International

Why Is the US Using Anthropic’s Secret AI Model Mythos to Audit Government Code? Here’s What It Means

The US Cybersecurity and Infrastructure Security Agency (CISA) is reportedly using Anthropic’s unreleased artificial intelligence model, Mythos, to audit government software for cybersecurity flaws, according to a Reuters report citing three people familiar with the matter.

The AI model is being used to scan government code repositories for vulnerabilities that could potentially be exploited by foreign intelligence agencies or cybercriminals. The development is noteworthy given the Trump administration’s earlier efforts to restrict Anthropic over supply-chain security concerns.

Why Is CISA’s Use of Mythos Significant?

According to the Reuters report, CISA is using Mythos rather than Anthropic’s publicly available Claude models. Mythos is designed specifically for advanced cybersecurity tasks and has demonstrated the ability to identify, exploit and remediate software vulnerabilities, including those affecting financial and banking systems.

Following its launch, Mythos was made available only to approved organisations and has not yet been released publicly.

The reported deployment is particularly significant because the Pentagon designated Anthropic as a supply-chain risk earlier this year. Although a judge later blocked the blacklisting in March, the episode highlighted tensions between the company and the Trump administration.

Separately, Axios reported that the National Security Agency (NSA) had already been using Mythos as of April despite the earlier restrictions. The New York Times later reported that NSA analysts testing the model in classified environments were impressed with its performance.

If the reports are accurate, the development suggests that US national security agencies are increasingly relying on Anthropic’s technology despite previous concerns raised by the administration.

Which Government Systems Are Being Audited?

Reuters reported that Mythos is being used to examine government code repositories rather than public-facing websites.

The audits are reportedly being conducted by CISA’s Attack Surface Evaluation (ASE) team, which carries out cybersecurity assessments and authorised penetration testing across federal government systems.

Neither CISA nor Anthropic has disclosed which government departments or agencies are participating in the programme. The report also did not specify how much code has been reviewed or provide details about the vulnerabilities that have been identified.

Could Financial Agencies Be Included?

Since the ASE team works across multiple federal agencies, systems operated by departments such as the US Department of the Treasury, the Securities and Exchange Commission (SEC), the Internal Revenue Service (IRS) and the Department of Commerce could potentially be included in future or ongoing assessments.

Also Read:China Landslide: 5 Dead, 12 Still Missing After Village Buried in Gansu Province

However, Reuters did not identify any specific agencies involved.

Earlier this year, the Treasury Department, State Department and Department of Health and Human Services confirmed they were complying with a government directive to phase out Anthropic tools following the earlier restrictions.

Does This Mean US Government Software Is Insecure?

According to Reuters’ sources, the AI-powered audits have already identified a significant number of software vulnerabilities.

However, cybersecurity experts note that this should not be interpreted as evidence that government software is fundamentally broken. Large organisations routinely conduct code audits because legacy applications, outdated software libraries and programming errors naturally accumulate over time.

AI-powered tools such as Mythos can analyse vast amounts of code far more quickly than traditional manual reviews, enabling security teams to detect and fix vulnerabilities before they can be exploited by hackers or foreign adversaries.

Back to top button