Pentagon Leaders See Cyber AI as a Defensive Race, Not Just a Threat

The Pentagon’s view of cyber AI is shifting

Two senior US defense technology officials said this week that the newest generation of cyber-capable artificial intelligence should not be understood only as a threat. Speaking at the SCSP AI+Expo in Washington, Assistant Secretary for Cyber Policy Katherine Sutton and Pentagon Chief Technology Officer Emil Michael argued that tools modeled on Anthropic’s unreleased Mythos system could also become powerful instruments for defense.

The remarks reflect a more pragmatic posture inside the Defense Department as anxiety grows around AI systems that can identify and exploit software weaknesses at unprecedented speed. Rather than framing that speed purely as a new source of danger, Pentagon officials are making the case that the same capability could be used to harden vulnerable systems faster than human teams can manage today.

Sutton said the current patching model, which often unfolds over days or weeks, is no longer adequate in an environment where AI can move far faster. In her telling, the key opportunity is not abstract. It is secure code. If advanced models can rapidly detect flawed software and repair it, the military and its contractors could start reducing risk at a pace that legacy processes have never matched.

From “human speed” to machine speed

The officials’ comments centered on a simple but consequential point: vulnerabilities already exist across a sprawling software base, and AI changes the tempo at which they can be found, fixed, and exploited. Michael said those flaws are not new. What changes now is the timeline. Systems like Mythos may let defenders discover bugs faster, but they may also let attackers weaponize those same bugs faster.

That dual-use reality is what makes the moment so consequential for national security. Michael described it as a period in which the country, not just the federal government, needs to harden digital infrastructure. The Defense Department depends on a patchwork of aging software systems and code bases that have accumulated technical debt over many years. In that environment, a model that can autonomously patch vulnerable code could do more than improve operations around the margins. It could accelerate work that officials suggest should have happened long ago.

The argument is not that cyber risk disappears when AI enters the process. It is that the baseline for acceptable response times is changing. If machine-speed exploitation becomes normal, then machine-speed remediation becomes necessary. That is a major shift for institutions built around slower acquisition cycles, lengthy certification processes, and fragmented software ownership.

Why Mythos matters even if it is not unique

Much of the public discussion around the Pentagon panel has focused on Mythos itself, an Anthropic model that has drawn attention for its reported hacking abilities. But Michael sought to reduce the sense that one company or one model will define the field. He described Mythos as an early example of a broader class of cyber-capable models that major AI labs are likely to release over the next year or so.

That matters because the Pentagon is trying to think beyond a single vendor dispute. Anthropic is currently pursuing lawsuits against the government after the Trump administration and Defense Secretary Pete Hegseth banned federal use of Anthropic products. Michael himself has publicly criticized Anthropic’s chief executive. Even so, his comments at the event suggested that the strategic issue is larger than any one company relationship.

In that sense, the Pentagon appears to be signaling two things at once. First, it does not believe Anthropic holds a permanent monopoly on this kind of capability. Second, it expects a broader convergence in cyber AI as multiple firms develop models with similarly advanced functions. If that expectation holds, then the policy challenge will not be whether one particular system exists, but how government and industry adapt to a world in which many of them do.

A bigger test for defense institutions

The Pentagon’s optimism does not eliminate the risks attached to these tools. It sharpens them. A system that can find and fix vulnerabilities in seconds also compresses the time available for governance, validation, and response. Defense institutions will need to decide how much autonomy such systems can safely have, where human review remains essential, and how to deploy them across legacy networks that were not built for this pace of change.

There is also a practical question of readiness. Even if cyber models become widely available, the Defense Department still has to integrate them into real workflows. That means fitting advanced AI into a software environment defined by old platforms, inconsistent coding practices, and layers of bureaucratic control. The promise is substantial, but so is the implementation challenge.

Still, the core message from Sutton and Michael was clear. The emergence of cyber AI does not merely create a new offensive threat surface. It forces a rethink of what competent defense looks like. In that framing, success depends less on stopping powerful models from appearing than on using comparable capabilities to reduce exposure faster than adversaries can exploit it.

For the Pentagon, that turns AI from a distant modernization project into an immediate operational requirement. The race is not just to build stronger cyber tools. It is to ensure that patching, remediation, and software hardening can keep up with a threat landscape that is rapidly moving beyond human speed.

This article is based on reporting by Breaking Defense. Read the original article.