Blog

July 9, 2026

We Joined Anthropic’s Cyber Verification Program. Here’s Why It Matters in the Post-Mythos Era.

Copied to clipboard!

Updated On

July 9, 2026

Illustration of a purple gargoyle crouched at the base of a stone path. An ornate path streams above, led by a star, signifying the gap between discovery and the fix.
Anthropic’s Cyber Verification Program (CVP) is a vetting process that unlocks frontier AI models for legitimate dual-use defensive work – exploitation analysis, adversarial simulation, and threat modeling  – that the models block by default. Mitiga joined so it can apply that reasoning to make its Agentic Runtime Security detections, powered by Helios AIDR, sharper against attacks that move at machine speed.

AI compresses the attacker's timeline. The defenders who can keep up are the ones who can reason about attacks the same way attackers do. That's the premise behind Anthropic’s Cyber Verification Program, and I’m happy to share that Mitiga is now part of it.

This kind of verification goes beyond a logo for our website. It’s also a signal about how we build and about a problem the whole industry now thinks about.

What the Cyber Verification Program is, in plain terms

Frontier AI models – the largest, most capable general-purpose AI systems, like Claude or GPT – are extraordinary at cybersecurity reasoning. That’s both a problem and an opportunity because the same skill that helps a defender find a flaw helps an attacker weaponize it. So Anthropic does something sensible. By default, they block their most capable models from doing the most dangerous cyber work.

A lot of legitimate defensive work looks, on the surface, exactly like offensive work. To build good detections, you have to understand how an attacker would exploit a weakness. To stop data exfiltration, you have to study how exfiltration happens. Ask Claude or GPT out of the box to reason through that, and it will often refuse, since it can't tell your intent from an attacker's.

The Cyber Verification Program (CVP) is how Anthropic solves that issue. Think of it as a background check for defenders. There are two buckets of restricted activity:

Bucket 1: Things with no legitimate use – ransomware code, mass data theft – which stay blocked for everyone, forever

Bucket 2: “Dual-use” activities – exploitation analysis, adversarial simulation, threat modeling – which are blocked by default but can be unlocked for organizations that apply, prove a genuine defensive purpose, and pass Anthropic’s review.

Get verified, and the model stops getting in the way of the legitimate work your organization and platform needs to do. The dangerous stuff stays locked regardless. That’s the whole idea: let the defenders work at full capability, without handing the same power to everyone.

For Mitiga, that means we can apply Claude’s full reasoning to the hard, attacker-minded work that makes Agentic Runtime Security sharper without fighting the guardrails every step of the way.

Why this matters now: the patch window went negative

To understand why we cared enough to apply, look at what’s happened to the math of defense.

For most of the last decade, defenders had time. A vulnerability got disclosed, and you had weeks, sometimes months, before an exploit appeared in the wild. That cushion is gone. AI compressed the attacker’s workflow from months to hours, and the numbers have moved fast.

The exploit window, by the numbers:

EDR vs. Agentic Runtime Security
Dimension EDR (Endpoint Detection & Response) Agentic Runtime Security
Primary surface Endpoints — laptops, servers, workloads Everything else — cloud, SaaS, identity, AI, and third-party services
Where the signal comes from An agent inside the operating system The audit trail each platform emits — log-based, no agent in the workload
What it detects Known-bad files, processes, and host behavior Behavioral, indicator-of-attack signals: compromised credentials, lateral movement, and data exfiltration as they happen
Identity & AI coverage Human users on managed devices Non-human and machine identities — chatbots, copilots, autonomous agents, OAuth apps, API tokens
Response Isolate or remediate the host Revoke sessions, quarantine identities, block API calls mid-attack — fast and reversible
Data foundation Endpoint agent telemetry Long-horizon, forensic-grade distributed data lake across every domain

A negative time-to-exploit means the exploit beats the fix. There is no version of “patch faster” that wins a race that’s already lost before it starts. And it gets worse for the defender. The patch itself has become a roadmap. The moment a fix goes public, an attacker – or an AI attacker – knows exactly what changed and where to look. The thing meant to protect you now accelerates the attack against you.

What the rest of the industry says

We’re not the only ones who saw this coming. A wave of security vendors have joined the CVP, and their reasoning points in the same direction. Cycode: securing the modern attack surface “requires AI that can think the way attackers do.” MIND, the data-security company, is using verified access to study how sensitive data actually gets targeted, so their detection gets sharper.

Zafran framed the stakes most directly: “The gap between attacker AI and defender AI is closing. Defenders need to close it first.” I agree, but I'd argue there's a second move most of this conversation is missing.

Find-and-fix is necessary but not sufficient

Most of the energy around AI in security, including a lot of the CVP work, is aimed at finding and fixing vulnerabilities faster: scanning more surface area, triaging exploitability, and generating patches. That work matters, and we should all do more of it.

The stats, however, indicate we must go further. And faster. When exploitation happens before the patch exists, finding and fixing faster cannot, by itself, close the gap. This is a cost curve problem rather than a resourcing or urgency problem. AI made attacking dramatically cheaper before it made defending cheaper, and that gap doesn't close by working harder on the same playbook.

So what do you do when the window can’t be closed in time? You need a compensating control – something watching that open window, ready to detect and stop whatever comes through it, in runtime. This is the heart of how we think at Mitiga, and it’s the foundation of Agentic Runtime Security: the assumption that some exposure will always be open longer than you’d like and that the job is to anticipate, detect, interrupt, and stop the attack before it reaches the business. In other words, the gap is now the strategy.

Even Anthropic’s own guidance arrives here. Their advice to defenders isn’t only “patch faster,” it’s also “keep comprehensive logs for detection and response,” because security can’t depend on any single fix landing in time and your logs are the only ground truth across your cloud, SaaS, identity, AI, and third-party services.

On a purple background, a geometric design of a brain accesses new capabilities via a door and node.

Why the CVP matters specifically to Mitiga

To build a compensating control for AI-era attacks, you have to understand AI-era attacks at the same depth the attackers do. They know exactly how attackers reason exploits, how exfiltration patterns form, and how an adversary chains a foothold across today’s modern infrastructure. That is precisely the dual-use reasoning that the Cyber Verification Program unlocks.

We didn’t join the CVP to scan code a little faster. We joined it to build and continuously improve detections against real attacker tradecraft at the speed models run rather than the speed analysts do – so our runtime defense stays ahead of an adversary that now operates at machine speed across the entire attack surface. Verified access makes the runtime layer smarter than the threats it is designed to stop.

The bottom line

The post-Mythos era loudly proclaims that prevention alone is over. When the exploit beats the patch and the patch becomes the attacker’s map, you can’t prevent your way to safety. You need to assume the attacker gets a foothold and make sure it never results in business impact.

CVP helps us build toward that goal, and it’s what Agentic Runtime Security is for. Attackers may get in. Impact doesn’t have to. That’s Zero-Impact Breach Prevention, in runtime.

And to the AI-speed adversaries eyeing everything beyond the endpoint: Let them come.

Frequently asked questions

What is Anthropic’s Cyber Verification Program (CVP)?

It’s a vetting process from Anthropic that unlocks its most capable AI models for legitimate, dual-use defensive work — the kind the models refuse by default because, on the surface, it looks like offense. Organizations apply, prove a genuine defensive purpose, and pass Anthropic’s review; verified teams can then use full model reasoning for that work, while activities with no legitimate use, like ransomware code or mass data theft, stay blocked for everyone.

What are “dual-use” cyber activities, and why are they blocked by default?

Dual-use activities — exploitation analysis, adversarial simulation, threat modeling — help defenders and attackers about equally, so frontier models block them by default rather than guess your intent. The CVP is how a verified defender unlocks that reasoning without handing the same capability to everyone.

What does a negative time-to-exploit mean?

It means the average exploit now appears before the patch does. Google’s M-Trends 2026 puts mean time-to-exploit for newly disclosed vulnerabilities at roughly −7 days; in 2018, defenders had about 63 days. When the window is negative, “patch faster” can’t win the race, because the race is lost before it starts.

Why can’t “patch faster” close the AI-era exploit gap?

Because AI made attacking cheaper before it made defending cheaper — a cost-curve problem, not an effort problem. When exploitation beats the patch, and the patch itself hands attackers a map of what changed, finding and fixing faster can’t close the gap on its own. You also need a runtime control watching the exposure that’s still open.

How does Agentic Runtime Security act as a compensating control?

It assumes some exposure will always stay open longer than you’d like, and watches for what comes through it — anticipating, detecting, interrupting, and stopping an attack across cloud, SaaS, identity, AI, and third-party services before it reaches the business. That makes it the compensating control for the window “patch faster” can’t close.

Does verified AI access make Mitiga’s detections better?

Yes. Verified access lets Mitiga apply full frontier-model reasoning to real attacker tradecraft — how exploits get reasoned, how exfiltration forms, how a foothold gets chained — and feed those gains into Helios AIDR, the engine behind its Agentic Runtime Security. The detections improve at the speed models run, not the speed analysts do.

Related posts

EDR protects your endpoints. See what protects everything else.

Across cloud, SaaS, identity, third-party services, and AI – stopping attacks before they reach the business.

To see it in action, request a demo.

Mitiga

Let them come

No one can prevent attacks – but we can prevent their impact.Our Zero‑Impact platform unifies security across cloud, SaaS, AI, and identity.

Don't miss these stories