US Cyber Agency CISA Uses Anthropic's Mythos to Audit Government Code

CISA is using Anthropic's AI model Mythos to scan government code repositories for vulnerabilities, according to newly surfaced details, even as Anthropic navigates an ongoing standoff with the White House.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region3 min read
Cybersecurity analysts reviewing code audit results in a security operations environment

Cybersecurity analysts reviewing code audit results in a security operations environment

The US Cybersecurity and Infrastructure Security Agency is using Anthropic's AI model Mythos to audit government software, according to sources familiar with the matter. It marks another sign of government enthusiasm for the AI developer's tools, even as Anthropic continues to navigate a tense relationship with the White House.

What CISA is actually doing

The scanning work is being carried out by CISA's Attack Surface Evaluation team, a unit within the agency responsible for digital security assessments and hacking exercises across government. Reports indicate the team is using Mythos to scan government code repositories for bugs that could otherwise leave the door open to foreign intelligence services and cybercriminals. Two sources told Reuters the audits have already uncovered a substantial number of vulnerabilities, though the exact scope of code reviewed and the severity of what was found has not been disclosed publicly.

A relationship that has been anything but smooth

The context here matters. Anthropic, which has confidentially filed for a US initial public offering, has had a difficult relationship with the federal government. Tensions peaked earlier this year after the company declined to remove safeguards preventing its AI from being used for autonomous weapons or domestic surveillance, prompting the Pentagon to apply a formal supply chain risk designation, a label typically reserved for foreign entities suspected of facilitating espionage. That designation was blocked by a judge, and relations have eased somewhat since the private release of Mythos, which is described as an AI model particularly capable at finding and exploiting cybersecurity vulnerabilities.

The National Security Agency has reportedly been using Mythos since as early as April, despite the earlier blacklist, with NSA analysts said to have tested it in classified settings and come away impressed with its capabilities. When Anthropic later released a public version called Fable, which included what the company described as additional cybersecurity safeguards, the White House demanded restrictions on foreign access, triggering a temporary global suspension of the model that was only lifted last week.

Why this matters beyond Washington

For enterprise security leaders across the Gulf, the significance is less about the specific agency and more about the direction of travel. A national cyber defence body choosing to operationalise a frontier AI model for code auditing, at the same time regional governments are investing heavily in their own AI enabled security capability, is a strong signal of where vulnerability discovery is heading. Enterprises building or procuring code review and vulnerability management tooling should expect AI assisted auditing to move from an experimental capability to a baseline expectation considerably faster than most roadmaps currently assume.

The unresolved tension between Anthropic and parts of the US government, playing out alongside quiet adoption by agencies including the NSA and now CISA, is also a useful case study in how security value and policy friction can coexist. Organisations evaluating frontier AI vendors for sensitive security work should watch how this relationship develops, since it speaks directly to questions of export control, model access, and vendor stability that matter well beyond US borders.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Threat IntelligenceVulnerability ScanningGovernment CybersecurityAI Code Audit