eCommerceNews US - Technology news for digital commerce decision-makers
United States
CISA uses Anthropic AI to hunt flaws in federal code

CISA uses Anthropic AI to hunt flaws in federal code

Thu, 9th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

The US Cybersecurity and Infrastructure Security Agency (CISA) is using Anthropic's Mythos artificial intelligence model to scan federal government software for security vulnerabilities. According to people cited by Reuters, the deployment is part of a pilot applying AI to source code auditing across government systems.

CISA's Attack Surface Evaluation team is running Mythos against federal codebases. The model reviews source code and flags potential flaws attackers could exploit. Reuters said Mythos has already uncovered multiple vulnerabilities in testing, though no details have emerged on the number, severity, or systems involved.

The move puts CISA at the centre of the debate over how governments should use commercial AI systems in sensitive security workflows. It also raises questions about the balance between scan coverage and the practical workload these tools create for human security teams, which must still validate and remediate issues.

Specialists in AI-driven cybersecurity described the initiative as an important proof point for machine-led code review, while warning that its impact will depend on how agencies triage the results.

Bronwen Aker, AI Research & Strategy Analyst at Black Hills Information Security, highlighted concerns about policy inconsistency and a lack of transparency around what Mythos is analysing.

"The federal government can't seem to decide what it thinks about AI in general, or Mythos in particular. One week Anthropic is a supply-chain risk, the next week CISA is handing Mythos the keys to scan federal code for vulnerabilities. That inconsistency would be bad enough on its own, but because it's not clear what Mythos is actually scanning, it's much, much worse. Is this government-written code, or software built by third-party contractors and vendors? In-house bugs are one problem. Vendor bugs running across federal systems are a supply chain problem, and the public has a right to know which one this is," said Bronwen Aker, AI Research & Strategy Analyst at Black Hills Information Security.

Chris Traynor, Penetration Tester at Black Hills Information Security and Instructor at Antisyphon Training, noted that AI is entering a field already rich with automated analysis tools, but with different strengths and drawbacks.

"Software code review and analysis is nothing new. Realistically, most issues found are not exploitable without very specific conditions being met (i.e. the vulnerable function needs to actually be invoked and exposed to the attacker in order to be abused). I believe AI vulnerability scanning will likely find many new and novel issues that were simply too complex to identify with legacy tools before. But added complexity can also limit exploitability. AI scanning will likely produce a lot of unactionable output very quickly that will need to be reviewed by experts to find the real risks," said Chris Traynor, Penetration Tester at Black Hills Information Security and Instructor at Antisyphon Training.

That focus on what happens after detection is central to Seemant Sehgal, Founder and Chief Executive Officer at BreachLock. He drew a distinction between raw vulnerability counts and issues that matter in real-world attack paths.

"AI finding vulnerabilities in federal code at scale is interesting, but the harder question is what happens after the finding. A vulnerability that exists in a library no one calls, behind a network segment no one reaches, is not the same problem as one sitting in a critical authentication path. Without validating exploitability and reachability, every finding lands with the same weight, and that creates its own kind of risk. The real test of this program is whether the output helps prioritize action or just expands the backlog," said Seemant Sehgal, Founder and Chief Executive Officer at BreachLock.

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity at Suzu Labs, framed CISA's use of Mythos as one half of a broader AI risk cycle that also includes how software is now written.

"Using AI to scan for vulnerabilities in legacy code while AI generates vulnerable new code on the other end only solves half the problem. CISA pointing Mythos at government codebases is a smart move. I've seen federal systems running code that hasn't had a serious security review in a decade, and a model like Mythos can cover that volume in hours instead of months," said Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity at Suzu Labs.
"The blind spot is the generation side. Every federal agency and contractor also has developers writing code with AI assistants, and those tools produce insecure output more often than secure output. Authorization flaws, hardcoded credentials, missing input validation, all shipping by default because the models optimize for 'does it run' and skip 'is it safe,'" said Krell.
"Combine both facts and you get a treadmill. Mythos finds legacy bugs, teams patch them, and AI coding tools introduce fresh vulnerabilities into the same repos at machine speed. The backlog doesn't shrink. It gets younger," he added.

Krell also argued that the impact of CISA's work will extend beyond federal networks.

"Power grids and water systems are privately run but sit squarely in nation-state crosshairs. CISA can't harden federal code and call it done. If the agency has a scanning tool this capable, the operators running critical infrastructure need access to it too, because those are the systems that actually keep the lights on," he said.
"I'd want CISA to pair this initiative with secure-generation standards for AI coding tools in federal development, and extend scanning access to critical infrastructure operators. We are draining the pool while the hose is still running," he added.