The US Cybersecurity and Infrastructure Security Agency (CISA) is using Anthropic’s cybersecurity AI model Claude Mythos to scan for vulnerabilities in government software, Reuters has reported.
Citing three people familiar with the matter, the publication said that CISA is actively using Claude Mythos to analyse government code repositories for potential backdoors that could act as a backdoor to hackers or foreign intelligence agencies.
Two of these sources told Reuters that the AI model has already discovered many vulnerabilities, without providing a specific number.
Reuters added that Anthropic had not replied to requests for information on the project and it had not heard back from CISA after initial contact.
Claude Mythos and OpenAI’s competing model GPT-5.6 Sol have been widely scrutinised for their advanced code generation and analysis capabilities.
Though both firms say the models are intended to be used to identify and patch vulnerabilities, security experts warn that the models could also drive a step change in cyber crime in the wrong hands.
In its evaluation of Mythos, the UK’s AI Security Institute noted the model can “execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously”.
On 22 June, cyber security agencies from the Five Eyes intelligence alliance warned that sophisticated AI-driven attacks are months away and on 7 July the European Central Bank ordered all euro zone banks to set out AI cyber defence plans.
The UN’s secretary general, António Guterres, also warned on 6 July that without internationally-agreed guardrails, AI models will soon outpace all safety controls.
Anthropic first announced Claude Mythos Preview in April, having granted access to the model only to vetted organisations in its cybersecurity coalition Project Glasswing over fears that the model could enable advanced software exploitation if released publicly.
In the weeks following the announcement, UK regulators and global partners sought greater clarity from Anthropic over the threat potential Mythos poses, and Anthropic slowly added organisations to Glasswing including nine major UK banks and Japan’s three largest banks.
The US government’s own relationship with Anthropic has run hot and cold in recent months, however. In February, the US Department of Defense (DoD) moved to brand the AI firm a “supply chain risk” after it refused US government requests to use Claude models for “all legal purposes”.
In a blog post, Anthropic chief executive Dario Amodei specifically said that Anthropic objected to potential use of Claude models for mass domestic surveillance and fully autonomous weapons.
Anthropic launched a lawsuit against the Trump administration over the DoD’s designation, which was supported by Microsoft. At the end of March, California district judge Rita Lin described the designation as “arbitrary and capricious” and ordered a temporary pause.
On 12 June the US government subsequently ordered Anthropic to limit access to Claude Mythos and its publicly-accessible, safety-limited variant Fable 5 to US citizens, prompting Anthropic to suspend the models altogether. The ban was lifted on 1 July, which Anthropic said was the result of it increasing Fable 5 safeguards and presenting evidence that neither offering is more inherently dangerous than other frontier AI models.






Recent Stories