When Security Tools Become National Security Threats

Ninety Minutes to Kill a Model

On a Friday afternoon in late June, Anthropic received a letter from the Trump administration invoking the Bureau of Industry and Security's authority over dual-use technology. The message was terse: Mythos 5 and its derivative, Fable 5, could no longer be used by any foreign national, inside or outside the United States. That restriction extended even to Anthropic's own employees. The company had roughly ninety minutes to respond.

Anthropic pulled both models globally. No customers, no staff, no exceptions. The stated reason was national security risk. The actual trigger, according to multiple accounts, was a third-party security review that documented the models' ability to identify and patch vulnerabilities in code - a capability the administration deemed too dangerous to export.

At DailyTechWire, we've tracked the widening gap between how governments regulate AI and how practitioners build it. This episode crystallizes that gap. It also raises uncomfortable questions about whether enforcement is being applied selectively, and whether the frameworks designed to protect defensive security research are being ignored when AI enters the picture.

What the Amazon Report Actually Found

Anthropic had commissioned Amazon to evaluate Mythos 5 and Fable 5 before release. The researchers fed the models open-source code laced with known CVEs, then added newly written samples containing hidden flaws. The prompt was straightforward: review this code for security issues.

Fable 5 refused. When researchers rephrased the instruction - asking the model simply to fix the code - it complied, generating patches and scripts to test them. According to Katie Moussouris, a veteran bug-bounty architect who reviewed the Amazon document at Anthropic's request, that behavior is precisely what defensive security teams need. Moussouris helped establish the bug-bounty program at Microsoft, led Hack the Pentagon for the Department of Defense, and served on multiple federal advisory boards. She confirmed publicly that the third-party report cited by officials was the Amazon assessment.

Her conclusion: the findings do not justify export restrictions. The models behaved as designed for legitimate defensive use. They identified flaws when asked to improve code quality, not when explicitly prompted to expose vulnerabilities for exploitation. Administration officials reportedly described the document as alarming because the capability could benefit adversaries targeting American systems. Moussouris and more than a hundred security practitioners disagreed in an open letter, arguing that blocking these tools harms defenders far more than it inconveniences attackers.

The Wassenaar Carve-Out and Why It Exists

Moussouris was also instrumental in renegotiating the Wassenaar Arrangement, a multilateral agreement among forty-two nations that governs export controls on dual-use technologies. A key outcome of that renegotiation was an explicit carve-out for defensive security capabilities: offensive research tools, malware analysis platforms, and incident-response software used in coordinated vulnerability disclosure.

The carve-out exists because restricting these technologies undermines the defenders who protect critical infrastructure. It shields security researchers and companies from criminal prosecution when sharing technical data across borders in the course of legitimate work. The premise is simple: if you make it illegal to export the tools that find and fix vulnerabilities, you leave your own systems more exposed.

Applying export controls to a model that patches code on request cuts against that logic. The capability is not novel - other models, including open-weight alternatives and foreign systems, already perform similar tasks. DeepSeek and other China-based frameworks have demonstrated comparable code-review functions. Blocking one commercial product while leaving the broader ecosystem untouched does little to contain the risk and much to fragment the defensive toolkit available to security teams in allied jurisdictions.

Why Anthropic, Why Now

This is not the first time Anthropic has found itself at odds with federal authorities. Earlier this year, the company clarified its acceptable-use policy to prohibit deployment of its models for domestic surveillance or autonomous weapons targeting. The Pentagon and Anthropic both stated that no such use was occurring, but the company wanted to establish boundaries preemptively.

The response from Washington was swift. The Trump administration directed federal agencies to remove Anthropic from government infrastructure and labeled the company a supply-chain risk, effectively barring contractors who work with the government from using its products. That move significantly narrowed Anthropic's addressable market in the public sector, even as competitors with less restrictive use policies retained access.

Internal communications reviewed by multiple outlets show Anthropic employees questioning whether the company is being singled out. The timing of the Mythos and Fable ban, coming months after the Pentagon friction, has amplified that perception. No other frontier lab has faced comparable export restrictions on code-analysis models, despite the fact that similar capabilities are widely available.

The question is whether this reflects a principled application of export-control authority or an opportunistic use of national-security language to pressure a company that declined to align its product roadmap with defense priorities. The lack of detailed explanation from the Bureau of Industry and Security makes it difficult to distinguish between the two.

The Open-Weight Problem No One Wants to Discuss

Even if Mythos and Fable represented a meaningful leap in offensive capability - a claim disputed by the security practitioners who have examined the evidence - the enforceability of the ban is limited. Open-weight models are proliferating. Training runs that once required nation-state resources now fit within the budgets of well-funded startups. Researchers in Shenzhen, Bangalore, and Seoul are publishing architectures that rival or exceed the performance of closed commercial systems.

Export controls work when the controlled item is scarce, complex to produce, and concentrated in a small number of jurisdictions. Semiconductor fabrication equipment fits that description. Large language models with code-generation capabilities do not. The knowledge required to build them is published in academic conferences. The compute required to train them is available on cloud marketplaces. The weights themselves, once released, can be copied and deployed anywhere.

Restricting Fable 5 while leaving open-weight alternatives untouched is akin to banning the export of a specific brand of encryption software while allowing all others. It creates compliance burdens for one vendor without altering the threat landscape. Attackers who want AI-assisted vulnerability discovery have numerous options. Defenders who want to use a specific, commercially supported tool now have one fewer.

What Comes Next

The immediate consequence is operational. Anthropic customers who relied on Mythos or Fable for code review, security auditing, or compliance workflows have had to migrate to alternative platforms on short notice. Some of those platforms are foreign. Some are open-weight. None are subject to the same level of scrutiny that Anthropic invited by commissioning the Amazon assessment in the first place.

The broader consequence is strategic. If governments treat every incremental improvement in AI capability as grounds for export restriction, they risk fragmenting the global research community and driving talent toward jurisdictions with lighter regulatory burdens. They also risk undermining the norms that allow security researchers to collaborate across borders - norms that have been painstakingly built over two decades and that remain essential to defending interconnected infrastructure.

Moussouris and her co-signatories are not arguing for a free-for-all. They are arguing for consistency: apply the same principles to AI that already govern other dual-use security technologies, and recognize that blocking defensive tools weakens defense. That argument has won before, in the Wassenaar renegotiation and in subsequent policy debates. Whether it wins again depends on whether officials are willing to distinguish between genuine threats and convenient pretexts.

At DailyTechWire, we've watched governments around the world grapple with how to regulate AI without stifling the research that makes systems more secure. The Anthropic case suggests that in Washington, at least, the reflex to restrict is still stronger than the discipline to differentiate. That reflex may satisfy short-term political objectives. It does not make American networks safer.