CISA deploys Anthropic's Mythos AI to scan U.S. government code for vulnerabilities

CISA is using Anthropic's Mythos AI to scan federal code for vulnerabilities. The NSA found the model breached classified systems in hours, not weeks.

Categorized in: AI News Government
Published on: Jul 08, 2026
CISA deploys Anthropic's Mythos AI to scan U.S. government code for vulnerabilities

The Cybersecurity and Infrastructure Security Agency is running Anthropic's Mythos AI model against federal code repositories to find vulnerabilities before foreign intelligence services and criminal groups can exploit them, three sources familiar with the matter told Reuters. The operation has already uncovered a large number of security flaws, according to two of the sources, though the exact scope and severity remain undisclosed.

The operation is run by CISA's Attack Surface Evaluation team, a unit that conducts security assessments and simulated attacks across the federal government. Neither CISA nor Anthropic commented on the record. A CISA representative said last month he would check whether there was anything to share, then stopped responding.

Mythos is Anthropic's most capable model and is not available through a standard subscription. When Anthropic privately released it to select government partners, the company described it as exceptionally capable at finding and exploiting security vulnerabilities. The NSA has been using the same model since at least April, according to Axios, and analysts testing it in classified settings came away impressed.

From blacklist to deployment in under five months

The company's relationship with the U.S. government turned hostile in February when Anthropic refused to remove safeguards that prevented Mythos from being used for autonomous weapons or domestic surveillance. The Pentagon responded by designating Anthropic as a supply-chain security risk - a label previously applied only to foreign companies suspected of facilitating espionage. It was an extraordinary move against a domestic company.

A federal judge blocked the blacklisting in March. Relations began thawing after that, and the CISA deployment shows how much the dynamic has shifted. Giving the government access to the most capable version of the tool appears to have done more to repair the relationship than negotiation did. Anthropic has confidentially filed for a U.S. IPO, and having CISA, the NSA, and potentially other agencies actively deploying its most capable model puts the company in a materially different position than being on a Pentagon blacklist.

Two versions, two responses

When Anthropic launched Fable in early June - described as a public version of Mythos with cybersecurity safeguards added - the White House responded by demanding that the company ban foreign nationals from running it. That demand triggered a global shutdown of the model. It was lifted only last week, after what Reuters described as a standoff that illustrated how differently the administration treats private and public deployments of the same underlying technology.

The pattern is now clear: Mythos in government hands, scanning classified systems and federal code, gets quiet approval and active deployment. Mythos in public hands, accessible to anyone including foreign users, immediately triggers national security concerns and regulatory pressure. The rapid adoption of Mythos across multiple agencies highlights the growing role of AI for Government cybersecurity operations, where tool access and deployment decisions carry consequences that commercial deployments do not.

Hours, not weeks

Senator Mark Warner, vice-chair of the Senate Intelligence Committee, said on June 11 that General Joshua Rudd, who leads both the NSA and U.S. Cyber Command, told him directly that Mythos had breached nearly all classified systems managed by both agencies. The timeline was what made the disclosure land.

"Mythos 'broke into almost all of our classified systems, not in weeks, but in hours,'" Warner said, relaying General Rudd's account, according to The Economist. A late-June AP report added that a U.S. official said Mythos had identified vulnerabilities in highly sensitive government systems during a testing exercise - exactly the kind of result that makes agencies want to expand the program rather than wind it down.

The shift toward AI-powered vulnerability detection is reshaping the AI Learning Path for Cybersecurity Analysts across federal agencies, as tools capable of finding and exploiting flaws at machine speed become part of operational reality.

Why this matters for government professionals

This deployment is not a pilot program or a vendor proof-of-concept. It is an active, operational use of a frontier AI model inside federal systems, run by a unit that conducts real security assessments. For government cybersecurity staff, that means the output of these scans will land on desks - vulnerability reports generated at a speed and scale that manual code review cannot match. The NSA breach timeline - hours, not weeks - resets expectations for how fast adversaries armed with similar tools could move. Traditional patch cycles and vulnerability management timelines look slow against that benchmark.


Get Daily AI News

Your membership also unlocks:

700+ AI Courses
700+ Certifications
Personalized AI Learning Plan
6500+ AI Tools (no Ads)
Daily AI News by job industry (no Ads)