CISA deploys Anthropic's Mythos to scan federal code for bugs
TL;DR
- CISA's Attack Surface Evaluation team is using Anthropic's Mythos model to scan federal code repositories for vulnerabilities, three sources told Reuters on Monday.
- Two of the sources said the audits had already uncovered a large number of vulnerabilities but declined to elaborate on scope or severity.
- The deployment follows NSA testing of Mythos since April and comes as Anthropic navigates an ongoing standoff with the White House.
A US civilian cyber agency quietly running Anthropic's most powerful AI model over federal code is the kind of step that reshuffles a lot of assumptions at once. Reuters reported on Monday, citing three people familiar with the matter, that CISA is using Anthropic's Mythos model to scan government code repositories for bugs that could leave the door open for foreign spies and cybercriminals. The scanning is being done by CISA's Attack Surface Evaluation team, the group that conducts digital security assessments and hacking exercises across government. Two of the sources told the wire service the audits had already uncovered a large number of vulnerabilities.
The reason this matters more than a routine tooling announcement is where it sits in the Anthropic-White House arc. The National Security Agency has been testing Mythos since April, and the government previously pushed Anthropic into a brief global shutdown of the public Fable version over foreign-access concerns, which was only recently lifted. In that context, Reuters frames the CISA deployment plainly as 'another sign of government enthusiasm for adopting the AI startup's tools even as the company navigates an ongoing standoff with the White House.'
For agency CISOs and anyone shipping software into the federal footprint, the practical takeaway is that an AI model this capable is now indexing federal code whether you asked for it or not. The upside is a thorough red-team pass across systems that rarely get one. The downside is that a running list of unpatched federal vulnerabilities existing anywhere is itself a target, and Anthropic's contested standing with the administration means the pipeline that surfaces those bugs is not obviously stable.
The honest caveat is that the reporting is thin on the specifics that would let you judge severity. Reuters could not establish exactly how much government code the team had gone through or the nature or severity of the bugs it discovered, and Anthropic declined to comment while a CISA representative said he would investigate whether information could be shared but did not provide follow-up responses. Take 'a large number of vulnerabilities' as sourced, not settled, and treat the scope as unknown.
The direction, though, is the part worth watching. If the CISA-Anthropic deployment holds through the standoff, expect other civilian agencies to follow the same template, and expect competing AI vendors to start pitching the same defensive-audit story into enterprise procurement conversations shortly after.
Originally reported by reuters.com
Read the original article →Original headline: Reuters: CISA's Attack Surface Evaluation Team is Using Anthropic's Mythos to Scan Government Code Repositories — Already Uncovered a 'Large Number' of Vulnerabilities