Federal Cyber Agency Reportedly Turning to AI to Hunt for Weaknesses in Government Software
CISA's specialist team is said to be using Anthropic's Mythos tool to scan federal systems for security flaws, in what could become a significant shift in how the U.S. government checks its own digital defenses.

Key points
- CISA, the U.S. Cybersecurity and Infrastructure Security Agency, is reportedly using an AI tool called Mythos, built by artificial-intelligence company Anthropic, to scan government software for security flaws.
- The scans are being led by CISA's Attack Surface Evaluation team, a unit whose job is to find weaknesses in federal systems before criminals do.
- The reporting, first surfaced by SecurityWeek, is based on unnamed sources and has not been officially confirmed by CISA or Anthropic.
- No breach of government systems has been reported in connection with this program.
The federal agency responsible for protecting U.S. government computer systems is reportedly bringing in artificial intelligence to help find the cracks in those systems first.
CISA, the Cybersecurity and Infrastructure Security Agency, is said to be using a tool called Mythos, developed by AI company Anthropic, to run automated security scans across government software. A security scan in this context means the tool combs through code or running systems looking for vulnerabilities, which are weaknesses that criminals could exploit to break in or steal data.
Who is actually doing the scanning?
The work sits with CISA's Attack Surface Evaluation team. That group runs what are sometimes called simulated hacking exercises, where security professionals legally attempt to break into a system to expose its weak points before real criminals find them. Adding an AI tool to that process would let the team cover more ground, faster, than human reviewers working alone.
The reports are attributed to unnamed sources and carry the word "reportedly" for a reason. Neither CISA nor Anthropic has publicly confirmed the arrangement. No official rulemaking, procurement notice, or formal disclosure has been published at this time, so the regulatory picture remains incomplete.
That matters. When federal agencies adopt new tools for security assessment, questions of oversight, data handling, and procurement rules come with the territory. CISA operates under a framework of authorities including the Federal Information Security Modernization Act, which governs how agencies manage and report on their security programs. Whether an AI-assisted scanning program of this kind would require new policy guidance or public disclosure is not yet clear from available information.
For ordinary people, the immediate stakes are indirect but real. Government software handles tax records, benefit payments, healthcare data, and much more. A weakness discovered by CISA's team and quietly patched is a weakness a criminal never gets to use. If the Mythos program accelerates that discovery process, that is a straightforward benefit to anyone whose personal information sits in a federal database.
No vulnerability has been publicly disclosed, and no data exposure has been reported in connection with this program. Members of the public do not need to take any action at this time.
Threat Vectr will update this story if CISA or Anthropic provide official comment.



