The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been employing Anthropic’s AI model Mythos to review government software code, according to three people familiar with the initiative. The model is being applied to scan code repositories for defects that could permit exploitation by foreign intelligence services or cybercriminals, the sources said.
Anthropic provided no comment on the project when contacted. A CISA spokesperson had said last month that they would look into whether there was information to share about the matter, but did not reply to subsequent follow-up messages, according to the sources.
One source identified the group performing the scans as CISA’s Attack Surface Evaluation team - a unit within the agency tasked with conducting digital security assessments and orchestrating hacking exercises across government systems. Two of the people who spoke about the work said the audits had already revealed a large number of vulnerabilities, but they did not provide details on the character or seriousness of those flaws.
The extent of the code reviewed so far and the precise nature of the bugs uncovered could not be independently confirmed. The sources did not specify how many repositories had been examined or whether any immediate remedial actions had been taken within the affected agencies.
Anthropic’s recent interactions with U.S. agencies
Anthropic, which has confidentially filed for a U.S. initial public offering, has experienced a rocky relationship with parts of the U.S. government. The ties deteriorated in February after the company declined to remove safeguards that block use of its technology for autonomous weapons or domestic surveillance. That decision prompted the Pentagon to apply a formal supply-chain risk designation to the company - a designation that has previously been reserved for foreign firms suspected of facilitating espionage.
That blacklisting action was later blocked by a judge in March, and tensions have eased following Anthropic’s private release of Mythos, which observers describe as highly capable at identifying and exploiting cybersecurity vulnerabilities.
The National Security Agency, the U.S. government’s signals intelligence agency, is reported to have used Mythos as early as April despite the prior supply-chain designation. Reports indicate that NSA analysts tested Mythos in classified settings and were impressed with the model’s performance, according to reporting cited by the sources.
When Anthropic made a public iteration of Mythos available under the name Fable - including what the company described as cybersecurity safeguards - the White House reportedly demanded that the model be restricted so that foreigners could not run it. That demand led to a global shutdown of the model that was lifted only last week.
The NSA and the White House did not immediately respond to requests for comment on these developments.
What is known and what remains unclear
Available information confirms that CISA is using Mythos to probe government code and that its Attack Surface Evaluation team is carrying out these scans. Sources say the audits have uncovered numerous vulnerabilities, but specifics such as the scope of the review, the severity of discovered bugs, and any subsequent mitigation steps have not been disclosed. Anthropic and CISA declined to provide further public details.