The US Cybersecurity and Infrastructure Security Agency (CISA) is using Anthropic’s AI model, Mythos, to find vulnerabilities in government code repositories, Reuters reported Monday, citing unidentified sources.
The Attack Surface Evaluation teams at CISA, responsible for digital security and resilience, are overseeing the testing, Reuters reported. CISA and Anthropic did not immediately respond to requests for comment on the types of systems tested or the vulnerabilities found.
Anthropic previewed Mythos in April under its initiative, called Project Glasswing, an industry-led collaboration that seeks to secure software applications. The initiative was launched by Anthropic because it believed the capabilities of Mythos “could reshape cybersecurity.”
Dispute With The PentagonThe developments surrounding Mythos’ capabilities, however, led to panic over its disruptive potential, with the US government imposing an interim export ban on Anthropic models Mythos and Fable.
The US government lifted the ban in July only after Anthropic put in place adequate security measures to prevent potential model exploitation by threat actors.
In February, the company was also embroiled in tensions with the Pentagon over its decision not to remove Claude security guardrails to allow the US military to use the model for autonomous weapons and surveillance capabilities.
With tensions between Washington and Anthropic subsiding, more government entities have announced plans to deploy frontier models for vulnerability discovery in legacy systems.
The UK National Cyber Security Centre on Tuesday announced plans to build “Cyber Shield,” a custom agentic AI system to identify vulnerabilities in legacy systems, generate automated insights, and coordinate security remediation at a national level.
On Monday, the Alberta government said its custom AI agents, built using Anthropic’s Claude Code, Claude Opus, and Claude Sonnet, scanned 466 million lines of code in 20 hours to identify 185 vulnerable systems. The report, however, does not provide any additional information on the types of vulnerabilities discovered or how they were identified.