US export-control directive halts Anthropic’s cyber-capable AI models, but experts say similar capabilities are imminent

Anthropic removed its Claude Fable 5 and Mythos 5 models from public access after the Trump administration issued an export-control directive barring “any foreign national” from using the services. The directive followed Anthropic’s public and private releases of the models, which the company had described as capable of both defensive cybersecurity tasks—such as identifying software vulnerabilities for patching—and offensive tasks like developing exploits.

The company had released Mythos Preview to a cybersecurity consortium called Project Glasswing in April, and rolled out Mythos 5 and Claude Fable 5 to broader audiences with selective guardrails. The White House restricted both models last week, asserting that Fable 5’s guardrails could be circumvented to expose Mythos 5’s full capabilities, posing a national security risk.

Security researchers and executives argue that the restriction is a temporary measure that does not address the underlying trend: AI models with advanced cyber capabilities are poised to become commonplace. Tarah Wheeler, chief security officer at TPO Group, said it is “myopic” to believe Anthropic is alone in developing such capabilities, noting that competitors are likely holding similar models in reserve.

Bruce Schneier, a researcher at Harvard and the University of Toronto, emphasized that the capability is not confined to a single model. He pointed to smaller, cheaper, and open-source models that, with refined prompting, can already match or exceed Mythos/Fable’s performance, with further improvements expected within months.

Anthropic itself warned in a blog post that many advanced uses of AI are dual-use, noting that capabilities beneficial to cybersecurity professionals and biologists could be dangerous if misused. The company’s frontier red team lead, Logan Graham, told WIRED in April that the broader message is preparation for a world where these capabilities are widely available within 6 to 24 months.

Cybersecurity leaders, including a large group that signed an open letter to the administration, argued that the export-control directive is misguided. Chris Wysopal, cofounder of Veracode, said the policy question is not whether a technology carries risk, but whether specific restrictions meaningfully reduce that risk or mainly slow progress in defensive applications.