On Transparent AI Cyber Protections

Dear Secretary Lutnick and National Cyber Director Cairncross,

We, the undersigned executives and technical leaders from across the United States and its allies, write to you to ask you to lift the export control directives on Anthropic’s Fable and Mythos large language models and commit to an open, scientific and transparent process of handling AI risk assessments in the future.

First, we would like to state that we believe that:

• AI is having significant impacts on cybersecurity, including by greatly reducing the difficulty of finding flaws in software and writing exploits for those flaws.
• Anthropic’s Mythos-class models are quite good at finding flaws and weaponizing exploits.
• However, they are not uniquely good at these tasks, and many of the undersigned individuals regularly use other foundation and open-source models for security audits and red-teaming every day.
• Anthropic has built multiple protections into the Fable model to prevent its use for cyber offensive uses. These protections were so aggressive as to be the source of humor in the cyber community on launch day.
• It is essential to provide AI to coders and security teams so they can find and fix flaws in their own newly-written as well as decades of legacy code faster than our adversaries.
• The Chinese open-weight models are only months behind the best American models, and those are the models we know about. It seems likely that the PRC government has access to private capabilities beyond what has been published.
• To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous.

It is our understanding that underlying model capabilities in the original research that triggered this action:

• Were focused on determining whether a human-prompted section of code was insecure. This is a necessary capability in any model that is intended to write secure code and should not be considered an offensive capability.
• Can be replicated on GPT-5.5, Opus, Sonnet and even Chinese models like Kimi 2.7. The justification for this unprecedented action was that Fable provides a unique “uplift” of capabilities beyond other AI models, but AI has been finding bugs and generating working exploits at superhuman levels since last year.
• Anthropic is addressing the research. As security professionals, we recognize that our work does not lead to a simple end-state where a system is fully safe, and the purpose of research like this is to enable continuous improvement, not to ban the technology.

As a result, this action has taken the best models away from defenders, created market uncertainty, and risked America’s AI leadership without any real risk to justify it.

Not all of us agree that AI regulation is the right way forward. But if this Administration’s laudable goal of securing our nation’s critical infrastructure is going to include models being regulated, then the regulations should be:

1. Grounded in scientific evaluations developed with input from industry and academia;
2. Created through a democratic rule-making process;
3. Enforced transparently and fairly with appropriate time given to remediate; and
4. Used only to the minimal extent necessary to ensure the safety of the American public.

Thank you for your consideration and partnership in helping us maintain America’s lead in technology while protecting critical software and systems.

Signed,

Affiliations are included for reference only and do not indicate organizational endorsement.

• Alex StamosChief Product Officer, Corridor
• Derek AbdineCEO, Furl
• Feross AboukhadijehCEO, Socket
• Ben AdidaExecutive Director, VotingWorks
• Iftach Ian AmitFormer CSO, Founder and CEO at Gomboc.ai
• Omkhar Arasaratnam
• Matthew ArenoCTO
• Abhishek AryaPrincipal Engineer, Google and Founder, OSS-Fuzz
• James Nicholas AshworthAI Village
• Emily AustinPrincipal Security Researcher
• Megan BakerCISO, Georgian
• Kevin BankstonSenior AI Governance Advisor, Center for Democracy & Technology
• Kurt BaumgartnerCo-Founder, TLPBLACK
• Andrew BechererCISO, Socket
• Brian BehlendorfOpen Source Pioneer
• Anthony BettiniCEO, VulnCheck
• Manish Bhatt0-day Connoisseur, OWASP
• Matt BishopDistinguished Professor, University of California Davis
• Christopher Bleckmann-DreherPrincipal Offensive Security, Mercedes-Benz
• JP BourgetCEO, Blue Cycle
• Aaron BrownHead of Security, Mercor
• Jack CableCEO & Co-founder, Corridor
• Jon CallasIndiana University
• Justin CalmusCISO
• Jeffrey CarusoAuthor and Researcher
• Sven CattellAI Village
• Jason ChanRetired CISO
• Anupam ChanderProfessor of Law and Technology, Georgetown
• Matthew CreagerCo-Founder, Keycard
• Andrew CunjeCISO, Appian
• Dino A. Dai Zovi
• J. Michael DanielPresident & CEO, Cyber Threat Alliance
• Sam Davison
• Drew DennisonCTO & Co-Founder
• Justin DollyChief Security Officer, Ory Corp
• Justin D'SouzaCEO, Asymptote Labs
• Donald E. Eastlake 3rdPrincipal Engineer
• Moona Ederveen-SchneiderFounder, Resilia Connect
• Casey John EllisFounder, disclose.io and Bugcrowd
• Gary EllisonFormer VP Trust and Product Security
• Chris EngCybersecurity Executive
• Maggie Engler
• Sergej EppMulti-CISO
• Gadi EvronFounder and CEO, Knostic
• Ed FeltenCo-founder and Chief Scientist, Offchain; former Deputy U.S. CTO
• Jaime FigueresPresident, Fundación Costarricense de Inteligencia Artificial Responsable (FAIR Costa Rica)
• Joe FitzPatrickFounder, SecuringHardware.com
• Robert FlyCEO/Co-Founder, detections.ai
• Richard F. FornoTeaching Professor, UMBC
• Erick GalinkinAI Security Research Scientist
• Harley Geiger
• Steve GentryCISO
• Daniel GoreckiCISO/Founder, NGC Risk
• Andy GrantHead of Security Assurance, Zoom
• Yael Grauer
• Matthew D. GreenAssociate Professor, Johns Hopkins University
• Joseph Lorenzo HallDistinguished Technologist, Internet Society
• Arabella HallawellCMO, Sovera Security
• Andrew HayCOO, Damovo
• Tyler HealyCISO, DigitalOcean
• Ariel Herbert-VossCEO, RunSybil
• Michael HicksCecilia Fitler Moore Professor and Director of the Schlein Center for Cybersecurity, University of Pennsylvania
• Cyrus HodesCo-founder, Stability AI, Venture Partner Lionheart Ventures
• Christofer HoffCyber Security Executive
• Keith HoodletDirector, Security Research
• Rick HowardCEO, Cybersecurity Canon Project
• Jared HunterRocket Software, Inc.
• Mikko HypponenCRO, Sensofusion Finland
• Vlad IonescuCTO, RunSybil
• Dipendra JainFounder
• Jeevan JutlaCEO, Gecko Security
• Chad KalmesCISO, Benchling
• Dhillon KannabhiranFounder, Hack In The Box
• Eoin KearyCEO & Founder, Edgescan
• Jake KingFounder, Minimal Software Research
• Dr. Joseph KiniryCEO and Chief Scientist, Sigil Logic
• Jonathon KlobucarSecurity Engineer
• Benjamin KnaussCEO, Racter Holdings
• Mitja Kolsek0patch co-founder
• Martin KoopmanManaging Director, Aditat AI
• Madeline LawrenceCo-Founder, Aikido Security
• Nate LeeCEO/Founder, TrustMind and CloudsecAI
• Joe LevyCEO, Sophos
• Ian LivingstoneCEO
• Max LoefflerResearcher, Goodfire
• Dan LorencCEO, Chainguard
• Mark LovelessSecurity Architect
• Myke LyonsCISO, Cribl
• Greg MartinCEO of Ghost Security
• Ross MaticanInvestor, Halcyon Ventures
• Jack McGivneyCISO, Anaplan
• Jeff McJunkinSANS Instructor and Author
• Ross McKercharCISO, Sophos
• Sandra McLeodCISO, Zoom Communications
• Amanda MinnichAI Security Researcher, Microsoft
• Rich MogullAnalyst, Security Executive
• Joe MolesCTO, Furl
• Christopher Monson, Ph.D.Founding Engineer, Abundant Security
• Katie MoussourisCEO, Luta Security
• Vinh NguyenFormer Chief Responsible AI Officer, National Security Agency
• T.C. (Theodore) NiedzialkowskiCISO, Head of Security & IT; former Opendoor, Nextdoor, Federal Reserve National Incident Response Team
• Charles NwatuSecurity Leader, GRC Engineering
• Dave Ockwell-JennerHead of Information Security, Narvar
• Carey ParkerFirewalls Don't Stop Dragons
• Efrain Orsini JrDirector of Security Operation & Deputy CISO, SilverSky
• Bryan Payne
• Vesko Pehlivanov
• Stephen D PelletierCEO
• John PetersonCTO, Sophos
• Riana PfefferkornPolicy Fellow, Stanford HAI
• Niels ProvosSecurity Blueprints LLC
• Nils PuhlmannCISO
• Muralidharan RamachandranFounder & Strategic Advisor
• Ashwin RamaswamiCTO & Co-founder, Corridor
• Jason RebholzCEO, Evoke Security
• Gavin ReidCISO, Human Security
• Jonathan Reiter
• Mark RisherFmr. Head of Google Identity
• Esteban Rodriguez
• Marc RogersCTO, NBHD.ai
• Olivia RoseCISO
• Jason RossOWASP GenAI Red Team co-lead
• Jim RouthAdvisor
• Bob RudisDistinguished Engineer, Applied AI
• Dragos RuiuCanSecWest
• Mike SampleCTO, Minimal.dev Software
• Chris SandulowCISO, Confluent
• Joshua SaxeCo-Founder, Abundant Security
• Ty SbanoCISO, Webflow
• Alex SchapiroCo-Founder, Strix
• Bruce SchneierHarvard University and the University of Toronto
• Cory ScottCenter for Cybersecurity and Privacy Protection, CSU|LAW; Former CISO
• Joshua ScottCISO, Hydrolix
• James ShankDirector of Threat Operations, Expel
• Akram SheriffCo-Founder/CTO (Ex-Cisco Systems, Ex-Hippocratic.ai)
• Ram Shankar Siva KumarAffiliate, Berkman Klein Center for Internet and Society at Harvard University
• Matthew SouthworthCSO, Priceline
• Eugene H. SpaffordDistinguished Professor, Purdue University
• John N StewartPresident, Talons Ventures
• John StringerDivisional CTO, ImageNet Consulting
• Talha TariqChief Technology Officer (Security), Vercel
• Glenn ThorpeSr. Director – Applied AI, Intelligence
• Per ThorsheimFounder, PasswordsCon
• Rachel TobacCEO, SocialProof Security
• Emily VandewatervCISO, Elteni Cybersecurity Consulting
• John VillasenorProfessor of Electrical Engineering, Law, and Public Policy, UCLA
• Paul VixieInternet Pioneer
• Jason WaitsCISO, Inductive Automation
• Nancy WangVenture Partner, Felicis Ventures
• Steven WeberProfessor of the Graduate School, UC Berkeley School of Information
• Tarah WheelerChief Security Officer, TPO Group
• Jeff WilliamsCISO, Sigma360
• Royce D. Williamspublic-interest technologist
• Dave WillnerCofounder, Zentropi
• Allen Wilson3x CISO
• Beau WoodsFounder/CEO, Stratigos Security
• Chris WysopalCo-founder, Veracode
• Josh YavorCEO, Credible Security
• Philip ZimmermannAssociate Professor Emeritus of Cybersecurity, Delft University of Technology