Fable: Who Gets to Defend Themselves?

Mohammed Abalkhail

June 15, 2026

Anthropic just released two AI models built from the same technology. The first, Mythos, is the powerful one: it can find and exploit security weaknesses, and it's locked away for a small group of approved partners, big companies, and the US government.

The second, Fable, is the one the rest of us can use. It's the same model, but with a filter on top. The moment you ask it for help with offensive security, it quietly hands your request to a weaker model instead. The strong tool is for insiders. The public version has had its teeth pulled. Security has been here before and we're about to make the same mistake twice.

We've Seen This Before

Around the year 2000, there was a private, invite-only mailing list called vendor-sec. A small group of software vendors and trusted researchers shared security flaws in secret, fixing them quietly before the public found out. The idea made sense on paper: give defenders a head start, and keep the dangerous details away from criminals.

It didn't work. The details leaked anyway. Instead of stopping attacks, it just split the world in two - the people on the list knew about the flaws, and everyone else was left exposed and unaware.

So the industry changed course and started sharing flaws openly. That worked better. Not because it was reckless, but because secrecy was the real problem all along. Hiding the danger doesn't make it go away. It just decides who has to deal with it — and usually that's the people least able to. Releasing powerful AI tools in tiers is the same old mistake in a new form.

Why Locking It Down Doesn't Work

To be fair, Mythos really is impressive, and locking it up sounds reasonable: keep the dangerous tool from bad actors and give defenders breathing room.

The problem is the capability doesn't stay locked up. Other companies are already building models just as strong, and the gap between the restricted versions and the public ones is closing in months, not years. The head of AI at SANS, a respected security group, simply assumes attackers already have tools this powerful because every time the industry believed something was contained, the bad guys turned out to have it first.

So locking the tool down doesn't slow the attackers. It only decides which defenders get left behind. And it's the smaller players who lose - the small-town hospital with one part-time security person, the mid-sized factory, the corner shop running the same software as the giants. The public model was supposed to help them. Instead it blocks the exact work they need, and the real capability that gets through costs twice as much as before. The ones with the most risk and the least money get the weakest tools at the highest price. The attacker chasing them has no such limits.

A Better Way: Trust, but Stay Accountable

The answer isn't to throw the doors open - handing raw attack tools to anonymous users would be its own disaster. The better way is the one that already worked: give people access, but make them accountable for it. Open the capability to defenders broadly, but ask them to register as real, identifiable organizations instead of joining a secret club. Keep enough of a record that misuse can be traced. Test your own systems freely - just don't launch attacks at scale without your name attached.

Think of it as a sign-in sheet instead of a locked gate. A gate tries to guess in advance who deserves in, and gets it wrong. A sign-in sheet lets people in but holds them responsible. That's exactly why open sharing beat the secret list.

And none of this is permanent. The only thing separating the powerful model from the public one is a filter and a price tag - not the technology itself. There's talk of wider access coming. The question is whether it's a slightly bigger insider club, or real accountable access that reaches the small hospital before the attacker does.

We built Nua on a simple belief: defense only keeps pace when the best tools reach defenders as fast as attackers get theirs. Offensive security testing at machine speed is how that happens. Spread the capability. Tie it to responsibility.
