CISA uses Anthropic's Mythos to audit government code for vulnerabilities, sources say

CISA is using Anthropic's Mythos AI to audit government software for security flaws. The audits have already uncovered a large number of vulnerabilities, sources say.

Categorized in: AI News Government
Published on: Jul 07, 2026
CISA uses Anthropic's Mythos to audit government code for vulnerabilities, sources say

The Cybersecurity and Infrastructure Security Agency (CISA) is using Anthropic's AI model Mythos to audit government software for security flaws, three people familiar with the matter said. The move signals growing government appetite for advanced AI tools in defensive cybersecurity, even as Anthropic navigates a high-profile clash with the White House over safety constraints.

The scanning is led by CISA's Attack Surface Evaluation team, a unit that conducts digital security assessments and hacking exercises across the federal government. Two of the sources said the audits have already uncovered a large number of vulnerabilities, though they did not detail the volume, nature, or severity of the bugs found. CISA and Anthropic did not respond to requests for comment.

Widespread vulnerability discovery

The operation shows how quickly agencies are moving to embed AI into security workflows. The Attack Surface Evaluation team routinely probes government code for weaknesses that foreign spies or cybercriminals could exploit, and adding Mythos aims to accelerate that work. Government cybersecurity professionals should expect AI-augmented auditing to become standard practice, and structured training can help teams adapt. An AI Learning Path for Cybersecurity Analysts covers methods for applying machine learning to vulnerability detection and threat hunting.

Anthropic's rocky government relationship

The CISA engagement comes despite months of friction between Anthropic and the U.S. government. In February, the Pentagon gave the company a supply-chain risk designation after it refused to remove AI safeguards that prevent use in autonomous weapons or domestic surveillance. A judge blocked the blacklisting in March, and tensions eased following the private release of Mythos, which security officials say excels at finding and exploiting cybersecurity vulnerabilities. The National Security Agency has been using Mythos since at least April, Axios has reported, and the New York Times said NSA analysts tested the model in classified settings and were impressed. Last week, the White House quietly lifted a global shutdown of Fable - the public version of Mythos - after demanding that Anthropic ban foreign users from running it.

Why this matters for government

The CISA deployment marks a shift from experimentation to operational use for AI-driven code auditing. Adversaries probe federal networks constantly, and the sheer volume of government code makes manual review insufficient. Tools like Mythos can dramatically reduce the time needed to identify critical flaws, though they also raise questions about procurement, compliance, and workforce realignment. Technology leaders in government should track how these tools are evaluated and approved, because the precedent will influence AI policy across agencies. For ongoing analysis of public-sector AI adoption, the AI for Government resource hub offers updates on new use cases and training priorities.


Get Daily AI News

Your membership also unlocks:

700+ AI Courses
700+ Certifications
Personalized AI Learning Plan
6500+ AI Tools (no Ads)
Daily AI News by job industry (no Ads)