World July 6, 2026 04:10 PM

U.S. Cyber Agency Deploys Anthropic’s Mythos to Scan Government Code, Sources Say

CISA team reportedly using AI model to identify vulnerabilities as Anthropic navigates tensions with the White House

By Hana Yamamoto
Share
Twitter Reddit Facebook LinkedIn

Three individuals familiar with the matter say the Cybersecurity and Infrastructure Security Agency (CISA) has been using Anthropic’s AI model Mythos to examine government software repositories for security flaws. The work is reportedly conducted by CISA’s Attack Surface Evaluation team and has uncovered numerous vulnerabilities, while the broader relationship between Anthropic and U.S. government agencies remains strained amid legal and policy disputes.

U.S. Cyber Agency Deploys Anthropic’s Mythos to Scan Government Code, Sources Say
Summarize with
ChatGPT Perplexity Claude Grok Gemini

Key Points

  • CISA is reportedly using Anthropic’s Mythos to scan government code repositories for bugs - impacts government IT and cybersecurity sectors.
  • The scanning work is attributed to CISA’s Attack Surface Evaluation team, which conducts assessments and simulated attacks across government systems - impacts public sector security operations.
  • Sources say the audits have found a large number of vulnerabilities, though the exact scope and severity of those findings remain unspecified - impacts risk assessment and incident response functions.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been employing Anthropic’s AI model Mythos to review government software code, according to three people familiar with the initiative. The model is being applied to scan code repositories for defects that could permit exploitation by foreign intelligence services or cybercriminals, the sources said.

Anthropic provided no comment on the project when contacted. A CISA spokesperson had said last month that they would look into whether there was information to share about the matter, but did not reply to subsequent follow-up messages, according to the sources.

One source identified the group performing the scans as CISA’s Attack Surface Evaluation team - a unit within the agency tasked with conducting digital security assessments and orchestrating hacking exercises across government systems. Two of the people who spoke about the work said the audits had already revealed a large number of vulnerabilities, but they did not provide details on the character or seriousness of those flaws.

The extent of the code reviewed so far and the precise nature of the bugs uncovered could not be independently confirmed. The sources did not specify how many repositories had been examined or whether any immediate remedial actions had been taken within the affected agencies.


Anthropic’s recent interactions with U.S. agencies

Anthropic, which has confidentially filed for a U.S. initial public offering, has experienced a rocky relationship with parts of the U.S. government. The ties deteriorated in February after the company declined to remove safeguards that block use of its technology for autonomous weapons or domestic surveillance. That decision prompted the Pentagon to apply a formal supply-chain risk designation to the company - a designation that has previously been reserved for foreign firms suspected of facilitating espionage.

That blacklisting action was later blocked by a judge in March, and tensions have eased following Anthropic’s private release of Mythos, which observers describe as highly capable at identifying and exploiting cybersecurity vulnerabilities.

The National Security Agency, the U.S. government’s signals intelligence agency, is reported to have used Mythos as early as April despite the prior supply-chain designation. Reports indicate that NSA analysts tested Mythos in classified settings and were impressed with the model’s performance, according to reporting cited by the sources.

When Anthropic made a public iteration of Mythos available under the name Fable - including what the company described as cybersecurity safeguards - the White House reportedly demanded that the model be restricted so that foreigners could not run it. That demand led to a global shutdown of the model that was lifted only last week.

The NSA and the White House did not immediately respond to requests for comment on these developments.


What is known and what remains unclear

Available information confirms that CISA is using Mythos to probe government code and that its Attack Surface Evaluation team is carrying out these scans. Sources say the audits have uncovered numerous vulnerabilities, but specifics such as the scope of the review, the severity of discovered bugs, and any subsequent mitigation steps have not been disclosed. Anthropic and CISA declined to provide further public details.

Risks

  • Limited public detail on the scope and severity of vulnerabilities discovered creates uncertainty for agencies and markets reliant on federal IT stability - impacts government IT and cybersecurity vendors.
  • Ongoing tensions between Anthropic and U.S. government bodies, including prior supply-chain risk designation and White House restrictions, introduce regulatory and procurement uncertainty - impacts AI suppliers and defense contractors.
  • Partial or temporary model shutdowns and access restrictions - such as those invoked for the public Fable release - could disrupt continuity of AI-assisted security workflows for agencies and external partners.

More from World

Venezuela Toll Climbs to 3,535 as Thousands Remain Displaced After Twin Quakes Jul 6, 2026 Mbappe Condemns Paraguayan Senator After Racist Attack Following France Win Jul 6, 2026 Balogun’s World Cup Moment Places U.S. Citizenship Debate in the Spotlight Jul 6, 2026 Trump Says Talks Are Bringing Ukraine War Resolution Closer Than Expected Jul 6, 2026 U.N. Group Deems Detention of Gaza Doctor Arbitrary, Seeks Immediate Release Jul 6, 2026