CISA uses Anthropic Mythos AI to find bugs in government code
CISA is using Anthropic's Mythos AI to audit government software for security flaws, aiming to find bugs exploitable by foreign spies. The initiative follows a dispute between Anthropic and the Trump administration over safeguards. The NSA has also tested the model.

*this image is generated using AI for illustrative purposes only.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is using Anthropic's AI model Mythos to audit government software for potential security flaws, three people familiar with the matter said. The initiative aims to scan government code repositories for bugs that could be exploited by foreign spies and cybercriminals, highlighting the agency's growing interest in leveraging advanced AI tools for cybersecurity defense.
CISA's Attack Surface Evaluation team is conducting the scanning, according to one source. This unit specializes in digital security assessments and hacking exercises across government infrastructure. Two sources indicated that the audits have already uncovered a large number of vulnerabilities, though specific details regarding the nature, severity, or volume of code scanned were not disclosed.
The reported deployment comes after a turbulent period in Anthropic's relationship with the U.S. government. Tensions escalated earlier this year after the San Francisco-based AI startup reportedly refused to remove safeguards designed to prevent its models from being used for autonomous weapons or domestic surveillance. The dispute led the Pentagon to designate Anthropic as a supply-chain risk, although a federal judge later blocked that designation. Relations have since improved following the private release of Mythos, an AI model reportedly built with advanced cybersecurity capabilities.
Government interest in Mythos appears to extend beyond CISA. The National Security Agency (NSA) has also utilized Mythos, despite existing government blacklists. Previous reports said NSA analysts tested Mythos in classified environments and were impressed with its cybersecurity performance. Anthropic later released a public version of the model called Fable with cybersecurity safeguards. The White House reportedly pushed the company to block foreign access to the model, triggering a temporary global shutdown that was lifted last week.
Anthropic did not respond to inquiries about the specific initiative with CISA. A representative for CISA previously stated they would look into the matter but has not provided further comments. The adoption of AI models for critical security audits underscores a shift in federal cybersecurity strategies, aiming to proactively identify and mitigate risks in government software systems.
How will the discovery of vulnerabilities by Mythos influence future budget allocations for AI-driven cybersecurity tools across federal agencies?
Will the successful use of Anthropic's models prompt the Pentagon to reconsider its previous designation of the company as a supply-chain risk?
What legislative frameworks might emerge to regulate the balance between AI safety safeguards and national security requirements?






























