CISA’s Mythos Audits Find ‘Large Number’ of Bugs in Govt Code, 3 Sources Say
Key Takeaways
- CISA is leveraging Anthropic’s advanced AI model Mythos to proactively scan government software for security flaws, revealing a significant vulnerability discovery.
- This adoption marks a new frontier in automated vulnerability management despite Anthropic’s fraught relationship with the Pentagon.
Mentioned
Key Intelligence
Key Facts
- 1CISA’s Attack Surface Evaluation team is using Anthropic’s AI model Mythos to scan government code repositories for vulnerabilities, according to three people familiar with the matter.
- 2The audits have already uncovered a “large number” of vulnerabilities, two sources said, though the number, nature, or severity of the bugs remains undisclosed.
- 3Anthropic confidentially filed for a U.S. initial public offering, signaling its intent to go public despite unresolved tensions with the government.
- 4In February 2026, the Pentagon designated Anthropic a supply-chain risk after the company refused to remove AI safeguards against autonomous weapons and domestic surveillance; a federal judge blocked the blacklisting in March 2026.
- 5Relations between Anthropic and the U.S. government began to ease after the private release of Mythos, described as an AI model extremely capable at finding and exploiting cybersecurity vulnerabilities.
Analysis
- Identifies 'large number' of vulnerabilities, strengthening federal cyber posture
- Automates red-team-style code review, dramatically speeding up vulnerability mitigation
- Leverages Mythos’s described 'extremely capable' exploit-finding abilities
- Reliance on a company previously designated a supply-chain risk by the Pentagon
- Unresolved safeguards dispute raises worries about how the model handles sensitive government code
- Opaque results: lack of disclosure on bugs impedes independent assessment of impact
Analysis
For cybersecurity professionals, the revelation that CISA’s red team is deploying a frontier AI model to hunt for hidden bugs in federal codebases signals a paradigm shift. It suggests that AI-driven threat hunting is no longer theoretical but operational inside the government’s own cyber defense agency—and it’s already bearing fruit, with sources indicating a “large number” of flaws unearthed. The development raises critical questions about trust, supply chain risk, and the future of automated penetration testing.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has quietly begun using Anthropic’s advanced AI model Mythos to audit federal software for vulnerabilities, according to three people familiar with the matter. The deployment, carried out by CISA’s Attack Surface Evaluation team—a unit that conducts aggressive digital security assessments and red-team exercises across the government—marks a significant milestone in the intersection of frontier AI and national cyber defense. The news, reported exclusively by Reuters on July 6, 2026, reveals that Mythos is being used to scan government code repositories for bugs that foreign spies and cybercriminals could exploit. While the exact scale, nature, or severity of the discovered flaws remains unclear, two sources indicated that the audits had already uncovered a “large number” of vulnerabilities. The adoption comes amid a complex, often hostile relationship between Anthropic and the U.S. government, highlighting a paradox: the same administration that once blacklisted the startup is now relying on its most potent cyber tool.
Cybersecurity and Infrastructure Security Agency (CISA) has quietly begun using Anthropic’s advanced AI model Mythos to audit federal software for vulnerabilities, according to three people familiar with the matter.
The context of this standoff is crucial. In February 2026, the Pentagon took the extraordinary step of designating Anthropic a supply-chain risk—a label typically reserved for foreign companies suspected of espionage—after the San Francisco-based company refused to remove safety guardrails that prevented its AI from being used for autonomous weapons or domestic surveillance. The move sent shockwaves through the tech and defense communities, casting a shadow over Anthropic’s federal prospects. In March, a federal judge blocked the blacklisting, and tensions began to ease following the private release of Mythos, a model described as “extremely capable at finding and exploiting cybersecurity vulnerabilities.” The CISA engagement suggests that the operational value of Mythos has, at least for now, outweighed political and ideological concerns within certain corners of the government.
For the cybersecurity industry, the implications are profound. CISA’s use of an AI model to proactively hunt for vulnerabilities in live government code signals a shift from traditional static analysis and manual penetration testing toward continuous, AI-driven attack surface management at scale. If Mythos can indeed surface a “large number” of bugs that might have otherwise gone undetected, it could fundamentally alter the federal government’s vulnerability remediation rhythm, shrinking windows of exposure for nation-state adversaries. However, trust remains a delicate issue. There is no public information on how Mythos handles sensitive code, whether it stores or learns from scanned repositories, or how the results are validated. Given the recent history of supply-chain risk designation, some security professionals may question the wisdom of feeding source code to a company that was, until a few months ago, formally considered a threat to national security.
What to Watch
From a geopolitical lens, the move also underscores the accelerating AI arms race in cybersecurity. Foreign intelligence services are undoubtedly using similar or more advanced AI tools to find zero-days in U.S. systems. By deploying Mythos defensively, CISA is essentially fighting fire with fire, trying to find and patch holes before adversaries do. Yet the opacity around the bugs discovered—their severity, number, or whether they were already exploited—makes it impossible to gauge the full impact. The lack of official comment from both CISA and Anthropic adds to the fog, though a CISA representative had, in June, promised to look into the matter without further response.
For Anthropic, the CISA deployment is a double-edged sword. On one hand, it is a powerful proof point for Mythos’s capabilities and could accelerate adoption among other government agencies and large enterprises, especially as the company has confidentially filed for an initial public offering. On the other hand, the company continues to navigate a minefield of government relations; the very safeguards that sparked the Pentagon conflict are central to its identity as a responsible AI developer. The story illustrates a broader trend: as AI systems become critical infrastructure themselves, the line between technology vendor and geopolitical actor blurs. CISA’s quiet embrace of Mythos suggests that, in the high-stakes world of government cybersecurity, results can trump rhetoric—but the long-term sustainability of that dynamic remains uncertain. Moving forward, the industry will watch closely for any formal announcement, the scale of vulnerability findings, and whether Congress or oversight bodies scrutinize the arrangement.
Timeline
Timeline
Pentagon designates Anthropic a supply-chain risk
After Anthropic refused to remove AI safeguards preventing use in autonomous weapons or domestic surveillance, the Pentagon applies an unprecedented supply-chain risk label, typically reserved for foreign espionage threats.
Federal judge blocks Pentagon blacklisting
A U.S. judge halts the supply-chain risk designation, easing immediate pressure on Anthropic and opening the door for renewed government cooperation.
Reuters reports CISA using Mythos for government code audits
Three sources confirm that CISA’s Attack Surface Evaluation team is actively using Anthropic’s Mythos to scan government code repositories for vulnerabilities, revealing a “large number” of bugs.
Sources
Sources
Based on 2 source articles- Raphael Satter (my)Exclusive-US cyber agency is using Anthropic's Mythos to audit government code, sources sayJul 6, 2026
- economictimes.indiatimes.comUS cyber agency is using Anthropic's Mythos to audit government code, sources sayJul 7, 2026
From the Network
How we covered this story
Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled cybersecurity-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |