The AI Cyberattack Threat Is Real. The “Lock It in a Lab” Story Isn’t.

There’s a new RAND paper out where Michael Sulmeyer argues that artificial intelligence is about to unlock strategic cyber capabilities that have been stuck at the tactical level for two decades. If you buy his premise, the policy implication follows neatly: governments should restrict frontier AI models the way they restrict advanced semiconductors.
The trouble is that the government has already run a live experiment with that idea, and it lasted less than three weeks. The Biden administration’s January 2025 Framework for AI Diffusion did add controls on advanced closed-weight AI models to the export-control regime, but it was never enforced. The Commerce Department announced its rescission on May 13, 2025, two days before its compliance date, calling it “ill-conceived and counterproductive.” Then, on June 12, 2026, the Commerce Department (through the Bureau of Industry and Security) sent Anthropic a letter requiring suspension of foreign-national access to its Fable 5 and Mythos 5 models. Because Anthropic had no reliable way to verify nationality in real time, it suspended both models for everyone – a de facto global kill switch.
And then the government reversed itself. The controls on Mythos 5 were partially lifted on June 26–27 for a set of trusted U.S. organizations, and on June 30, 2026, the restrictions were lifted entirely, with Fable 5 rolling back out globally the next day. Notably, one reason cited for the reversal was that Chinese open-source models were beginning to show similar cyber capabilities anyway. The whole episode is a compressed demonstration of the argument that follows: you cannot lock up a capability that isn’t actually concentrated.
And because it’s RAND, the case for trying sounds good, until you check the underlying data.
What Does the RAND Paper Claim About AI and Cyberattacks?
Sulmeyer’s core thesis from his RAND perspective paper is straightforward: cyber operations have been tactical because three constraints bind their strategic employment.
- Confidence is low compared to kinetic weapons
- Classification prevents integration across command structures
- Capacity is the bottleneck; a 2025 paper by Richard Danzig put the number of master-level operators at roughly 1,000 in the United States, with only a handful responsible for most successes
Agentic AI supposedly fixes the capacity constraint based on an interpretation of a November 2025 incident where a Chinese state-sponsored threat actor allegedly manipulated Anthropic’s Claude Code into attempting infiltration of roughly thirty global targets with 80 to 90 percent autonomous activity. In theory, one small team could now oversee many simultaneous operations instead of a handful, making strategic cyberattacks viable.
This argument would be convincing if the capability didn’t already exist outside gated access.
Wasn’t Anthropic’s Mythos Supposed to Be That Key?
Back in April 2026, Mythos arrived with quite a lot of fanfare, featuring CVEs in FreeBSD, OpenBSD, Linux kernel, and Firefox. Media outlets frame it as the end of software security while Anthropic rolled out Glasswing to twelve launch partners plus subsidized organizations, pricing Mythos initially at $25/$125 per million tokens. Based on pricing at the time, that was roughly five times Opus and far above GPT-5.2 at $1.75/$14 and Gemini 3.1 Pro at $2/$12. Several of the non-Anthropic launch partners are also Anthropic investors, and JPMorgan sits simultaneously as a launch partner and as an underwriter for the AI lab that, on June 1, 2026, confidentially filed for an IPO at a $965 billion valuation, on a reported $47 billion revenue run-rate.
The marketing aligns with RAND’s premise, because if frontier models are the critical bottleneck, restricting access makes logical sense. That’s provided you ignore everything else that happened in the first half of 2026.
Does the Evidence Support Frontier Models as the Bottleneck?
Multiple independent investigations contradicted the gated-access claim within months of each other. Vidoc Security tested the public, patched cases with GPT-5.4 and Claude Opus 4.6 using an open-source coding agent and cleanly reproduced FreeBSD and Botan (3/3 on both models), with Opus 4.6 also reproducing the OpenBSD case. Separately, AISLE – the AI-security firm led by Stanislav Fort, not to be confused with some government AI Security Institute – evaluated many models against Mythos’s showcase bugs, where all eight tested models detected the FreeBSD NFS bug, including a 3.6B-active-parameter model running at about $0.11 per million tokens.
Sean Heelan ran experiments with agents on Opus 4.5 and GPT-5.2 against a zero-day in QuickJS, where the agents succeeded in building over 40 distinct exploits across 6 different scenarios. Opus 4.5 solved all but two, and the hardest task took GPT-5.2 about 50M tokens and just over 3 hours to solve, for a cost of roughly $50 for that single agent run.
Niels Provos put it bluntly in his blog: vulnerability discovery is an orchestration problem, not a frontier-model problem, while Devansh’s primary-source analysis argued the media overstated Mythos’s exclusivity. Mythos’s flagship “fully autonomous” FreeBSD find – the NFS/RPCSEC_GSS stack overflow, CVE-2026-4747 (a FreeBSD kernel bug, not a Linux one) – was reproduced with widely available public models, including small open-weights ones. The “thousands of severe zero-days” claim rests on 198 manually reviewed reports with an 89% inter-rater agreement rate, which leaves meaningful room for misinterpretation.
