
Fable and Mythos Recall Targets the Wrong AI Cyber Risk

Alex Kantrowitz and Ranjan Roy · Sunday, June 28, 2026 · 11 min read

Alex Stamos, the former Facebook chief security officer and current Corridor chief product officer, argues that the U.S. government’s forced pullback of Anthropic’s Fable and Mythos models misidentified the real cybersecurity threshold in AI. In his account, the decisive shift came earlier with models such as Opus 4 and GPT-5, which made elite vulnerability discovery scalable, while Fable’s risks were not meaningfully distinct from capabilities already available in other U.S. and Chinese models. Stamos says policy should target exploit creation and offensive operations, not bug-finding itself, or risk weakening defenders and making U.S. AI less reliable.

The real cyber capability shift did not begin with Fable or Mythos

Stamos’s central claim is that the government response to Anthropic’s Fable and Mythos models focused on the wrong moment. Mythos is powerful, and likely the best publicly known bug-finding model, but Stamos said the decisive break in AI cyber capability had already happened last year with the Opus 4 and GPT-5 series.

The Rubicon was crossed well last year with the Opus 4 series, with the GPT-5 series. That is when the models became better or as good or better than the best human bug finders.

Alex Stamos

That earlier crossing matters more than the branding around Mythos. Stamos said there are perhaps 50 or 100 top human bug finders, and he knows a couple dozen of them. They are expensive and do not scale. Models do: with enough money, power, GPUs, and access, their labor can be multiplied. The change he observed in the vulnerability-discovery world in mid-to-late last year was not that one named model appeared; it was that amateurs suddenly started producing results that looked superhuman.

His analogy was a high-school track meet where every kid posts Olympic world-record times. “You’d be like, man, they’re juicing,” he said. In vulnerability discovery, the “juicing” was the arrival of models good enough to find bugs at elite levels.

That framing shaped his account of the Fable pull-down. Amazon hosts Anthropic models through Bedrock, including in classified environments such as AWS Secret Cloud or Top Secret Cloud if agencies like the NSA are using them. Stamos said it was reasonable for Amazon to test Anthropic’s models while preparing to host Fable, and that Amazon found issues with Fable’s protections — the safeguards intended to distinguish it from Mythos.

The escalation, as Stamos described it, was not a normal technical remediation process. Amazon sent its results to Anthropic, and the two companies spent the week disagreeing over how serious the findings were. Stamos said he did not have the exact details, but as he told it, and “according to reporting,” Amazon CEO Andy Jassy mentioned the issue to someone at the White House; the White House “freaks out”; Anthropic asked for more technical detail; the White House could not clearly say what it wanted; and Anthropic proposed fixing the issues collaboratively rather than taking the model down.

Instead, around 5 p.m. Pacific on Friday, the Commerce Department signed an order designating the models export controlled. In Stamos’s description, that meant no foreigner — including foreign citizens who had helped build the models — could touch them. He noted that whether the administration had that legal authority is disputed. Anthropic nevertheless complied rather than immediately seeking a temporary restraining order, and because it could not ensure no foreign citizen would see the models, it pulled down both Mythos, which had been privately accessible, and Fable, which had been public.

The central technical question is whether the models justified that reaction. Stamos’s answer was deliberately split. Mythos is real, he said, but the story being told around it is inflated.

Mythos, by his assessment, is “almost” certainly the best bug-finding model known publicly. He qualified that by saying no one knows what Chinese labs have privately. On open known security evaluations, however, he said Mythos scores best. But he rejected the idea that it is the “avenging cyber god” implied by some of Anthropic’s framing. Compared with models such as Opus 4.8 and GPT-5.5, Stamos placed Mythos ahead on bug finding and exploit development — but not orders of magnitude ahead.

Mythos is real, but not singular

Ranjan Roy had been arguing with Alex Kantrowitz about whether Anthropic’s warnings and restricted access around models like Mythos reflected a real capability jump or a communications strategy. Roy’s skepticism came from how coordinated the rollout appeared: the danger narrative, the exclusivity, and publicity around a model breaking containment while someone was “eating a sandwich in a park” made the product feel, to him, like marketing.

Roy’s practical question was what the new dangerous capability actually is — what it looks like, what it feels like, and what problem it creates.

Stamos did not give Roy a clean win. Mythos is not “pure marketing,” he said. It is powerful, particularly for bug finding and exploit writing. But he also agreed that Anthropic had played up the model too much. The capability is material, but not unique enough to justify treating Mythos as the singular point of danger.

That distinction is central to his criticism of the government’s response. Fable, he said, uses the same model weights as Mythos, but Anthropic placed protections on it to stop it from doing the “really nasty stuff” Mythos can do. Amazon’s complaints concerned those protections. But Stamos said a number of people had looked at the complaints, and Anthropic had pushed back. Even with Amazon’s jailbreaks, he argued, Fable could not be made to do things unavailable from Opus, GPT-5, or multiple Chinese models.

“You can just ask GPT-5 to go find these bugs and it will go do it for you,” Stamos said. “You can just ask Kimi, which is an open source Chinese model, it will go write you these exploits.”

That makes the action against Fable incoherent to him. Fable could be tricked into certain bug-finding behavior, but not into the most powerful Mythos-style activity — such as grinding on the Linux kernel all day to find many bugs, an activity he said could cost hundreds of thousands of dollars at full price. The strongest capabilities, in his account, had not been jailbroken.

Stamos used a blunt comparison: if a pedestrian is hit by an F-150 at 80 miles per hour or a McLaren at 200 miles per hour, the practical outcome is the same. Mythos may be the Formula 1 car, while models such as Kimi or GLM-5.2 are the F-150. Removing the fastest car does not remove the danger. It may only harm defenders who need the best coverage.

The attacker, he said, needs only one or two bugs to chain together. Defenders need to find and fix as much as possible.

You could take the McLaren off the market, but all you’ve done is actually hurt the defenders who want to have full coverage.

Alex Stamos

Stamos said about 150 people had signed an open letter opposing the action because, in their view, it hurt defenders and damaged the U.S. AI industry. He characterized the letter’s message plainly: this was “really stupid.”

Bug finding cannot be treated as the forbidden capability

Stamos wanted the debate moved away from whether models can find bugs. Setting a standard that U.S. AI models cannot find vulnerabilities would be a severe mistake, he argued, because vulnerability recognition is required for defensive work.

A model that writes software has to understand what a security flaw looks like in order not to write one. If American LLMs are made “dumb about security,” they will create more security flaws, not fewer. Stamos said the technique Amazon used was to trick Fable into finding bugs in individual lines of code. But that ability is also necessary for writing secure code.

The core policy distinction is simple: identifying a vulnerability is not the same as operationalizing it. The boundary Stamos proposed is not “bug finding.” It is exploit creation and offensive operations: building exploit chains, doing long-running offensive work, and other capabilities that move from identifying a flaw to using it.

That distinction also framed his view of Anthropic’s own model access strategy. Kantrowitz asked whether, if Mythos represented a real material capability, the safeguards around it might resemble what Anthropic had done: controlled release, gated access, and restrictions. Stamos said both Anthropic and OpenAI appear to have paths involving know-your-customer access. OpenAI, he said, has a public level where users can request cyber capabilities and a private level; Anthropic, he believed, had only the private route for Mythos.

He considered some gating reasonable. But he thought Anthropic’s Glasswing access had not been broad enough. Before the export-control order, some critical infrastructure companies that should have had access did not.

Gated access is not enough if bugs do not get fixed

Ranjan Roy’s skepticism about Glasswing came from its exclusivity. People using it described access almost like being admitted to a club, he said: they had Mythos, they were spending heavily, and the access itself carried status. His question was what a rollout designed to help defenders should look like.

Stamos separated the marketing feel from the actual work. Glasswing, he said, was fixing real bugs. It had found about 10,000 bugs. But it had fixed only about 1,000, a 10-to-1 found-to-fixed ratio he considered undesirable.

10:1: the approximate ratio Stamos cited between bugs found and bugs fixed in Glasswing

That throughput problem matters because finding the bug is only one part of the defensive process. Stamos said his company had joined Project Athena, which he described as a Chainguard-run effort to fix open-source bugs using Mythos. That work is difficult not simply because vulnerabilities must be identified, but because open-source remediation requires finding the people with commit access and getting fixes merged.

At the same time, Stamos argued that many companies do not need Mythos to get started. If they ran a modern AI security tool against their codebase, they might find 80% of those bugs. Many organizations are discovering old, poor-quality code for the first time and treating the result as if only Mythos made it possible.

When one CEO asked him how to get into Mythos, Stamos said he told the CEO not to wait. Use Opus 4.8 now, he said, and expect to find “70% of the bugs you care about.”

The practical advice was therefore not to wait for access to the most restricted model or for the government to settle its position. Stamos’s view was that defenders already have capable tools, and delay leaves known classes of vulnerable code unexamined.

The China comparison makes the order look strategically self-defeating

The argument against the export-control order depended heavily on Stamos’s rejection of a common premise: that U.S. labs are years ahead of adversaries. He called that false.

While Fable was shut down, he said, Zhipu AI shipped GLM-5.2, a Chinese open-weight model. According to Stamos, GLM-5.2 is MIT licensed: users can download the weights from Hugging Face, build the model into products, and retrain it. He also said it is within percentage points of the top closed Anthropic and OpenAI models on several evaluations, including coding and other intelligence tasks. He cautioned that its bug-finding ability had not yet been well tested.

The point was not that GLM-5.2 is definitely equivalent to Mythos in cybersecurity. It was that, in Stamos’s account, the best known Chinese model is already close to top U.S. models on relevant general capabilities — and the best Chinese cyber model may not be announced publicly. “Unlike American labs, the Chinese are not going to announce their Mythos,” he said.

That makes a defensive-only American policy look dangerous to him. If U.S. companies restrict their own models while comparable or near-comparable Chinese models remain available as open weights, the practical effect is not to remove capability from the world. It is to push users toward models outside the U.S. frontier ecosystem.

Stamos framed the competition in strategic terms. The United States should be accelerating its capability to find and fix vulnerabilities, not voluntarily reducing access to tools that help defenders. Export-control logic aimed at Fable and Mythos makes little sense to him when other models can perform similar tasks without refusal.

A ban on jailbreakability is not a workable standard

Alex Kantrowitz raised one condition that had been discussed for Fable’s return: that Anthropic prevent it from being jailbroken. Stamos’s reaction was to question whether that is possible at all.

He referred to a NIST paper that he described as “kind of a Gödel incompleteness theorem” argument, saying it is impossible to make a model completely non-jailbreakable. He then returned to the functional problem: Fable must understand security flaws in order to do its job.

The only workable path, in his view, is definitional. Anthropic might try to define “jailbreak” according to its system card: different levels of cyber capability, where finding a couple of bugs and knowing what a bug is remains allowed, while building exploit chains and conducting long-term offensive activity is prohibited. If the standard is defined that way, Stamos said, Anthropic can be fine.

The dangerous alternative is that the Trump administration defines a jailbreak as any ability to find any vulnerability in code. If that happens, he said, the American AI and cybersecurity industries would be forced toward Chinese models.

That concern was sharpened by a report Stamos said Politico had published in the preceding hours: Anthropic and the Trump administration were negotiating AI safety standards. His unease was not about the existence of standards, but about who might define them and how technically grounded they would be. He joked darkly about whether Commerce Secretary Howard Lutnick was writing an evaluation.

The standard Stamos wants is clear: move the restriction line toward exploitation, not vulnerability identification. Defenders must be able to find and fix flaws. If policy collapses those categories, the result is not safety; it is disarmament.

Political risk is now part of the AI stack

The export-control order did not merely remove a model. Stamos said it introduced a new operational risk for companies building on U.S. AI providers: the possibility that a model could be pulled at 5 p.m. on a Friday because of government action.

Fable had only been out for a week, so most companies had not yet put it into critical production paths. Had it been out for a month, he argued, the sudden removal could have caused pagers across the country to go off as systems failed. The lesson CIOs and CTOs are drawing, according to Stamos, is to sign contracts for open-weight model backups on different hosts. They may not use Chinese hosts, he said, but they may use Chinese models through LLM routers as resilience against political risk.
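The failover pattern Stamos describes, sketched here as an added example; it is not code from Corridor, Anthropic or anyone quoted in this piece. The provider names, jurisdiction labels, error strings and responses are constructed and simulated rather than real API behaviour. The two points the sketch makes are that a router has to treat “model withdrawn” as a permanent failure (stop retrying and move on, rather than paging on every request), and that a backup only protects against a host being switched off if its weights can be served from somewhere the pulling authority does not control.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set


class ProviderError(Exception):
    """Failure from one provider. ``permanent`` marks errors retrying will not
    fix (model withdrawn, account export-blocked); transient covers 429/5xx."""

    def __init__(self, message: str, permanent: bool) -> None:
        super().__init__(message)
        self.permanent = permanent


@dataclass
class Provider:
    name: str
    jurisdiction: str            # where the serving host sits (assumed labels)
    open_weights: bool           # weights could be re-hosted if this host pulls them
    call: Callable[[str], str]   # the completion call
    disabled: bool = False       # set after a permanent failure


@dataclass
class RoutedResult:
    provider: str
    text: str
    attempts: List[str] = field(default_factory=list)


class FailoverRouter:
    """Try providers in order; skip hosts outside the allowed jurisdictions;
    retry transient errors; disable a provider after a permanent error so
    later calls go straight to the backup instead of failing again."""

    def __init__(self, providers: List[Provider], allowed_jurisdictions: Set[str],
                 transient_retries: int = 1) -> None:
        self.providers = providers
        self.allowed = allowed_jurisdictions
        self.transient_retries = transient_retries

    def complete(self, prompt: str) -> RoutedResult:
        attempts: List[str] = []
        for p in self.providers:
            if p.disabled:
                attempts.append(f"{p.name}: skipped (disabled after permanent failure)")
                continue
            if p.jurisdiction not in self.allowed:
                attempts.append(f"{p.name}: skipped (jurisdiction {p.jurisdiction} not allowed)")
                continue
            for _ in range(1 + self.transient_retries):
                try:
                    text = p.call(prompt)
                except ProviderError as exc:
                    attempts.append(f"{p.name}: {exc}")
                    if exc.permanent:
                        p.disabled = True
                        break
                    continue
                attempts.append(f"{p.name}: ok")
                return RoutedResult(p.name, text, attempts)
        raise RuntimeError("no provider could serve the request: " + "; ".join(attempts))

    def has_rehostable_backup(self) -> bool:
        """True if some non-primary provider serves open weights that could
        be moved to another host if this one is switched off."""
        return any(p.open_weights and not p.disabled for p in self.providers[1:])


# --- constructed, simulated providers (not real APIs) ---------------------

def _withdrawn(prompt: str) -> str:
    raise ProviderError("model_not_found: model withdrawn from the API", permanent=True)


def _make_flaky(fail_first: int) -> Callable[[str], str]:
    state = {"calls": 0}

    def call(prompt: str) -> str:
        state["calls"] += 1
        if state["calls"] <= fail_first:
            raise ProviderError("503: overloaded", permanent=False)
        return f"[hosted-open-weights] {prompt}"
    return call


def _self_hosted(prompt: str) -> str:
    return f"[self-hosted-open-weights] {prompt}"


def build_demo_router() -> FailoverRouter:
    return FailoverRouter(
        providers=[
            Provider("primary-frontier-api", "US", open_weights=False, call=_withdrawn),
            Provider("offshore-host", "XX", open_weights=True, call=_self_hosted),  # blocked by policy
            Provider("hosted-open-weights", "US", open_weights=True, call=_make_flaky(1)),
            Provider("self-hosted-open-weights", "self-hosted", open_weights=True, call=_self_hosted),
        ],
        allowed_jurisdictions={"US", "self-hosted"},
    )


if __name__ == "__main__":
    router = build_demo_router()
    for prompt in ("first request", "second request"):
        result = router.complete(prompt)
        print(result.provider, "<-", " | ".join(result.attempts))
```

On the first request the primary returns the simulated “withdrawn” error, is disabled, and the router lands on the first allowed open-weight host after one transient retry; on the second request the primary is skipped outright. The jurisdiction check is the piece that keeps a resilience measure from quietly becoming a data-residency problem: the offshore host is never called even though it would have answered.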

That is the self-inflicted wound: making U.S. AI unreliable at the same moment Chinese competition is pressing hardest.

We lost a war this weekend, like let’s not lose another war by making it unreliable to utilize the United States for AI.

Alex Stamos
