CISA Uses Anthropic’s Mythos to Scan Federal Software

CISA is using Anthropic’s Mythos AI to scan federal software for vulnerabilities; its Attack Surface Evaluation team has reported finding a large number of flaws.

The Cybersecurity and Infrastructure Security Agency is using Anthropic’s Mythos AI to scan code repositories across multiple federal agencies for security vulnerabilities. The program is led by CISA’s Attack Surface Evaluation team and began in recent months, according to three people familiar with the effort.

Those people described the audits as having uncovered a “large number” of flaws. Officials have not released details on severity, which agencies were affected, or how much code was reviewed. CISA and Anthropic declined to provide on-the-record comments.

The process uses Mythos to flag potential defects and to prioritize areas for human review and patching. Agency teams typically combine automated detection with manual verification to reduce false positives and to assess whether a flaw can be exploited.

A U.S. official separately reported that an Anthropic model identified weaknesses in highly sensitive government systems during a test. The National Security Agency is also believed to be using Mythos in some operations.

Earlier this year, Anthropic resisted federal requests to remove built-in safeguards that limit its models’ use for autonomous weapons and domestic surveillance. The Pentagon classified Anthropic as a supply-chain risk. The company temporarily restricted public access to a model called Fable after federal concerns about foreign access; that restriction was lifted recently.

Officials have not said if any identified vulnerabilities have been patched or if they were exploited. Federal practice often delays public disclosure of cyber findings until mitigations are in place or disclosure would not harm national security.

The use of commercial large language models and code-analysis systems for government cybersecurity work has grown. Some officials and contractors are pairing automated scanning with traditional security practices to speed discovery and response while noting issues around accuracy, oversight and supplier trust.

Articles by this author

No posts found.