Logo
TLCTC
Blog / Tech Enablers Overlay

From model access to state power

Fable 5, Mythos 5, and why the contest over frontier AI is not about who builds the strongest model — but about who can turn it into action first, and whose clock runs faster.

BK
Bernhard Kreinz
~14 min read

For decades, nation-state cyber capability meant intelligence services, cleared personnel, classified tooling, zero-day stockpiles, global infrastructure, and large operational budgets. Frontier artificial intelligence adds a new variable to that list — and it is not the one most commentary assumes.

The question is no longer who has the strongest model. It is who receives it first, who is permitted to use it, who can operationalise it — and whose Δt is shorter.

The events surrounding Anthropic's Claude Fable 5 and Claude Mythos 5 over the past sixty days show that frontier-model access has stopped being a commercial product decision. It has become an instrument of national-security policy. But the popular reading — AI makes attackers stronger — is incomplete to the point of being misleading. The same capability that finds and weaponises a flaw also finds and removes it. What changed is not the catalogue of things that can go wrong. What changed is the speed at which both sides can move through it.

This piece reads the episode through the Top Level Cyber Threat Clusters (TLCTC). The discipline the framework imposes here is simple and unfashionable: keep the model, the government, and the export-control letter out of the threat clusters, where they do not belong, and put them where they do — in the layers that describe who can do what, how fast.

01 / EvidenceThe sixty-day timeline

Five public developments, in sequence, trace a single arc: from a controlled defensive programme to a global access cut-off ordered by a single government.

07 April 2026
Project Glasswing begins

Anthropic gives Claude Mythos Preview to a selected group of cybersecurity and infrastructure organisations — major tech firms, cloud providers, security vendors, financial institutions, the Linux Foundation. The purpose is explicitly defensive, and the model is deliberately withheld from general release because of its cyber capabilities. Access is already being allocated by capability, trust, and purpose rather than by who can pay.

05 May 2026
Early government access expands

Microsoft, Google, and xAI agree to give the U.S. government pre-release access for national-security testing. The relevant standards body has reportedly completed 40-plus evaluations, some of models not yet public — occasionally with safeguards reduced so underlying capability can be measured. "Early access" stops meaning "buy it sooner" and starts meaning "see it before anyone else."

22 May 2026
Defensive capability becomes measurable

Anthropic reports that ~50 Glasswing partners used Mythos Preview to find more than 10,000 high- or critical-severity vulnerabilities in important software. It is a vendor-reported figure, not an audited one — but the operational implication holds: discovery has outrun the capacity to verify, disclose, patch, and deploy. The bottleneck moves from finding to fixing.

02–05 June 2026
Privileged access becomes policy

An executive order directs a classified benchmarking process for frontier cyber capabilities and a voluntary framework letting developers hand covered models to the federal government up to 30 days before other trusted partners — with the government helping choose those partners. Days later, a national-security memorandum makes the goal explicit: a "decisive and enduring AI advantage," and closing the gap between public models and those available to the national-security workforce. The advantage is no longer incidental. It is stated.

09 June 2026
Fable 5 and Mythos 5 ship — split by access

Two configurations of one underlying model. Fable 5: broadly available, with safeguards restricting sensitive cyber and biological assistance. Mythos 5: substantially greater dual-use capability, restricted to vetted defenders and infrastructure providers through Glasswing, with expansion "in consultation with the U.S. government." A capability hierarchy, justified as safety — and functioning, unavoidably, as an allocation of power.

12 June 2026
Exclusion power is demonstrated

An export-control directive requires Anthropic to suspend access to both models for any foreign national — inside or outside the U.S., including foreign-national employees. Unable to draw that line cleanly at speed, Anthropic disables both models for everyone. The parties dispute the proportionality; they do not dispute that one government had the legal authority to switch the models off worldwide. The question shifts from who gets it first to who can decide that others get nothing.

02 / ClassificationA model is not a threat

This is where most analysis goes wrong, and where TLCTC earns its keep. A model is not a cyber threat. A government is not a cyber threat. An export-control decision is not a cyber threat. Under Axiom IV, threats and actors stay separate: actors use attack clusters, and actor identity never determines how an attack step is classified.

So Fable 5 and Mythos 5 do not become an eleventh cluster. They belong in the Tech Enablers Overlay and the Actor Capability Landscape — the layers that track which clusters an actor can exercise, how skilfully, in what sequence, and how fast. The technology does not invent a new way for systems to fail. It changes how efficiently actors exercise the ten ways that already exist.

Tech Enablers Overlay — entry
Technology enabler:   Mythos-class frontier AI (incl. agentic configs)
Adoption status:      Observed
Primary actor groups: Nation-State · CI defenders ·
                      Cybersecurity vendors · Vetted research orgs

Principal amplification:   #1  #2  #3  #7
Secondary amplification:   #4  #9
Primary temporal effect:   Reduction of Δt
#1-specific mode:          Scope expansion (agentic) + Δt

That last line is the one the first draft of this analysis missed — and it is the most important one. Let me explain why.

03 / The argumentThe cluster everyone forgets: #1 Abuse of Functions

It is natural to file frontier AI under #2 Exploiting Server, #3 Exploiting Client, and #7 Malware. Those are the clusters where "the model finds the bug and writes the exploit" lives. But that framing quietly understates the shift, because it is purely a speed story: the vulnerability classes are unchanged, the model just traverses them faster. Δt compression. Real, but reproducible by anyone with a comparable model.

#1 Abuse of Functions is a different kind of amplification — and it is where agentic AI changes the game structurally rather than just quickly.

Recall the cluster: in #1 the attacker turns a system's intended, legitimate functionality against its protection goals. No implementation flaw is required. There is nothing to patch, because nothing is broken. The control surface is design, configuration, and authorisation logic — not code correctness. Historically this is the least tractable cluster to defend, precisely because no scanner flags "behaving as designed."

An agent is, by construction, a legitimate-function-invocation engine. It chains API calls, queries, tool uses, and privileged operations the system is designed to permit. Point that capability at a protection goal and you get #1 at machine speed and machine scale:

  • enumerating and chaining permitted operations to reach a violation no single call would trigger;
  • discovering authorisation-logic gaps — over-broad scopes, transitive trust, confused-deputy paths — through systematic legitimate probing;
  • composing multi-step abuse sequences across systems faster than human-paced detection logic expects.
Why this is not a #7 story

R-EXEC still holds: if the agent's actions cause execution of Foreign Executable Content, that is a separate #7 step. But a large class of agentic abuse never crosses into #7. No FEC, no exploit primitive, no malware artifact — the agent only ever invokes functions the system offers. Pure #1. That is exactly the path that detection tuned for #7 artifacts will miss.

So the claim for #1 is stronger than "Δt reduced." It is scope expansion: the model raises not just the speed but the reachable depth of legitimate-function abuse — how many permitted-operation chains an actor can practically discover and execute. That capability dimension is absent from the #2/#3/#7 speed story.

#1 →[ scope + Δt expanded by agentic AI ]→ [protection-goal violation]
   (no #7 step required; abuse stays within intended functionality)

And here is the line that connects #1 straight back to the geopolitics: the amplification of #1 scales with the operationalisation stack, not with the model weights. An agent's #1 power is only as large as the privileged, legitimate functions it can be wired into. A commercial customer wires it into a SaaS tenant. A state with classified environments, integration authority, and deployment reach wires it into functions of an entirely different consequence. That is precisely why the access advantage is a Champions League advantage rather than a head-start: the #2/#3/#7 velocity edge anyone with the model can copy; the #1 reach edge depends on the whole apparatus around it — and only a few actors have that apparatus.

04 / MechanismWhy #2, #3 and #7 still move

Anthropic reported that Mythos Preview could identify complex vulnerabilities, convert them into exploit primitives, and combine those primitives into complete attack chains — outperforming other evaluated models on several exploit-development benchmarks. In TLCTC terms that lands cleanly:

  • #2 Exploiting Server — assisting discovery and exploitation of implementation flaws in server-role software.
  • #3 Exploiting Client — the same, where vulnerable software consumes attacker-controlled content in a client role.
  • #7 Malware — where exploitation results in execution of Foreign Executable Content, R-EXEC requires a separate #7 step.
#2 →[ Δt reduced by AI-assisted analysis ]→ #7
#3 →[ Δt reduced by AI-assisted analysis ]→ #7

The model is the enabler, never a cluster. It is shown alongside the arrow, not on the path.

05 / The other halfThe defender's mirror

The public reflex is that more exploit capability favours attackers. That is the half of the story that gets told. The defender holds structural advantages the attacker does not:

  • authorised access to source code, architecture, and configuration;
  • production telemetry, asset inventories, patch and deployment authority;
  • the ability to test continuously, change the environment, and remove the vulnerability entirely.

An attacker needs one exploitable path. A defender can point the same model at the whole codebase: identify weakness classes, verify reachability, generate candidate patches, test them, and deploy across the estate. Glasswing was built around exactly this — and Anthropic says it has already moved the limiting factor from finding flaws to verifying, disclosing, and patching them. Frontier AI, in other words, can strengthen cause-side prevention across clusters:

Against #2 / #3 / #1

  • source-code review, fuzzing, vulnerability discovery
  • reachability and exploitability verification
  • patch generation and validation, regression testing
  • enumeration of authorisation-logic and config surface (the cause-side of #1 — historically the hardest to test)

Against #7 & across paths

  • malware and suspicious-script analysis
  • behavioural-rule and execution-policy generation
  • detection engineering, sandbox and telemetry analysis
  • correlating weak signals to reconstruct likely sequences and anticipate the next step

06 / The real contestΔt against Δt

The decisive effect is not new classes of attack. The ten generic vulnerabilities are unchanged. The effect is that AI compresses the time between steps — for both sides.

