Technology
CISA uses Anthropic AI to scan government code for flaws
The U.S. Cybersecurity and Infrastructure Security Agency has begun using Anthropic’s Mythos model to scan government software for security flaws. The agency’s Attack Surface Evaluation team is carrying out the audits, combing through government code repositories for bugs that could open doors for foreign intelligence services or ordinary cybercriminals.
The move puts a frontier AI system into a job that federal security teams have long handled by hand. The reviews have already uncovered a large number of vulnerabilities, though their seriousness and the amount of code examined were not disclosed. For CISA, the appeal is speed: a model that can sift through repositories faster than a human reviewer could help agencies catch weaknesses before attackers do.

Large language models can misread code, flag harmless patterns as threats, or miss subtle flaws that a seasoned engineer would catch. They also tend to operate inside opaque systems that make it hard to see why a piece of code was flagged, what was skipped, or how much trust a reviewer should place in the output. In government cybersecurity, one false alarm can waste scarce staff time and one missed defect can expose a network.
Anthropic’s path to federal work has been complicated. Earlier this year, the company resisted pressure to remove safeguards that kept its AI from being used for autonomous weapons or domestic surveillance. That clash led the Pentagon to label Anthropic a supply-chain risk until a federal judge blocked the designation. The dispute later eased after Mythos was released privately as a model built to find and exploit cybersecurity weaknesses.

The National Security Agency has also been using Mythos since at least April.
Sources
- [1]usnews.com