cd /news/ai-safety/us-cyber-agency-is-using-anthropics-… · home topics ai-safety article
[ARTICLE · art-49211] src=thenextweb.com ↗ pub= topic=ai-safety verified=true sentiment=· neutral

US cyber agency is using Anthropic’s Mythos to audit government code, sources say

The US Cybersecurity and Infrastructure Security Agency is using Anthropic's AI model Mythos to audit government code for vulnerabilities, according to three anonymous sources. The arrangement comes despite a recent Pentagon blacklisting of Anthropic over safety concerns, highlighting a thaw in relations as Washington embraces the startup's tools for cybersecurity.

read3 min views5 publishedJul 7, 2026
US cyber agency is using Anthropic’s Mythos to audit government code, sources say
Image: Thenextweb (auto-discovered)

A federal defender is reportedly pointing a private, offensive-grade AI model at the government’s own software, though almost nothing about the work is on the record.

The US Cybersecurity and Infrastructure Security Agency is using Anthropic’s AI model Mythos to hunt for bugs in government software, according to three people familiar with the matter who spoke to Reuters.

The arrangement, first reported on 6 July, is the latest sign that Washington’s appetite for the startup’s tools has outlasted a bruising standoff with the White House.

Mythos is the same model that reportedly found flaws in classified US systems during an earlier government test, and its path into federal hands has been anything but smooth. It lands at CISA even as Anthropic and the administration keep sparring over who is allowed to run it.

According to the sources, CISA is pointing Mythos at government code repositories to flag vulnerabilities that could let foreign spies or cybercriminals in.

The scanning is being carried out by the agency’s Attack Surface Evaluation team, one person said, a unit that runs digital security assessments and hacking exercises across government.

Two of the sources told Reuters the audits had already turned up a large number of vulnerabilities, though none would elaborate. Reuters said it could not establish how much code the team had reviewed, or the nature and severity of the bugs.

Anthropic did not respond to questions about the initiative, and a CISA representative said last month he would check whether there was anything to share, then went quiet.

None of the operational detail is confirmed on the record. Every claim about CISA’s use of Mythos rests on anonymous sources, and both the agency and the company have declined to describe the work. It should be read as reported, not settled.

What sits on firmer ground is Mythos itself. Anthropic has spent 2026 marketing the model, part of a cybersecurity push it calls Project Glasswing, as unusually good at finding software flaws, and it has widened access to 150 organisations across more than 15 countries.

The company, which has confidentially filed for a US initial public offering, describes Mythos as extremely capable at both finding and exploiting vulnerabilities.

That dual-use quality is exactly what soured relations with Washington. Ties hit a low in February, when the San Francisco company refused to strip out safeguards blocking its AI from being used for autonomous weapons or domestic surveillance.

The Pentagon responded with a formal supply-chain risk designation, a label normally reserved for foreign firms suspected of enabling espionage. A judge blocked the blacklisting in March.

The thaw came with Mythos. Axios reported in April that the NSA had been using the model despite the Pentagon ban, and the New York Times later said NSA analysts had tested it in classified settings and come away impressed.

But when Anthropic released a public version called Fable, the White House abruptly demanded it bar foreigners from running it, triggering a global shutdown of both models that lifted only last week.

The optics are hard to miss. An agency charged with defending government networks is now leaning on a private model from a company the Pentagon recently treated as a security risk, to read the government’s own code. Whether that reads as pragmatism or overreach may depend on what the audits actually found, and neither CISA nor Anthropic is saying.

For now, the scope stays murky. There is no public accounting of which systems have been scanned, how findings are triaged, or what happens to the vulnerabilities once Mythos surfaces them. Rivals are circling the same ground, with OpenAI pitching its own cyber-defence model as an alternative. What is clear is that the government’s experiment with offensive-grade AI on defensive duty is already under way, whatever the paperwork says.

Get the TNW newsletter #

Get the most important tech news in your inbox each week.

── more in #ai-safety 4 stories · sorted by recency
── more on @cisa 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/us-cyber-agency-is-u…] indexed:0 read:3min 2026-07-07 ·