US cyber agency is using Anthropic's Mythos to audit government code, sources say
Source: Reuters
July 6, 2026 4:10 PM EDT Updated 3 hours ago
WASHINGTON, July 6 (Reuters) - The U.S. cyber defense agency CISA is using Anthropic's AI model Mythos to audit government software, three people familiar with the matter said on Monday, another sign of government enthusiasm for adopting the AI startup's tools even as the company navigates an ongoing standoff with the White House.
The Cybersecurity and Infrastructure Security Agency is using Mythos to scan government code repositories for bugs that could leave the door open for foreign spies and cybercriminals, the sources said.
Anthropic did not respond to questions about the initiative. A CISA representative said last month that he would check to see if there was anything to share about the matter but did not respond to further emails.
The scanning is being done by CISA's Attack Surface Evaluation team, according to one of the sources. The team is a group within CISA that conducts digital security assessments and hacking exercises across government. Two of the sources said the audits had already uncovered a large number of vulnerabilities but did not elaborate. Reuters could not establish exactly how much government code the team had gone through or the nature or severity of the bugs it discovered.
Read more: https://www.reuters.com/world/us-cyber-agency-is-using-anthropics-mythos-audit-government-code-sources-say-2026-07-06/
rampartd
(5,744 posts)tech lords to defend such vulnerabilities for $Ts
AZJonnie
(4,259 posts)There's things AI is very good at. This is one of those things. The best place for humans in this chain is to be reviewing the findings.
CousinIT
(12,933 posts)If it uncovers vulnerabilities that need fixing (after human review of what they are and whether they're legit), then that's a good thing.
It would be almost negligent if they *didn't* use these tools to search for vulnerabilities, now that we have them. They can find them faster and easier than humans. If they produce hundreds of false positives and only a few legitimate vulnerabilities that can be fixed, it's worth it. Better that than those previously unseen vulnerabilities going unmitigated. Especially in critical systems.