The Scariest Thing About Anthropic Is How Well they make Fear Resonate

Anthropic Perfected Heart-Attack Marketing. There’s No Defibrillator Coming.

If you work in security, you’ve developed a nose for heart-attack marketing. You’ve sat through vendor presentations where the threat landscape gets darker with every slide, right up until the moment the product appears. You know the move.

Anthropic has learned it too, they’re running a sophisticated version of it. But they’re not selling you the cure, they’re just making sure that you heart rate stays elevated.

When Anthropic releases a new model, the safety documentation comes first. Before the capability benchmarks, before the pricing, there’s a model card. And that model card will tell you, in careful technical language, that this model was evaluated for its potential to provide “meaningful uplift” to threat actors pursuing cyberattacks, or in some cases attacks on critical infrastructure.

Then the model ships anyway.

This isn’t accidental. It’s doing several things at once, it signals seriousness and it pre-empts criticism. This plants a very specific idea in your head: this thing is powerful enough to be dangerous, which means it must be powerful enough to be useful.

What “uplift” does in this context. Uplift is a real term in national security and biosecurity contexts. It means giving an adversary something they couldn’t have achieved without your help. Raising the threat ceiling. Anthropic borrowed it and put it in consumer-facing model documentation, which is a choice worth noticing.

When a company publishes a report saying their model was tested for cyberweapon uplift potential, the average enterprise buyer doesn’t read that and think “concerning.” They read it and think “this thing must be seriously capable.”

It functions as a capability signal dressed in safety language. That’s clever. It’s also a little manipulative, depending on how charitable you’re feeling.

The Responsible Scaling Policy as Marketing Infrastructure

Anthropic’s Responsible Scaling Policy introduced a framework of AI Safety Levels, running from ASL-1 upward. Each level represents a threshold of potential danger. As models get more capable, the safety requirements escalate accordingly.

This is presented as precautionary governance. It also functions as a release narrative. Every new model gets positioned against this scale. Every capability announcement carries the implicit message that Anthropic evaluated the danger and decided the controls were sufficient.

What you rarely see is external validation of those evaluations. Anthropic assesses their own models against their own framework and reports the results. There’s an incentive to be seen taking safety seriously, which isn’t the same as an incentive to actually find problems. That distinction matters, and it almost never gets made in the coverage.

The Firefox case: a study in headline arithmetic

The clearest example of this playbook in action is Anthropic’s Mythos announcement and the Mozilla post that followed it.

Mozilla reported that 271 vulnerabilities were identified in Firefox 150 associated with Mythos, in a post entitled “The zero-days are numbered.”  Striking claim. But a researcher who dug through the actual commit history, advisory references, and linked bugs found the picture considerably murkier.

Start with the budget framing. The often-cited “under $20,000” figure doesn’t mean Mythos found one devastating bug for that price. In Anthropic’s own writeup, that budget covered a large search process with roughly a thousand scaffolded runs and several dozen findings.  Still notable. Just a very different claim from the version people repeated.

Then there’s the accounting problem. The Firefox 150 security advisory doesn’t map to a single clean list of 271 Firefox-only bug IDs. The aggregated CVE buckets also cover Thunderbird and ESR releases, not just Firefox 150. Mozilla’s 271 figure, Bugzilla bug IDs, advisory CVEs, and individual commits are not the same unit.

And then there’s the more fundamental question: what kind of bugs were actually found?

In browser exploitation there’s a wide spectrum between a harmless correctness bug, a crash-only bug, a bug that creates a memory corruption primitive, and a bug that survives into a reliable exploit chain. If you collapse that spectrum into a single headline number, you get attention, but you lose precision.

The strongest charitable reading of the Firefox 150 data is that Mythos appears to be very good at surfacing suspicious patterns at scale. That’s already valuable. But the public evidence doesn’t support the strongest version of the claim that AI has arrived for vulnerability research.

One detail that didn’t make the headlines: one team publicly stated that their RCE and sandbox escape chain was still alive after the release.  Many fixes landed. The offensive problem wasn’t solved.

