surveillance and fully autonomous weapons. Anthropic refused. The Pentagon then designated Anthropic a supply-chain risk and directed DoD contractors to disengage. A federal judge paused that designation with a preliminary injunction in March 2026, questioning whether usage restrictions amounted to the kind of hostile behavior that label requires.
Is the NSA part of the Pentagon?
The NSA is a Defense Department agency. It sits under the Secretary of Defense organizationally, even though it also answers to the Director of National Intelligence for intelligence-community coordination. That’s what makes the April 19 scoop odd: the same cabinet department that designated Anthropic a risk is running Anthropic’s most capable model inside one of its biggest component agencies.
Which organizations have Mythos Preview access?
Anthropic publicly named 12 Project Glasswing launch partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself. Over 40 additional organizations that build or maintain critical software got access without being listed publicly — per the Axios report, that group includes at least some U.S. government agencies such as the NSA. Anthropic cited the model’s offensive-cyber capabilities as the reason for keeping the list small.
What happens next with the Pentagon fight?
The March injunction is preliminary, so the underlying legal case is still open. Meanwhile Anthropic’s CEO Dario Amodei met with senior White House officials on April 17, reportedly to discuss government use of Mythos, which suggests the resolution will be worked out politically rather than in court. Watch for other federal agencies being confirmed as Mythos users and for any Anthropic announcement of a government-specific tier.
Bottom line
The NSA is running the same model the Pentagon told everyone else to stay away from. Either the designation was always more about leverage than risk, or the intelligence side got a quiet carve-out, or both. With Anthropic’s IPO on the October calendar and revenue past $30 billion ARR, the company’s government-relations posture is about to shape the valuation story more than its usage policy. The Pentagon fight looked in February like it might knock Anthropic back. Four months later, the pressure appears to have flipped direction.