Reuters reports that the CISA is said to be using Anthropic’s Mythos AI model to scan federal government software for security vulnerabilities. The CISA’s Attack Surface Evaluation team is using the model to audit source code and identify flaws that could be exploited by cybercriminals or nation-state actors.
The initiative is part of a pilot program to evaluate whether AI can accelerate software security reviews across government systems. Reuters reports that Mythos has identified multiple vulnerabilities during testing, although specifics on the number of vulnerabilities, severity, or affected software are not disclosed.
Bronwen Aker, AI Research & Strategy Analyst, Black Hills Information Security:
The federal government can’t seem to decide what it thinks about AI in general, or Mythos, in particular. One week Anthropic is a supply-chain risk, the next week CISA is handing Mythos the keys to scan federal code for vulnerabilities. That inconsistency would be bad enough to start with, but because it’s not clear what Mythos is actually scanning, it’s much, much worse. Is this government-written code, or software built by third-party contractors and vendors? In-house bugs are one problem. Vendor bugs running across federal systems are a supply chain problem, and the public has a right to know which one this is.
Chris Traynor, Penetration Tester at BHIS and Instructor at Antisyphon:
Software code review and analysis is nothing new. Realistically, most issues found are not exploitable without very specific conditions being met (i.e. – the vulnerable function needs to actually be invoked and exposed to the attacker in order to be abused).
I believe AI vulnability scanning will likely find many new and novel issues that were simply too complex to identify with legacy tools before. But added complexity can cause limitations exploitability. AI scanning will likely produce a lot of unactionable output very quickly that will need to be reviewed by experts to find the real risks.
Seemant Sehgal, Founder & CEO, BreachLock:
“AI finding vulnerabilities in federal code at scale is interesting, but the harder question is what happens after the finding. A vulnerability that exists in a library no one calls, behind a network segment no one reaches, is not the same problem as one sitting in a critical authentication path. Without validating exploitability and reachability, every finding lands with the same weight, and that creates its own kind of risk. The real test of this program is whether the output helps prioritize action or just expands the backlog.”
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Using AI to scan for vulnerabilities in legacy code while AI generates vulnerable new code on the other end only solves half the problem. CISA pointing Mythos at government codebases is a smart move. I’ve seen federal systems running code that hasn’t had a serious security review in a decade, and a model like Mythos can cover that volume in hours instead of months.
“The blind spot is the generation side. Every federal agency and contractor also has developers writing code with AI assistants, and those tools produce insecure output more often than secure output. Authorization flaws, hardcoded credentials, missing input validation, all shipping by default because the models optimize for “does it run” and skip “is it safe.”
“Combine both facts and you get a treadmill. Mythos finds legacy bugs, teams patch them, and AI coding tools introduce fresh vulnerabilities into the same repos at machine speed. The backlog doesn’t shrink. It gets younger.
“Power grids and water systems are privately run but sit squarely in nation-state crosshairs. CISA can’t harden federal code and call it done. If the agency has a scanning tool this capable, the operators running critical infrastructure need access to it too, because those are the systems that actually keep the lights on.
“I’d want CISA to pair this initiative with secure-generation standards for AI coding tools in federal development, and extend scanning access to critical infrastructure operators. We are draining the pool while the hose is still running.”
I for one would like the CISA to combine vulnerability scanning via AI with human follow up. Because relying on just AI alone is a recipe for failure. This of course ignoring the fact that the Trump Administration seems to flip flop on Anthropic and their potential harms to society. .
Related
This entry was posted on July 8, 2026 at 4:41 pm and is filed under Commentary with tags Anthropic. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
The CISA Scanning Fed Software with Anthropic Mythos
Reuters reports that the CISA is said to be using Anthropic’s Mythos AI model to scan federal government software for security vulnerabilities. The CISA’s Attack Surface Evaluation team is using the model to audit source code and identify flaws that could be exploited by cybercriminals or nation-state actors.
The initiative is part of a pilot program to evaluate whether AI can accelerate software security reviews across government systems. Reuters reports that Mythos has identified multiple vulnerabilities during testing, although specifics on the number of vulnerabilities, severity, or affected software are not disclosed.
Bronwen Aker, AI Research & Strategy Analyst, Black Hills Information Security:
The federal government can’t seem to decide what it thinks about AI in general, or Mythos, in particular. One week Anthropic is a supply-chain risk, the next week CISA is handing Mythos the keys to scan federal code for vulnerabilities. That inconsistency would be bad enough to start with, but because it’s not clear what Mythos is actually scanning, it’s much, much worse. Is this government-written code, or software built by third-party contractors and vendors? In-house bugs are one problem. Vendor bugs running across federal systems are a supply chain problem, and the public has a right to know which one this is.
Chris Traynor, Penetration Tester at BHIS and Instructor at Antisyphon:
Software code review and analysis is nothing new. Realistically, most issues found are not exploitable without very specific conditions being met (i.e. – the vulnerable function needs to actually be invoked and exposed to the attacker in order to be abused).
I believe AI vulnability scanning will likely find many new and novel issues that were simply too complex to identify with legacy tools before. But added complexity can cause limitations exploitability. AI scanning will likely produce a lot of unactionable output very quickly that will need to be reviewed by experts to find the real risks.
Seemant Sehgal, Founder & CEO, BreachLock:
“AI finding vulnerabilities in federal code at scale is interesting, but the harder question is what happens after the finding. A vulnerability that exists in a library no one calls, behind a network segment no one reaches, is not the same problem as one sitting in a critical authentication path. Without validating exploitability and reachability, every finding lands with the same weight, and that creates its own kind of risk. The real test of this program is whether the output helps prioritize action or just expands the backlog.”
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Using AI to scan for vulnerabilities in legacy code while AI generates vulnerable new code on the other end only solves half the problem. CISA pointing Mythos at government codebases is a smart move. I’ve seen federal systems running code that hasn’t had a serious security review in a decade, and a model like Mythos can cover that volume in hours instead of months.
“The blind spot is the generation side. Every federal agency and contractor also has developers writing code with AI assistants, and those tools produce insecure output more often than secure output. Authorization flaws, hardcoded credentials, missing input validation, all shipping by default because the models optimize for “does it run” and skip “is it safe.”
“Combine both facts and you get a treadmill. Mythos finds legacy bugs, teams patch them, and AI coding tools introduce fresh vulnerabilities into the same repos at machine speed. The backlog doesn’t shrink. It gets younger.
“Power grids and water systems are privately run but sit squarely in nation-state crosshairs. CISA can’t harden federal code and call it done. If the agency has a scanning tool this capable, the operators running critical infrastructure need access to it too, because those are the systems that actually keep the lights on.
“I’d want CISA to pair this initiative with secure-generation standards for AI coding tools in federal development, and extend scanning access to critical infrastructure operators. We are draining the pool while the hose is still running.”
I for one would like the CISA to combine vulnerability scanning via AI with human follow up. Because relying on just AI alone is a recipe for failure. This of course ignoring the fact that the Trump Administration seems to flip flop on Anthropic and their potential harms to society. .
Share this:
Like this:
Related
This entry was posted on July 8, 2026 at 4:41 pm and is filed under Commentary with tags Anthropic. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.