The Cybersecurity and Infrastructure Security Agency (CISA) is using Anthropic's AI model Mythos to audit government software for security flaws, three people familiar with the matter said. The move signals growing government appetite for advanced AI tools in defensive cybersecurity, even as Anthropic navigates a high-profile clash with the White House over safety constraints.
The scanning is led by CISA's Attack Surface Evaluation team, a unit that conducts digital security assessments and hacking exercises across the federal government. Two of the sources said the audits have already uncovered a large number of vulnerabilities, though they did not detail the volume, nature, or severity of the bugs found. CISA and Anthropic did not respond to requests for comment.
Widespread vulnerability discovery
The operation shows how quickly agencies are moving to embed AI into security workflows. The Attack Surface Evaluation team routinely probes government code for weaknesses that foreign spies or cybercriminals could exploit, and adding Mythos aims to accelerate that work. Government cybersecurity professionals should expect AI-augmented auditing to become standard practice, and structured training can help teams adapt. An AI Learning Path for Cybersecurity Analysts covers methods for applying machine learning to vulnerability detection and threat hunting.
Anthropic's rocky government relationship
The CISA engagement comes despite months of friction between Anthropic and the U.S. government. In February, the Pentagon gave the company a supply-chain risk designation after it refused to remove AI safeguards that prevent use in autonomous weapons or domestic surveillance. A judge blocked the blacklisting in March, and tensions eased following the private release of Mythos, which security officials say excels at finding and exploiting cybersecurity vulnerabilities. The National Security Agency has been using Mythos since at least April, Axios has reported, and the New York Times said NSA analysts tested the model in classified settings and were impressed. Last week, the White House quietly lifted a global shutdown of Fable - the public version of Mythos - after demanding that Anthropic ban foreign users from running it.
Why this matters for government
The CISA deployment marks a shift from experimentation to operational use for AI-driven code auditing. Adversaries probe federal networks constantly, and the sheer volume of government code makes manual review insufficient. Tools like Mythos can dramatically reduce the time needed to identify critical flaws, though they also raise questions about procurement, compliance, and workforce realignment. Technology leaders in government should track how these tools are evaluated and approved, because the precedent will influence AI policy across agencies. For ongoing analysis of public-sector AI adoption, the AI for Government resource hub offers updates on new use cases and training priorities.
Your membership also unlocks: