Anthropic's Mythos Tapped by CISA for Code Audits as IPO Looms – 3 Sources
Key Takeaways
- cybersecurity agency CISA is using Anthropic’s Mythos AI for national-security code audits, a powerful validation as the AI startup prepares for its IPO.
- The engagement comes months after Anthropic clashed with the Pentagon over AI weaponization safeguards, making the government’s embrace a dramatic shift.
- This could boost investor confidence and open doors for further public-sector AI adoption.
Mentioned
Key Intelligence
Key Facts
- 1CISA’s Attack Surface Evaluation team is using Anthropic’s Mythos AI model to scan government code repositories for security vulnerabilities.
- 2The audits have already uncovered a large number of bugs, though exact figures, severity, and the amount of code scanned remain undisclosed.
- 3Anthropic previously faced a Pentagon supply-chain risk designation in February 2026 after refusing to remove AI safeguards against autonomous weapons and domestic surveillance.
- 4A federal judge blocked that designation in March 2026, and tensions between Anthropic and the U.S. government have since begun to ease.
- 5Anthropic has confidentially filed for an initial public offering, a step that could be bolstered by this high-profile federal contract.
- 6The deployment marks one of the first known uses of a large language model for government-wide secure code auditing, setting a precedent for AI in federal cybersecurity.
Analysis
In a notable government endorsement of advanced AI, CISA is quietly using Anthropic’s Mythos model to sweep federal code for weaknesses, according to three sources. The contract not only puts Anthropic’s technology at the center of national cyber defense but also arrives at a critical time: the company has confidentially filed for an IPO, and this high-stakes use case may tip investor sentiment from wary to bullish.
The U.S. Cybersecurity and Infrastructure Security Agency has quietly started using Anthropic’s AI model Mythos to audit federal code repositories for vulnerabilities, according to three sources familiar with the matter. This exclusive report reveals a deepening, though still uneasy, embrace of the AI startup’s tools by the very government that only months ago sought to blacklist it. The development underscores both the escalating demands of digital defense and the high-stakes politics surrounding advanced AI. CISA’s Attack Surface Evaluation team, the internal group responsible for probing federal networks for weaknesses, is employing Mythos to automate the tedious but critical task of scanning millions of lines of code for bugs that foreign spies or cybercriminals could exploit. While the scale and severity of vulnerabilities uncovered remain cloaked in operational secrecy, two sources indicated that the audits have already flagged a large number of issues—an outcome that, if confirmed, would represent a significant validation of AI’s role in proactive cyber defense.
In a notable government endorsement of advanced AI, CISA is quietly using Anthropic’s Mythos model to sweep federal code for weaknesses, according to three sources.
The backdrop is anything but ordinary. Anthropic, a San Francisco-based AI company founded by former OpenAI researchers, has long positioned itself as a safety-first developer, embedding constitutional AI principles into its models to refuse harmful outputs. That ethos collided with the Pentagon in early 2026, when the company refused to remove safeguards that prevented its AI from being used for autonomous weapons or domestic surveillance. The Department of Defense responded in February by slapping Anthropic with a formal supply-chain risk designation—a label previously reserved for foreign firms suspected of facilitating espionage. The move effectively barred the company from federal contracts and cast a shadow over its enterprise ambitions. That extraordinary action was blocked by a federal judge in March, a judicial stay that allowed Anthropic to continue operating while the legal and political dust settled. By July, the relationship had thawed sufficiently for CISA to quietly deploy Mythos on sensitive government systems, an irony not lost on observers: the agency entrusted with defending the nation’s cyber infrastructure is now relying on the same AI maker once deemed a supply-chain threat.
The implications for federal cybersecurity are substantial. Manual code review, the traditional method for vetting software used by agencies, is slow, expensive, and unable to keep pace with the volume of new patches and applications. AI models like Mythos can process entire repositories at machine speed, flagging suspicious patterns, outdated libraries, or hardcoded credentials that might otherwise slip through. By integrating AI into its attack surface assessments, CISA potentially multiplies its capacity to harden government systems against adversaries ranging from state-sponsored hacking groups to ransomware gangs. Yet the move also introduces new risks. Large language models are prone to hallucinations—generating plausible but incorrect findings—and can miss context-specific vulnerabilities that a human auditor would catch. Moreover, the opaque nature of AI decision-making raises questions about accountability when a missed bug leads to a breach. The lack of public detail about how many bugs were found, their severity, and how the AI’s output is validated highlights the nascent and still experimental character of this deployment.
What to Watch
From an industry standpoint, the CISA contract is a powerful signal for Anthropic as it inches toward a public listing. The company has confidentially filed for an initial public offering, a milestone that would be the largest for an AI model maker. Demonstrating that their flagship model Mythos is trusted for national-security functions counters the narrative that AI safety constraints hobble commercial utility. It may also open the door to similar deals across other government departments and allied nations, creating a lucrative pipeline. For CISA, the success of this pilot could accelerate the adoption of AI-assisted code review as a standard practice, potentially reshaping federal IT procurement to favor platforms with baked-in AI auditing capabilities. The broader AI ecosystem is watching: this case could set a precedent for how performance and safety claims are weighed against regulatory history when agencies purchase AI services.
Looking ahead, the arrangement faces tests on multiple fronts. The legal truce with the Pentagon could unravel if Anthropic’s stance on weaponization is challenged anew, especially given the evolving norms around AI in defense. For CISA, the challenge will be to establish rigorous benchmarks for AI-assisted auditing—defining acceptable false-positive rates, integrating human oversight, and ensuring that findings translate into actual patches. As cyber threats grow more sophisticated, the partnership between federal defenders and AI innovators will likely deepen, but only if the trust deficit can be bridged with transparency and demonstrable results. The coming months may reveal whether Mythos becomes a permanent fixture in the government’s security toolkit or a cautionary tale about overhyped AI in critical missions.
Sources
Sources
Based on 1 source articleFrom the Network
CISA’s Mythos Audits Find ‘Large Number’ of Bugs in Govt Code, 3 Sources Say
CISA is leveraging Anthropic’s advanced AI model Mythos to proactively scan government software for security flaws, revealing a significant vulnerability discovery. This adoption marks a new frontier
StartupsAnthropic’s pre-IPO momentum: CISA and NSA now both use Mythos for code audits
With CISA joining the NSA in deploying Mythos, Anthropic now boasts two marquee federal security clients ahead of its confidential IPO. The startup’s journey from Pentagon blacklist to government darl
How we covered this story
Every story in our ai coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the ai space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled ai-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |