Vulnerabilities Bullish 7

3 Sources: CISA Deploys Anthropic Mythos AI to Audit Government Code for Bugs

· 5 min read ·
Share

Key Takeaways

  • CISA is using Anthropic’s AI model Mythos to scan federal code repositories for security weaknesses, uncovering a large number of vulnerabilities.
  • The move accelerates the government’s capacity to hunt down exploitable bugs, though it raises questions about AI-driven false positives and oversight.
  • This exclusive report signals a pivotal shift in how the U.S.
  • defends its digital infrastructure.

Mentioned

Anthropic company Mythos product CISA Government Agency U.S. Department of Defense (Pentagon) government agency U.S. federal judge legal entity U.S. government (federal) government

Key Intelligence

Key Facts

  1. 1CISA’s Attack Surface Evaluation team is using Anthropic’s Mythos AI model to scan government code repositories for security vulnerabilities.
  2. 2The audits have already uncovered a large number of bugs, though exact figures, severity, and the amount of code scanned remain undisclosed.
  3. 3Anthropic previously faced a Pentagon supply-chain risk designation in February 2026 after refusing to remove AI safeguards against autonomous weapons and domestic surveillance.
  4. 4A federal judge blocked that designation in March 2026, and tensions between Anthropic and the U.S. government have since begun to ease.
  5. 5Anthropic has confidentially filed for an initial public offering, a step that could be bolstered by this high-profile federal contract.
  6. 6The deployment marks one of the first known uses of a large language model for government-wide secure code auditing, setting a precedent for AI in federal cybersecurity.

Analysis

Advantages of AI Code Audit
  • Scans millions of lines of code at machine speed, catching patterns humans miss
  • Consistent analysis without fatigue, reducing manual review backlogs
  • Can prioritize findings based on severity, helping defenders focus on critical flaws
Risks and Challenges
  • Large language models may hallucinate false positives or miss context-dependent vulnerabilities
  • Lack of transparency in AI decision-making complicates accountability if a missed bug leads to a breach
  • Overreliance on AI could erode human expertise in vulnerability research and secure code review

Analysis

Federal defenders are turning to artificial intelligence to stay ahead of adversaries, and a new exclusive reveals that CISA is now using Anthropic's Mythos AI to proactively audit government software for vulnerabilities that could be exploited by criminals or nation-state spies. The deployment by the Attack Surface Evaluation team puts advanced language models directly into the heart of public-sector cybersecurity, scaling code analysis far beyond what human teams alone can achieve.

The U.S. Cybersecurity and Infrastructure Security Agency has quietly started using Anthropic’s AI model Mythos to audit federal code repositories for vulnerabilities, according to three sources familiar with the matter. This exclusive report reveals a deepening, though still uneasy, embrace of the AI startup’s tools by the very government that only months ago sought to blacklist it. The development underscores both the escalating demands of digital defense and the high-stakes politics surrounding advanced AI. CISA’s Attack Surface Evaluation team, the internal group responsible for probing federal networks for weaknesses, is employing Mythos to automate the tedious but critical task of scanning millions of lines of code for bugs that foreign spies or cybercriminals could exploit. While the scale and severity of vulnerabilities uncovered remain cloaked in operational secrecy, two sources indicated that the audits have already flagged a large number of issues—an outcome that, if confirmed, would represent a significant validation of AI’s role in proactive cyber defense.

Cybersecurity and Infrastructure Security Agency has quietly started using Anthropic’s AI model Mythos to audit federal code repositories for vulnerabilities, according to three sources familiar with the matter.

The backdrop is anything but ordinary. Anthropic, a San Francisco-based AI company founded by former OpenAI researchers, has long positioned itself as a safety-first developer, embedding constitutional AI principles into its models to refuse harmful outputs. That ethos collided with the Pentagon in early 2026, when the company refused to remove safeguards that prevented its AI from being used for autonomous weapons or domestic surveillance. The Department of Defense responded in February by slapping Anthropic with a formal supply-chain risk designation—a label previously reserved for foreign firms suspected of facilitating espionage. The move effectively barred the company from federal contracts and cast a shadow over its enterprise ambitions. That extraordinary action was blocked by a federal judge in March, a judicial stay that allowed Anthropic to continue operating while the legal and political dust settled. By July, the relationship had thawed sufficiently for CISA to quietly deploy Mythos on sensitive government systems, an irony not lost on observers: the agency entrusted with defending the nation’s cyber infrastructure is now relying on the same AI maker once deemed a supply-chain threat.

The implications for federal cybersecurity are substantial. Manual code review, the traditional method for vetting software used by agencies, is slow, expensive, and unable to keep pace with the volume of new patches and applications. AI models like Mythos can process entire repositories at machine speed, flagging suspicious patterns, outdated libraries, or hardcoded credentials that might otherwise slip through. By integrating AI into its attack surface assessments, CISA potentially multiplies its capacity to harden government systems against adversaries ranging from state-sponsored hacking groups to ransomware gangs. Yet the move also introduces new risks. Large language models are prone to hallucinations—generating plausible but incorrect findings—and can miss context-specific vulnerabilities that a human auditor would catch. Moreover, the opaque nature of AI decision-making raises questions about accountability when a missed bug leads to a breach. The lack of public detail about how many bugs were found, their severity, and how the AI’s output is validated highlights the nascent and still experimental character of this deployment.

What to Watch

From an industry standpoint, the CISA contract is a powerful signal for Anthropic as it inches toward a public listing. The company has confidentially filed for an initial public offering, a milestone that would be the largest for an AI model maker. Demonstrating that their flagship model Mythos is trusted for national-security functions counters the narrative that AI safety constraints hobble commercial utility. It may also open the door to similar deals across other government departments and allied nations, creating a lucrative pipeline. For CISA, the success of this pilot could accelerate the adoption of AI-assisted code review as a standard practice, potentially reshaping federal IT procurement to favor platforms with baked-in AI auditing capabilities. The broader AI ecosystem is watching: this case could set a precedent for how performance and safety claims are weighed against regulatory history when agencies purchase AI services.

Looking ahead, the arrangement faces tests on multiple fronts. The legal truce with the Pentagon could unravel if Anthropic’s stance on weaponization is challenged anew, especially given the evolving norms around AI in defense. For CISA, the challenge will be to establish rigorous benchmarks for AI-assisted auditing—defining acceptable false-positive rates, integrating human oversight, and ensuring that findings translate into actual patches. As cyber threats grow more sophisticated, the partnership between federal defenders and AI innovators will likely deepen, but only if the trust deficit can be bridged with transparency and demonstrable results. The coming months may reveal whether Mythos becomes a permanent fixture in the government’s security toolkit or a cautionary tale about overhyped AI in critical missions.

Timeline

Timeline

  1. Pentagon Blacklists Anthropic

  2. Judge Blocks Designation

  3. CISA Deploys Mythos for Code Audits

From the Network

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.