Dear Secretary Lutnick and National Cyber Director Cairncross,

We, the undersigned executives and technical leaders from across the United States and its allies, write to you to ask you to lift the export control directives on Anthropic’s Fable and Mythos large language models and commit to an open, scientific and transparent process of handling AI risk assessments in the future.

First, we would like to state that we believe that:

• AI is having significant impacts on cybersecurity, including by greatly reducing the difficulty of finding flaws in software and writing exploits for those flaws.
• Anthropic’s Mythos-class models are quite good at finding flaws and weaponizing exploits.
• However, they are not uniquely good at these tasks, and many of the undersigned individuals regularly use other foundation and open-source models for security audits and red-teaming every day.
• Anthropic has built multiple protections into the Fable model to prevent its use for cyber offensive uses. These protections were so aggressive as to be the source of humor in the cyber community on launch day.
• It is essential to provide AI to coders and security teams so they can find and fix flaws in their own newly-written as well as decades of legacy code faster than our adversaries.
• The Chinese open-weight models are only months behind the best American models, and those are the models we know about. It seems likely that the PRC government has access to private capabilities beyond what has been published.
• To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous.

It is our understanding that underlying model capabilities in the original research that triggered this action:

• Were focused on determining whether a human-prompted section of code was insecure. This is a necessary capability in any model that is intended to write secure code and should not be considered an offensive capability.
• Can be replicated on GPT-5.5, Opus, Sonnet and even Chinese models like Kimi 2.7. The justification for this unprecedented action was that Fable provides a unique “uplift” of capabilities beyond other AI models, but AI has been finding bugs and generating working exploits at superhuman levels since last year.
• Anthropic is addressing the research. As security professionals, we recognize that our work does not lead to a simple end-state where a system is fully safe, and the purpose of research like this is to enable continuous improvement, not to ban the technology.

As a result, this action has taken the best models away from defenders, created market uncertainty, and risked America’s AI leadership without any real risk to justify it.

Not all of us agree that AI regulation is the right way forward. But if this Administration’s laudable goal of securing our nation’s critical infrastructure is going to include models being regulated, then the regulations should be:

1. Grounded in scientific evaluations developed with input from industry and academia;
2. Created through a democratic rule-making process;
3. Enforced transparently and fairly with appropriate time given to remediate; and
4. Used only to the minimal extent necessary to ensure the safety of the American public.

Thank you for your consideration and partnership in helping us maintain America’s lead in technology while protecting critical software and systems.

Signed,

Affiliations are included for reference only and do not indicate organizational endorsement.

• Alex StamosChief Product Officer, Corridor
• Feross AboukhadijehCEO, Socket
• Ben AdidaExecutive Director, VotingWorks
• Omkhar Arasaratnam
• James Nicholas AshworthAI Village
• Emily AustinPrincipal Security Researcher
• Megan BakerCISO, Georgian
• Kevin BankstonSenior AI Governance Advisor, Center for Democracy & Technology
• Andrew BechererCISO, Socket
• Manish Bhatt0-day Connoisseur, OWASP
• Christopher Bleckmann-DreherPrincipal Offensive Security, Mercedes-Benz
• JP BourgetCEO, Blue Cycle
• Aaron BrownHead of Security, Mercor
• Jack CableCEO & Co-founder, Corridor
• Jon CallasIndiana University
• Justin CalmusCISO
• Jeffrey CarusoAuthor and Researcher
• Jason ChanRetired CISO
• Anupam ChanderProfessor of Law and Technology, Georgetown
• Andrew CunjeCISO, Appian
• Dino A. Dai Zovi
• Sam Davison
• Drew DennisonCTO & Co-Founder
• Justin DollyChief Security Officer, Ory Corp
• Moona Ederveen-SchneiderFounder, Resilia Connect
• Casey John EllisFounder, disclose.io and Bugcrowd
• Gary EllisonFormer VP Trust and Product Security
• Chris EngCybersecurity Executive
• Maggie Engler
• Sergej EppMulti-CISO
• Gadi EvronFounder and CEO, Knostic
• Jaime FigueresPresident, Fundación Costarricense de Inteligencia Artificial Responsable (FAIR Costa Rica)
• Robert FlyCEO/Co-Founder, detections.ai
• Richard F. FornoTeaching Professor, UMBC
• Erick GalinkinAI Security Research Scientist, NVIDIA
• Harley Geiger
• Steve GentryCISO
• Daniel GoreckiCISO/Founder, NGC Risk
• Andy GrantHead of Security Assurance, Zoom
• Yael Grauer
• Matthew D. GreenAssociate Professor, Johns Hopkins University
• Joseph Lorenzo HallDistinguished Technologist, Internet Society
• Andrew HayCOO, Damovo
• Tyler HealyCISO, DigitalOcean
• Ariel Herbert-VossCEO, RunSybil
• Michael HicksCecilia Fitler Moore Professor and Director of the Schlein Center for Cybersecurity, University of Pennsylvania
• Christofer HoffCyber Security Executive
• Vlad IonescuCTO, RunSybil
• Dhillon KannabhiranFounder, Hack In The Box
• Eoin KearyCEO & Founder, Edgescan
• Jonathon KlobucarSecurity Engineer
• Benjamin KnaussCEO, Racter Holdings
• Mitja Kolsek0patch co-founder
• Martin KoopmanManaging Director, Aditat AI
• Madeline LawrenceCo-Founder, Aikido Security
• Nate LeeCEO/Founder, TrustMind and CloudsecAI
• Joe LevyCEO, Sophos
• Dan LorencCEO, Chainguard
• Mark LovelessSecurity Architect
• Greg MartinCEO of Ghost Security
• Ross MaticanInvestor, Halcyon Ventures
• Jack McGivneyCISO, Anaplan
• Sandra McLeodCISO, Zoom Communications
• Rich MogullAnalyst, Security Executive
• Katie MoussourisCEO, Luta Security
• Vinh NguyenFormer Chief Responsible AI Officer, National Security Agency
• T.C. (Theodore) NiedzialkowskiCISO, Head of Security & IT; former Opendoor, Nextdoor, Federal Reserve National Incident Response Team
• Charles NwatuSecurity Leader, GRC Engineering
• Efrain Orsini JrDirector of Security Operation & Deputy CISO, SilverSky
• Bryan PayneVP of Product & Software Security, Adobe
• John PetersonCTO, Sophos
• Niels ProvosSecurity Blueprints LLC
• Muralidharan RamachandranFounder & Strategic Advisor
• Ashwin RamaswamiCTO & Co-founder, Corridor
• Jason RebholzCEO, Evoke Security
• Gavin ReidCISO, Human Security
• Jonathan Reiter
• Mark RisherFmr. Head of Google Identity
• Olivia RoseCISO
• Jim RouthAdvisor
• Bob RudisDistinguished Engineer, Applied AI
• Dragos RuiuCanSecWest
• Chris SandulowCISO, Confluent
• Joshua SaxeCo-Founder, Abundant Security
• Cory ScottCenter for Cybersecurity and Privacy Protection, CSU|LAW; Former CISO
• Joshua ScottCISO, Hydrolix
• Ram Shankar Siva KumarAffiliate, Berkman Klein Center for Internet and Society at Harvard University
• Matthew SouthworthCSO, Priceline
• Eugene H. SpaffordDistinguished Professor, Purdue University
• Talha TariqChief Technology Officer (Security), Vercel
• Glenn ThorpeSr. Director – Applied AI, Intelligence
• Per ThorsheimFounder, PasswordsCon
• Rachel TobacCEO, SocialProof Security
• Emily VandewatervCISO, Elteni Cybersecurity Consulting
• John VillasenorProfessor of Electrical Engineering, Law, and Public Policy, UCLA
• Paul VixieInternet Pioneer
• Jason WaitsCISO, Inductive Automation
• Nancy WangVenture Partner, Felicis Ventures
• Tarah WheelerChief Security Officer, TPO Group
• Jeff WilliamsCISO, Sigma360
• Royce D. Williamspublic-interest technologist
• Dave WillnerCofounder, Zentropi
• Chris WysopalCo-founder, Veracode
• Josh YavorCEO, Credible Security