Anthropic defined the evaluation. Anthropic reported the results. Mozilla amplified the narrative. The security community was left doing archaeology on Bugzilla to work out what actually happened.

The threat model has a problem

Here’s what the fear marketing consistently implies: that the primary risk is a sophisticated threat actor getting access to Claude and using it to do something they couldn’t do before.

That premise deserves scrutiny, because it’s doing a lot of work and it doesn’t hold up cleanly.

The actual finding in most of Anthropic’s evaluations isn’t “Claude enables nation-state level cyberattacks.” It’s closer to “Claude can help someone who already has relevant knowledge work a bit faster on certain tasks.” That’s a real concern at the lower end of the threat actor spectrum, script kiddies moving up a level, ransomware affiliates automating recon, smaller criminal groups who previously lacked the technical depth for certain operations.

That’s worth talking about. It’s just not the cinematic story being told.

Because the adversaries Anthropic gestures at in its threat framing state-sponsored, sophisticated, persistent, targeting critical infrastructure those actors aren’t waiting for Claude. Here’s the part that never makes it into the press releases: APTs already have their own frontier models.

The adversaries Anthropic is Warning you about don’t need Claude

China-nexus threat actors are operating with access to commercial models, both frontier-class models developed domestically and outside Western usage policies. Russian state-affiliated groups have access to models built without jailbreak mitigations, without rate limits, and without terms of service. The PLA has been investing in purpose-built offensive AI infrastructure for years. These are not actors who are going to subscribe to Claude Pro and hope the guardrails don’t trigger.

The geopolitical reality is that the most capable adversaries have pursued sovereign AI development specifically to avoid dependency on Western models. They understood before most people were paying attention that access to frontier AI would be a strategic asset, and they acted accordingly.

So when Anthropic warns you that Claude could provide meaningful uplift to sophisticated threat actors and then positions its safety framework as the responsible response – ask yourself who that threat model is actually describing? It isn’t describing the actors with the capability and intent to hit critical infrastructure. Those actors are running their own inference on their own hardware with no usage policies in sight.

The uplift risk from commercial models is real, but it sits at the lower end of the capability spectrum. That’s a legitimate security concern. It just doesn’t justify the framing Anthropic uses, which consistently implies top-tier threat actors are the relevant reference point.

Who the Fear Marketing is Actually for

The cybersecurity threat framing lands hardest with three audiences.

CISOs and security leadership, who are already primed to think in threat vectors and appreciate a vendor that speaks the language. 

Enterprise risk and compliance teams, who need documented evidence that someone thought about the danger before the contract was signed. 

Policymakers and journalists, who amplify the safety narrative because it generates better coverage than benchmark numbers.

All three are commercially valuable to Anthropic. Enterprise security buyers are exactly who they want in production. Policy credibility translates into influence over AI governance, which translates into competitive advantage in a regulatory environment still taking shape.

Fear, handled carefully, opens doors.

The thing that makes this hard to dismiss

The underlying concern isn’t manufactured. AI is being used in offensive operations. The threat surface is real and expanding. 

Anthropic’s Research is often Genuinely Interesting.

The underlying concern isn’t manufactured. AI is being used in offensive operations. The threat surface is real and expanding. Some of Anthropic’s research is genuinely interesting and the defensive value of tools like Mythos is real, even if the framing around them isn’t honest.

The problem isn’t that they’re lying. It’s that they’re selecting and framing real risks in ways that consistently serve their commercial positioning. The nuance which threats are material, which are speculative, who the realistic threat actors actually are and what they already have access to gets flattened every time. What’s left is a picture that makes the danger sound bigger and more diffuse than the evidence supports, and makes Anthropic and friends sound like the only adults in the room.

Meanwhile, GPT 5.5 probably already matches this with capability, but it’s landed quietly. The adversaries being invoked are likely running their own frontier models on sovereign infrastructure, using other commercial models completely indifferent to the model card that just shipped. That’s heart-attack marketing at its most refined. No antidote required. Just keep pulses elevated and the name front of mind, it’s a marketing masterclass. By the time anyone checks the Bugzilla commits, the positioning has already landed.

Resources: