CISA Uses Anthropic’s Mythos to Scan Federal Code for Security Vulnerabilities
July 14, 2026
The inside sources did not give much in the way of specifics as to which government agencies are being scanned by Mythos or exactly what work is being done. They did say that code repositories are being scanned and that a “large number” of security vulnerabilities have been uncovered.
At least two reports of the National Security Agency (NSA) continuing to make use of Mythos for cyber defense purposes have emerged since the April ban went into effect, and now there is a new report that the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its toolbox as well. Reporters with Reuters have had contact with anonymous government sources that claim CISA is scanning code repositories for security vulnerabilities, seemingly unwilling to miss out on what is rapidly moving toward a mandatory element of cybersecurity despite blacklisting Anthropic.
Full Mythos power yet to be unleashed, but organizations can get a head start with “Fable”
Since private testing of Mythos Preview began about three months ago, the expectation has been that when the next wave of “frontier” AI models become available it will precipitate some major changes in cybersecurity practice. At this point the more limited Mythos “Fable” edition has been available to the public for about two weeks, and OpenAI’s GPT-5.6 Sol has just gone live as of this writing. While these models have been equipped with very strong guardrails aimed specifically at limiting malicious cyber attacks, the era of preemptively using AI tools to scan for security vulnerabilities seems to have officially arrived.
Even if these early releases do not prove to be potent “virtual assistants” for cyber attackers, other models certainly will before long. It thus behooves organizations to become comfortable with the idea of automated AI scanning and patching of security vulnerabilities ASAP. That seems to be the conclusion the US government has reached, as it has almost entirely (but still unofficially) reversed its position on Anthropic products in federal offices.
The reversal is easy to understand, as Anthropic was never a real threat to national security despite being placed on the “supply chain risk” list also occupied by companies like Huawei. The move was instead clear retaliation for its declaration that it would not participate in the use of AI for piloting automated weapons or for domestic surveillance and would keep staunch guardrails in place to prevent this.
Source reports “large number” of security vulnerabilities found by Mythos
The inside sources did not give much in the way of specifics as to which government agencies are being scanned by Mythos or exactly what work is being done. They did say that code repositories are being scanned and that a “large number” of security vulnerabilities have been uncovered, however, reasonably pointing to CISA combing over federal agents with the supposedly outlawed tool.
The agencies may still be technically in the clear, as the Trump executive order did provide for a six-month wind-down phase to decouple from Anthropic tools. However, that element seemed to be aimed more at defense contractors than federal agencies (particularly those directly responsible for national security).
The big question that raises is to what degree Anthropic is facilitating US government access to its services while seemingly being a banned entity. There are numerous implications there, not the least of which is impact on Anthropic’s litigation against the government over the ban. While it is possible that CISA has been making use of the public Fable for security vulnerabilities since it first became available in early June, the NSA’s ongoing use of it would imply access to Mythos Preview when it was supposed to be limited to only about two dozen organizations.
While all of that makes for interesting gossip, the key takeaway for organizations is that seemingly even the US government is now not only viewing Anthropic AI scanning for security vulnerabilities as a defensive necessity but is also trusting the organization with access despite their legal wrangling. While it is still too early to officially declare this sort of preventive “discovery” scanning as a universal requirement, one good rash of AI-powered cyber attacks that uncovers years-old weaknesses will likely be what changes that once and for all.



