Reuters reports that the Cybersecurity and Infrastructure Security Agency (CISA) has quietly started using Anthropic’s high-end AI model, Mythos, to scan government code for security holes. If true, this is an odd little marriage: a federal agency leaning on a Silicon Valley startup that is currently in legal and policy fights with the Pentagon and the White House. The move is both smart — if you want bugs found fast, use a fast tool — and a reminder that national security still depends on asking hard questions about control, oversight, and trust.
What CISA reportedly did and how Mythos is being used
According to reporting, CISA’s Attack Surface Evaluation team has run Mythos to audit government software repositories, including public code stores like GitHub. The scan work allegedly found a “substantial number” of vulnerabilities, though no public tally or technical details have been released. Anthropic’s Mythos is part of its Project Glasswing program, a gated channel that gives vetted defenders access to the model’s strong software-security chops. That capability is useful — these AIs can spot bugs faster than humans — but it also raises real questions about the safeguards around those scans.
Why this matters: security gains and real risks
On the upside, using advanced AI to find software flaws could reduce the risk of foreign spies and cybercriminals exploiting government systems. Faster vulnerability discovery means faster fixes, and that is plainly in the national interest. On the downside, Mythos is a dual-use tool: the same ability to find bugs can be misused to craft exploits. Add in Anthropic’s recent supply-chain designation from the Pentagon and a short-lived export restriction, and you have a stew of technical promise, legal friction, and policy risk that demands clear rules.
Questions Congress and the public should demand answers to
If CISA is using Mythos, taxpayers deserve to know under what authority and with what protections. Is the model running on-site or through a vetted access agreement? Who controls the outputs — could the model’s findings produce exploit code that leaks? Were the vulnerabilities responsibly disclosed and fixed, and how broad was the scan? Those are oversight questions, not academic ones. Washington should not outsource accountability to a vendor that is simultaneously suing the government and arguing it has been blacklisted by the Pentagon.
Bottom line: use the tool, but do not hand over the keys
Let’s be clear: we should not reflexively ban helpful tech that defends America. But neither should we pretend that kicking a can of code into an opaque model is governance. If CISA’s use of Mythos is real, treat it as a pilot that needs tight guardrails: clear contracts, robust logging, on-site handling where possible, and public reporting to Congress about scope and fixes. In short, find the bugs — but make sure the people who find them are not the same people who get to weaponize them by accident or design. That’s simple common sense; Washington would do well to remember it.

