Accepted into Anthropic's Cyber Verification Program
I’m sharing some news that’s worth more than a single-line announcement.
As the founder of RTA Labs, I’ve been accepted into Anthropic’s Cyber Verification Program (CVP) — enabling verified access to Claude’s full dual-use capabilities for legitimate defensive security work: vulnerability research, exploitability analysis, offensive security tooling for authorized testing, and the wider set of practitioner workflows that frontier models are increasingly expected to support.
What the CVP Is
Anthropic has rolled out real-time cyber safeguards on its most capable models. Those safeguards split the request space into two categories:
- Prohibited use — activities with no legitimate defensive application (mass data exfiltration, ransomware development). Blocked by default. Not adjustable.
- High-risk dual use — activities with clear defensive purpose that overlap with attacker techniques (vulnerability exploitation, offensive tooling, adversarial simulation). Blocked by default unless the practitioner is verified through the CVP.
A scanner can flag that a function looks suspicious. Confirming whether it’s actually exploitable in context requires reasoning about how an attacker would reach and leverage it — exactly the kind of work default safeguards restrict. Without verified access, defenders run into guardrails that were never written with them in mind.
Why the Timing Matters
This is arriving at a moment when who gets to use frontier AI for cybersecurity has stopped being theoretical.
In June, Anthropic released Claude Fable 5 and Mythos 5 — Mythos-class models with state-of-the-art cyber capability. Within days, both were taken offline under a US government export-control directive citing national security concerns. Anthropic complied while publicly arguing the cited jailbreak was narrow and non-universal. Dozens of practitioners signed an open letter calling for access to be restored. The dispute is ongoing.
The deeper point: frontier-model access for security work is now a strategic question, not a feature question. Programs like the CVP — verified, scoped, accountable — are among the cleaner answers we’ve seen to that tension.
The Indian Context
For Indian security teams, this matters acutely.
The Digital Personal Data Protection Act, 2023 is now in active enforcement. CERT-In’s six-hour incident reporting mandate has been operational for years. India’s MSME and BFSI sectors are absorbing AI-assisted development at speed, often without the security tooling to match. And Indian organizations are not part of Anthropic’s Project Glasswing partnership — meaning the most advanced model-driven vulnerability discovery is, for now, predominantly a US and select-Western capability.
That creates an asymmetry. Adversaries don’t wait for regulatory clarity. Defenders need access to comparable reasoning capability — under verified, accountable terms — to keep pace with what attackers will soon have anyway, with or without permission.
Operating inside the CVP framework is one part of how Indian-built security tooling stays at the frontier rather than perpetually one cycle behind.
What This Changes for the Work Ahead
Verified access changes three things concretely for what I’m building at RTA Labs:
- Exploitability reasoning. When a scan surfaces a finding, the right next question is “is this exploitable in context?” Verified access enables frontier reasoning on that question without working around guardrails.
- Building defensive tooling without friction. Adversarial simulation, exploit-path reasoning, red-team scenario generation — much of this lives in the dual-use category. Building tools that do this work well requires models that engage with the reasoning rather than refusing it.
- Alignment with where the industry is going. Verified, scoped, accountable access is the direction the industry will increasingly move. Operating inside that framework from the start is part of being a serious participant.
The next step on the platform side is organizational and Platform-level CVP verification for RTA Labs as we move tooling into customer environments — work that’s already in motion.
The Posture We Operate From
All complex systems drift toward disorder. The defender’s job is to restore order faster than entropy can degrade it. Frontier models can compress every step of that loop — finding, verifying, fixing — but only when defenders have calibrated access to the work.
Access without responsibility is reckless. Restriction without nuance is corrosive. The CVP is a serious attempt at the middle path, and I’m glad to be operating inside it.
If you’re a security team, auditor, or developer working in AI-assisted environments — particularly under DPDP, CERT-In, or sectoral compliance regimes — I’d like to talk.
Visit rtalabs.in to get in touch.
— Shashank Vivek, Founder, Rta Labs
RTA Labs builds systems that bring structure and trust to complex AI environments. Order. Truth. Trust.