The U.S. Cybersecurity and Infrastructure Security Agency is running a restricted Anthropic AI security auditing model on government software. Neither the agency nor Anthropic will say what the model has found.
CISA, the U.S. civilian cybersecurity agency, is running a closed Anthropic model called Mythos across federal code repositories, looking for vulnerabilities that foreign intelligence services or cybercriminals could exploit. Three people familiar with the deployment described it to Reuters; Anthropic did not respond to questions, and a CISA spokesperson said only that the agency would "check with the team." (Reuters via X) (NorthKoreaTimes syndicated re-report)
Mythos sits inside a trusted-access program called Glasswing. Only vetted organizations can run it, and the model's outputs are not auditable by anyone outside that circle. (SecurityWeek) (ai-checker context) That restriction is the point. The public agency whose job is to share vulnerability intelligence with the private sector is using a tool whose findings cannot be independently checked, replicated, or ranked. The accountability chain the rest of CISA's work assumes is missing here by design.
Anthropic released Mythos and a sibling called Fable on 9 June 2026 as part of a new Claude line internally tagged "Capybara," positioned above Opus. Fable is the public version, available to anyone; Mythos is the restricted one. (decodethefuture roadmap leak) The White House has reportedly pressed Anthropic to keep foreigners from running Fable at all, a condition that sharpens how geopolitically loaded the model has become before CISA ever turned it on federal code.
CISA's Attack Surface Evaluation team is the operational unit doing the work. Its remit is to find flaws in software the government itself runs and ships, the same class of bugs that ended up in Log4j, MOVEit, and a long list of procurement-bill disasters. Putting a frontier AI on that loop changes the throughput. Two of the three sources told Reuters the audits have already surfaced "a large number" of vulnerabilities. Neither the scope reviewed nor the severity distribution has been disclosed. (TheNextWeb)
Anthropic's posture with the rest of the federal government is unresolved. The lab was recently designated a Pentagon supply-chain risk over safeguards on autonomous weapons and domestic surveillance. A federal judge blocked the designation in March. CISA, sitting inside the Department of Homeland Security, has chosen to deepen its integration with that same vendor at the same moment the dispute is unresolved. The engagement did not pause for the litigation. It qualified under it.
The engagement creates a governance condition Reuters and the trade press did not surface. CISA, the civilian agency responsible for telling the rest of the country what is broken in its software, is reading its own code through a model that no one outside a paid and vetted circle can run, on findings neither the agency nor the vendor will characterize. The accountability chain CISA's public products assume (publish the CVE, share the indicator, let defenders reproduce) does not survive the Glasswing arrangement.
During an earlier government test, Mythos reportedly found flaws in classified U.S. systems. That finding is itself reported, not confirmed. It is useful as evidence that the model can find real bugs in sensitive code, and as a warning that what it finds is not automatically shareable with the people who own the affected systems outside the trust ring. The CISA engagement is the first time the same restriction has been applied to unclassified federal civilian code.
Three signals will indicate whether the arrangement changes. A public CISA advisory attributing a vulnerability class to AI-assisted review would disclose the workflow without naming the model. A comment from Anthropic on the government use of Mythos would signal whether the vendor accepts public accountability. A procurement record showing the Glasswing conditions would expose the arrangement to outside review. As of now, the audit is running. The disclosure posture is the only signal the public has that the audit is also trustworthy.