U.S. Cybersecurity Agency Uses Anthropic's Mythos to Audit Government Code
Miles Bennett
CISA is scanning government codebases with Anthropic's AI model Mythos to find vulnerabilities exploitable by foreign spies and cybercriminals — making it the second US agency, after the NSA, to deploy the model on a core security mission.
What exactly is CISA doing with Mythos?
Reuters, citing three people familiar with the matter, reports that CISA's Attack Surface Evaluation team is using Mythos to scan government codebases for vulnerabilities that foreign spies and cybercriminals could exploit.
The audits have already uncovered numerous vulnerabilities, though the sources did not disclose their nature or severity; Reuters could not verify the scale of code reviewed.
This means → Mythos has moved past the demo stage and is running inside a live government security workflow.
What happened between Anthropic and the US government?
In February, Anthropic refused to remove safeguards preventing its AI from being used for autonomous weapons or domestic surveillance. The Pentagon responded by placing the company on a supply-chain risk list — a label previously reserved for foreign firms suspected of aiding espionage.
In plain terms = an American AI company got tagged with a "foreign-spy-level" risk label by its own government — for holding its safety line.
A court blocked the blacklist in March; tensions eased after Anthropic privately released the Mythos model.
Did the NSA start using Mythos even earlier?
The NSA began using Mythos in April, while the blacklist was still in force — first reported by Axios.
The New York Times later revealed that NSA analysts were impressed after testing Mythos in a classified environment.
This reflects a striking contradiction: political friction was still running hot, yet the operational side was already deploying Anthropic's tools.
What happened when the public version launched?
When Anthropic released Fable, the public version of Mythos, the White House abruptly ordered a ban on foreign users running the model, triggering a global service outage.
The ban was lifted only last week.
This means → even as agencies scaled up their internal use of Mythos, the White House remained wary of the technology leaking abroad.
Where does the relationship go from here?
CISA's adoption makes it the second core security agency to deploy Mythos after the NSA, showing that the government's operational need for Anthropic's tools has not been interrupted by political friction.
Whether the tension between Anthropic and the White House continues to ease remains the key variable to watch.
In plain terms = the government blacklisted the company with one hand and kept buying its product with the other — how long that contradiction holds is anyone's guess.
Content is for reference only, not financial advice.