The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is using the Mythos model developed by artificial intelligence startup Anthropic to audit U.S. government software code, according to three people familiar with the matter.

CISA is using the Myth model to scan government code repositories for software flaws and security vulnerabilities that could be exploited by foreign intelligence agencies or cybercriminals, sources said. This work is handled by CISA's internal "Attack Surface Evaluation" team, which specializes in conducting digital security assessments and simulated attack and defense exercises for various government agencies. Two of the sources said the audits had uncovered a large number of vulnerabilities, but did not disclose the number or details; it was unclear how much government code the team had covered or the nature and severity of the vulnerabilities found.
Regarding related issues, Anthropic did not respond to reporters’ requests for comment. A CISA spokesman said last month that it would confirm whether the content could be made public, but did not respond to further email inquiries.
Anthropic has had a tumultuous relationship with the U.S. government. In February, the San Francisco-based company clashed with the Pentagon over its refusal to remove safeguards from its products that banned autonomous weapons and domestic surveillance. The U.S. Department of Defense subsequently designated Anthropic as a formal "supply chain risk," a label usually reserved for overseas companies suspected of assisting foreign espionage. This unprecedented "blacklist" measure was stopped by a judge in March, and relations between the two parties have since eased.
A key node in the relaxation was Anthropic's private launch of the "Myth" model to the government. This artificial intelligence system was described as "extremely capable" in discovering and exploiting network security vulnerabilities. According to previous media reports, the US National Security Agency (NSA) began to use "Myth" in actual work as early as April, even though Anthropic was still blacklisted at that time. The New York Times quoted sources as saying that some NSA analysts who tested the Myth in a top-secret environment were impressed by its capabilities.
At the same time, Anthropic has also launched a public-facing version of "Myth" called "Fable." This public model has network security protection added to its design, restricting users from directly using it to carry out actual attacks. But shortly after "Fable" went online, the White House suddenly asked Anthropic to ban foreign users from accessing the model. The request triggered a global access block to the Fable model, and it was only last week that the U.S. government officially lifted export control restrictions on the model. Currently, the U.S. government continues to test and evaluate Anthropic’s technology within its national security agencies, while maintaining a delicate game with the company over regulatory and security boundaries.