CISA uses Anthropic AI to scan government software for vulnerabilities
CISA has begun using Anthropic’s Mythos AI to scan government code repositories, a move that could speed bug hunting but also raises new oversight risks.

CISA has been using Anthropic’s Mythos AI model to scan government code repositories for vulnerabilities that could leave the door open to foreign spies and criminal hackers. The effort puts the Cybersecurity and Infrastructure Security Agency’s Attack Surface Evaluation team at the center of a broader federal push to use advanced AI for defensive security work inside government systems.
The deployment matters because CISA is not a pilot project office. The agency describes itself as the nation’s cyber defense agency and says it provides cybersecurity assessments and other risk-management services, including risk and vulnerability assessments that produce tailored risk analysis and mitigation guidance for customers. Its Roadmap for AI says the agency intends to promote beneficial uses of AI to enhance cybersecurity capabilities, protect AI systems from cyber threats and deter malicious use of AI against critical infrastructure.

Anthropic has positioned Mythos 5 as its latest update for Mythos Preview and says it is currently available only to a small group of vetted partners. The company says models with Mythos-level cybersecurity capabilities are powerful enough to be misused in cyberattacks, which is why access is restricted and safeguards are in place. In its research on Mythos Preview, Anthropic said the model is strikingly capable at computer-security tasks, and the company has said it expects models like Mythos Preview to generate a large volume of cybersecurity findings that the software industry will need to manage.
The White House has already pushed agencies toward faster adoption. A June 2, 2026 executive order directed agencies to prioritize AI for cyber defense of national-security systems, Defense Department information systems and civilian federal systems. A June 5, 2026 National Security Presidential Memorandum said the national security enterprise should accelerate AI adoption and remove unnecessary barriers to deployment while maintaining oversight and supply-chain security.
That backdrop helps explain why Mythos is moving from tests into operational use. In June 2026, a U.S. official said Anthropic’s model found vulnerabilities in highly sensitive government computer systems during a testing exercise with intelligence agencies, including the National Security Agency. The reported CISA rollout suggests that the same class of model is now being trusted to review code at scale, not just to assist with chat or coding tasks.
The promise is speed and reach: software repositories that would take human analysts far longer to inspect can be searched quickly for weaknesses. The risk is that false positives, opaque model behavior and the transfer of sensitive code into private-sector tools could outrun the government’s own governance rules. For federal agencies that run critical infrastructure systems and national-security networks, the question is no longer whether AI can find bugs, but what human oversight and procurement safeguards will govern it before it becomes standard.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
Did this article answer your question?


