
The U.S. government’s top cybersecurity agency is using one of the world’s most powerful AI models to help uncover security flaws hidden inside government software. The move signals a growing shift in how critical systems are protected as artificial intelligence begins taking on work that once depended almost entirely on human security experts.
According to Reuters, the Cybersecurity and Infrastructure Security Agency (CISA), is using Anthropic’s Mythos AI model to examine government code for vulnerabilities that hackers could exploit. The work is being carried out by CISA’s Attack Surface Evaluation team, which conducts security assessments across federal systems.
Looking For the Flaws Before Attackers Do
Software security reviews have traditionally relied on teams of engineers manually inspecting code, running tests, and searching for weaknesses. AI is now becoming another tool in that process.
Reuters reported that Mythos has already identified numerous vulnerabilities during its work with CISA, although officials have not disclosed how many bugs were found or how serious they were. The agency has also not revealed which government systems are being examined.
But the goal, as reported, remains finding security weaknesses before cybercriminals or foreign intelligence agencies discover them first.
And this reflects a broader trend across cybersecurity, where AI is increasingly being used to speed up threat detection, analyze large amounts of code, and assist security researchers with tasks that would otherwise take much longer.
Why Anthropic’s Model Stands Out
Mythos is Anthropic’s most advanced cybersecurity focused AI model. Its ability to detect software vulnerabilities has attracted attention from both the technology industry and the U.S. government.
The model is currently available only to a limited number of approved U.S. organizations because of concerns that its advanced bug finding abilities could also be misused if widely available. Earlier this year, the U.S. government temporarily restricted access to Mythos and its related Fable model before later restoring access under new safeguards after 19 days.
Anthropic has also expanded its government offerings through Claude for Government and specialized Claude Gov models built for national security environments, reflecting its growing focus on public sector customers.
An Unusual Partnership
CISA’s use of Mythos also comes after a complicated relationship between Anthropic and the U.S. government.
Earlier this year, the company refused a Pentagon request to allow its models to be used for domestic surveillance and fully autonomous weapons, a position that led the Defense Department to designate Anthropic as a supply chain risk.
Anthropic challenged this decision in court, arguing that the blacklist was retaliation for its AI safety stance, and a federal judge later blocked the Trump administration from labeling the AI safety company a “supply chain risk.”
However, it seems that national security agencies continued using the company’s technology, with the NSA testing Mythos even before CISA adopted it to help audit government software.
Why This Matters
Finding software vulnerabilities before attackers do has always been one of cybersecurity’s biggest challenges, even more so for a country, as government systems contain millions of lines of code, making manual reviews difficult and time consuming.
CISA’s decision to add AI, especially Anthropic’s AI models, to that process suggests national agencies believe advanced models can help security teams discover issues that might otherwise remain hidden.
And if this approach continues to prove effective, it could reshape two things – how governments secure critical software against increasingly sophisticated cyber threats; and the collaborations between AI companies and governments.
