CISA Reportedly Uses Anthropic Mythos to Scan Government Software for Flaws

Related

OpenAI Reportedly Secures U.S. Clearance to Launch GPT-5.6

What happened OpenAI has reportedly received approval from the U.S....

Alibaba to Ban Claude Code Over Alleged Backdoor Risks

What happened Alibaba is reportedly preparing to ban Anthropic’s Claude...

Anthropic to Restore Claude Fable Access After Export Controls Lifted

What happened Anthropic said it will begin restoring access to...

Share

What happened

CISA is reportedly using Anthropic’s Mythos AI model to scan federal government software for security vulnerabilities. The effort is focused on reviewing code repositories across federal agencies so security teams can identify and patch flaws before they are exploited by foreign intelligence services or cybercriminals.

The audits are reportedly being led by CISA’s Attack Surface Evaluation team, which conducts digital defense assessments and simulated hacking exercises across federal environments. The AI-driven initiative has already found a large number of software vulnerabilities, though details about the severity of the flaws, the affected agencies, and the amount of software reviewed have not been disclosed.

Neither CISA nor Anthropic provided formal on-the-record comments about the reported operation. The NSA is also believed to be using Mythos in its own work, and a U.S. official recently said one of Anthropic’s AI models identified vulnerabilities in sensitive government systems during a testing exercise.

The reported use of Mythos comes after earlier tensions between Anthropic and federal officials over restrictions on how its models could be used. The company had resisted demands to remove safeguards limiting use for autonomous weaponry or domestic surveillance, and the Pentagon later designated Anthropic as a supply-chain risk. Even with that tension, federal use of the model appears to be expanding in vulnerability discovery and software assurance work.

Who is affected

Federal agencies are directly affected because the reported audits involve government code repositories and software systems.

CISA teams, agency security teams, and software owners may also be affected as AI-assisted reviews identify vulnerabilities that need triage, validation, prioritization, and remediation.

Government contractors and vendors may face downstream impact if vulnerabilities are found in software they built, maintain, or support for federal agencies.

Why CISOs should care

This shows how AI models are moving from advisory use into active vulnerability discovery. Security teams are no longer using AI only to summarize alerts or draft reports; they are beginning to apply it directly to source code review and software assurance.

For CISOs, the key issue is validation. AI may accelerate discovery, but findings still need human review, exploitability assessment, prioritization, and secure remediation before they become actionable security outcomes.

The government context also matters because federal adoption can influence enterprise expectations. If agencies begin using frontier AI for large-scale code review, private-sector organizations may face pressure to evaluate similar tooling for their own software risk programs.

The reported tension around Anthropic also highlights a governance challenge. CISOs must balance the security value of powerful AI models against supply-chain concerns, usage restrictions, data exposure, and vendor trust.

3 practical actions

  1. Pilot AI-assisted code review with human validation: AI can help identify flaws at scale, but security teams should require expert review before treating findings as confirmed vulnerabilities.
  2. Define data handling rules for AI security tools: CISOs should decide which repositories, secrets, regulated data, and sensitive systems can be analyzed by AI models, and under what deployment or access conditions.
  3. Prepare vulnerability triage capacity: AI scanning may produce a large volume of findings. Organizations should strengthen workflows for severity review, ownership assignment, remediation tracking, and verification of fixes.

Read more about AI in cybersecurity:

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.