The pattern is clear across these independent studies:
| Source | Date | Finding | Model Used |
|---|---|---|---|
| Sean Heelan | Jan 2026 | 40+ exploits across 6 scenarios | Opus 4.5, GPT-5.2 |
| Vidoc Security | Apr 2026 | Reproduced FreeBSD and Botan 3/3 (OpenBSD on Opus 4.6) | GPT-5.4, Claude Opus 4.6 |
| AISLE (Stanislav Fort) | Apr 2026 | All 8 tested models detected FreeBSD NFS bug | Incl. 3.6B model at ~$0.11/M tokens |
| Devansh analysis | Apr 2026 | Mythos’s showcase FreeBSD bug reproduced by public models | Public models |
AISLE’s first round of tests handed models the vulnerable function directly, often with contextual hints, which the authors themselves described as “an upper bound” on autonomous performance. But AISLE then addressed that objection directly, building nano-analyzer, a simple whole-codebase scanner that they pointed at the full 7.5-million-line FreeBSD kernel with generic prompts and no hand-scoped snippets – and it still found CVE-2026-4747 with models as small as 3.6B active parameters, at over 100x lower cost than Mythos.
The point isn’t that Mythos is unimpressive; AISLE explicitly grants that it “almost certainly is [capable] to an outstanding degree.” The point is that the discovery side is broadly accessible today, even if the hardest exploitation work may remain more frontier-dependent.
The moat isn’t model access. It’s system engineering – scaffolding, file ranking, crash oracles, validation pipelines.
What Happens When You Build the Pipeline Without a Frontier Model?
Intruder released new findings in July 2026, the same month as the RAND paper. They built what they call a “vulnerability vending machine” using pre-Mythos models where Sonnet handled triage, Opus handled exploitation, and Joern provided static analysis while program slicing solved the context dilution problem. The pipeline ran fully automated from discovery through exploitation with no human in the loop.
Their output was CVE-2026-3985, a blind SQL injection in the Creative Mail WordPress plugin with over 300,000 active users. This wasn’t a CTF challenge or sanitized benchmark because it was production software that was also found independently by Dmitrii Ignatyev of CleanTalk Inc. Anyone with API credits and basic engineering competence can replicate this.
The capability has already industrialized.
What Policy Follows From Each View?
These two worldviews lead to two different policy recommendations, and the export-control episode shows a government that reached for the RAND framing and then abandoned it within weeks.
| If RAND Is Right | If Evidence Is Right |
|---|---|
| Frontier models are the bottleneck | Public models suffice; system engineering is the moat |
| Action: Restrict API access, control model exports | Action: Patching speed, asset visibility, remediation cycles |
| Example: January 2025 AI Diffusion Rule (rescinded May 2025) | Example: Focus on discovery-to-fix timeline |
| Example: June 12, 2026 Anthropic directive (lifted June 30) | Threat is dispersed, not concentrated |
Note the timeline carefully, because it undercuts any simple story of RAND driving the crackdown: the June 12 directive predates the July RAND paper, so the paper cannot have caused the action. What it does show is an rationale for a worldview the government was already moving towards, just that they were making it up as they went along. The directive was the result of a single reported jailbreak of Fable 5 surfaced by Amazon researchers. After review, Anthropic concluded the technique “did not expose any unique Mythos-level cyber capabilities,” and the company has argued elsewhere that the underlying vulnerabilities are the kind other publicly available models can find without any bypass at all. In other words, the government’s own trigger event turned out to be evidence of dispersal.
Why This Timing Matters
RAND’s framing rationalizes model restriction at exactly the moment when capability has dispersed beyond any lab’s control. The export-control episode is the tell: the government reached for the “restrict frontier AI like semiconductors” instrument, discovered it couldn’t sort users by nationality, watched allies and industry balk, noted that Chinese models were closing the gap regardless, and walked it back in eighteen days.
The gap between theoretical bottleneck and practical reality is where the real policy failure lives. Organizations with strong governance, disciplined engineering, and clear accountability can make models like Mythos genuinely useful. Those still relying on partial visibility, slow remediation, and optimistic assumptions will find the technology simply shows them what they already know – they won’t have enough resources to fix the vulnerabilities in this new game of whack-a-mole.
The threat isn’t concentrated in a few labs with exclusive API access, because attackers can use the same public APIs everyone else has. Open-source agents can replicate the scaffolding, and the binding constraint is money for tokens, not clearance for access. Policy should focus on reducing the time between discovery and remediation, not on restricting model weights – particularly after a live test of that policy approach collapsed in under three weeks.
The “manufactured” part of this narrative isn’t the threat, which is real. It’s the claim that the threat is bottled up in a handful of labs. The data doesn’t support that, and neither, in the end, did the government’s own enforcement.