Attacker clock

discovery
→ exploit construction
→ validation
→ deployment

Defender clock

discovery
→ verification
→ patch construction
→ testing → deployment

Both clocks speed up. The variable that decides the outcome is the comparison between them:

Δt(defender remediation)  <  Δt(attacker weaponisation)   → AI improves security
Δt(attacker weaponisation) <  Δt(defender remediation)    → AI increases exposure

This is why counting model capabilities is not enough. A model that surfaces 10,000 vulnerabilities is not a defensive win on its own. It becomes one only when findings turn into deployed controls before exploitation arrives. The honest question for any organisation is whether its verification, disclosure, patching, and deployment pipeline can keep pace with a discovery engine that no longer waits for humans.

07 / ModelA two-dimensional capability landscape

The conventional Actor Capability Landscape measures the ability to attack. The Fable/Mythos episode shows it should carry two related but separate profiles.

Offensive vector

  • discover vulnerabilities
  • develop exploits
  • chain attack steps
  • generate FEC
  • automate targeting
  • expand reachable #1 abuse paths (agentic)
  • reduce attack-path Δt

Defensive vector

  • discover weaknesses first
  • validate findings
  • generate and safely test fixes
  • deploy at scale
  • harden authorisation logic (#1 cause-side)
  • detect hostile model use
  • reduce remediation Δt

A government with privileged access can gain on both vectors at once: stronger operational tools for its intelligence and military organisations, earlier defensive capability for its agencies, critical-infrastructure operators, and domestic vendors. That duality is the point — the same access structure produces higher state offensive potential and higher state defensive resilience. The strategic question is how those are governed, separated, audited, and distributed.

08 / DependencyEurope and capability sovereignty

The 12 June directive reportedly drew no line between adversarial states, neutral states, and close allies — foreign nationals, full stop. For organisations outside the United States, that exposes a dependency: you may rely on U.S.-controlled models for vulnerability research, software assurance, and defensive operations, while remaining subject to access decisions taken under another state's national-security authorities.

This is not automatically a #10 Supply Chain Attack. No attacker has exploited a trusted component at a Trust Acceptance Event. It is a different animal: a strategic third-party dependency and capability-sovereignty issue. Naming it correctly matters — calling it #10 would smuggle an adversary into a story that, so far, has none.

The answer is not isolation. It is resilience: diversified providers, sovereign evaluation capacity, regional compute, open-weight fallbacks, contractual continuity, local tooling, independent verification infrastructure, and shared trusted-access arrangements among allies.

The lesson is not "never use U.S. models." It is: do not build a national defensive capability whose continued operation depends entirely on another state's permission.

09 / CaveatPersistent, not permanent

"Permanent" is too strong. "Persistent" and "institutionalised" are better supported. The advantage holds while frontier models are built under U.S. jurisdiction, the government keeps effective legal authority over providers, closed models stay meaningfully ahead of open weights, rivals lack equivalent domestic capability, and U.S. agencies operationalise early access faster than adversaries can reproduce it.

It weakens through stronger non-U.S. labs, capable open-weight models, leakage or replication, sovereign compute, legal or political change, faster diffusion — or simply superior operationalisation by another state. Because model possession alone is not capability. Capability is the stack:

model + compute + tools + data + integration
      + skilled personnel + legal authority
      + organisational processes + operational deployment

The U.S. government currently appears to be building that entire stack. That is more consequential than temporary access to one model — and, as the #1 argument showed, it is exactly the stack on which agentic abuse-of-function capability depends.

10 / ConclusionThe power to allocate intelligence

The Fable 5 / Mythos 5 timeline is a progression: controlled defensive access → pre-release government evaluation → formal early-access policy → national-security adoption → trusted-partner influence → foreign-access restriction. Frontier-model access has become part of national cyber power.

Mythos-class AI is not a new threat cluster. It is an observed technology enabler that raises actor capability across the existing ten — especially #1, #2, #3 and #7 — and compresses attack-path Δt.

The same enabler raises the defender's ability to discover and remove the generic vulnerabilities #2 and #3 depend on, to harden the authorisation logic behind #1, to strengthen controls against #7, and to compress remediation Δt.

The future will not be decided by whether attackers or defenders "have AI." Both will. It will be decided by access, integration, operational discipline, and speed. The decisive contest is no longer who has the strongest model. It is:

Who receives it first?
Who may use it?
Who can operationalise it — and across which functions?
And whose Δt is shorter?

Keep the model out of the clusters. Put it where it belongs — in the layer that decides how fast, how deep, and for whom the ten ways a system can fail are now reachable. That is the discipline. The rest is allocation of power.

Sources
  1. Anthropic — Claude Mythos
  2. Reuters — Microsoft, Google and xAI to give US government early access
  3. Anthropic — Project Glasswing: An initial update
  4. The White House — Promoting Advanced AI Innovation and Security
  5. The White House — NSPM-11
  6. Anthropic — Claude Fable 5 and Claude Mythos 5
  7. Anthropic — Statement on the US government directive
  8. Reuters — US blocks foreign access to Anthropic's most advanced models
  9. red.anthropic.com — Exploit Evals
TLCTC — Top Level Cyber Threat Clusters · v2.1 · CC BY 4.0
Framework: tlctc.net · Repository: github.com/Barnes70/TLCTC
Cause-oriented · actor-agnostic · deterministic classification.