The US cyber agency is reportedly utilizing Anthropic’s Mythos to review government code, according to sources.
A federal defender is reportedly utilizing a private, offensive-grade AI model against the government’s own software, although little is officially documented about this effort. The US Cybersecurity and Infrastructure Security Agency (CISA) is employing Anthropic's AI model, Mythos, to identify bugs in government software, according to three sources familiar with the situation who spoke to Reuters. This arrangement, initially reported on July 6, exemplifies Washington’s ongoing interest in the startup's tools despite a contentious standoff with the White House.
Mythos is the same model that allegedly uncovered vulnerabilities in classified US systems during a previous government evaluation, and its entry into federal use has faced numerous challenges. It arrives at CISA at a time when Anthropic and the administration are still in disagreement over who can operate it. The sources indicated that CISA is utilizing Mythos to assess government code repositories for weaknesses that might allow foreign spies or cybercriminals to infiltrate.
The agency’s Attack Surface Evaluation team is conducting the scanning, according to one individual, and this unit performs digital security assessments and hacking exercises across the government. Two of the sources told Reuters that the audits had already identified a significant number of vulnerabilities, although no further details were provided. Reuters could not determine the amount of code reviewed or the nature and severity of the identified bugs.
Anthropic did not reply to inquiries about the initiative, and a CISA representative stated last month that he would confirm whether there was information to share but then did not follow up. No operational details have been officially verified. Every assertion regarding CISA's use of Mythos relies on unnamed sources, and both the agency and the company have declined to comment on the work, which should be considered reported rather than conclusively established.
What is more certain is the model itself. Anthropic has been promoting Mythos in 2026 as part of its cybersecurity initiative called Project Glasswing, claiming it is exceptionally good at detecting software flaws, and has expanded access to 150 organizations across over 15 countries. The company, which has filed confidentially for a US initial public offering, characterizes Mythos as highly effective at both identifying and exploiting vulnerabilities.
This dual-use capability has strained relations with Washington. Tensions reached a low in February when the San Francisco firm declined to remove protections preventing its AI from being used for autonomous weapons or domestic surveillance. The Pentagon responded by designating the company with a formal supply-chain risk status, a classification usually applied to foreign firms suspected of facilitating espionage. A judge halted the blacklisting in March.
Relations improved with the advent of Mythos. Axios reported in April that the NSA had been employing the model despite the Pentagon's prohibition, and the New York Times subsequently noted that NSA analysts who evaluated it in classified environments were favorably impressed. However, when Anthropic released a public version called Fable, the White House unexpectedly demanded that it restrict foreign use, resulting in a global halt of both models that was only lifted last week.
The situation has noteworthy implications. An agency tasked with safeguarding government networks is now relying on a private model from a firm the Pentagon had recently classified as a security threat to analyze the government’s own code. Whether this reflects pragmatic decision-making or overreach may depend on the actual findings of the audits, which neither CISA nor Anthropic has disclosed.
Currently, the details remain vague. There is no public record indicating which systems have been examined, how findings are prioritized, or what actions are taken regarding vulnerabilities once Mythos identifies them. Competitors are also exploring similar territory, with OpenAI presenting its own cyber-defense model as an alternative. What is evident is that the government's use of offensive-grade AI for defense purposes is already in progress, regardless of the administrative formalities.
Other articles
The US cyber agency is reportedly utilizing Anthropic’s Mythos to review government code, according to sources.
According to sources, CISA is allegedly utilizing Anthropic's Mythos AI to examine government code for vulnerabilities, several months after a conflict with the White House.
