News: 0184336604

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

US Cyber Agency Is Using Anthropic's Mythos To Audit Government Code (yahoo.com)

(Tuesday July 07, 2026 @11:00AM (BeauHD) from the behind-the-scenes dept.)


CISA is reportedly using Anthropic's Mythos model to [1]scan government code repositories for security vulnerabilities , with sources saying the audits have already found numerous bugs. Reuters reports:

> The scanning is being done by CISA's Attack Surface Evaluation team, according to one of the sources. The team is a group within CISA that conducts digital security assessments and hacking exercises across government. Two of the sources said the audits had already uncovered a large number of vulnerabilities but did not elaborate. Reuters could not establish exactly how much government code the team had gone through or the nature or severity of the bugs it discovered.

>

> [...] The National Security Agency, the U.S. government's powerful eavesdropping agency, has been using Mythos as far back as April despite the blacklist, Axios has reported. Late last month, the New York Times said that NSA analysts had been testing Mythos in classified settings and coming away impressed with its capabilities. But when Anthropic rolled out a public version of Mythos called Fable, which included what it described as cybersecurity safeguards, the White House suddenly demanded that it ban foreigners from running it. This triggered a global shutdown of the model that was lifted only last week.



[1] https://www.yahoo.com/news/politics/articles/exclusive-us-cyber-agency-using-200953358.html



ok (Score:2)

by phantomfive ( 622387 )

As long as that is not the only tool they are using, it seems fine.

When it comes to hacking, these AIs are like really, really advanced/amazing fuzzers.

Re: (Score:2)

by Junta ( 36770 )

Indeed, they take needles in haystacks and make smaller haystacks that have some of the needles. They don't catch some things and they falsely flag a lot of things, but they do either directly or get close to something.

One issue in our codebase that was caught was pretty much spot on. Now upon it being highlighted, it was obvious to anyone that the inexperienced developer screwed up, problem was no one had the attention span to notice. The other issue close to real that it caught was actually not the fla

Re: (Score:2)

by phantomfive ( 622387 )

> Fine, except now we are inundated with false positives because the LLM indicates something,

There's a solution to this problem, alluded to in your sig.

LLMs are like violence. If they don't solve the problem, use more. Simply tell the LLM to check which bug reports are false positives.

Re: (Score:2)

by AleRunner ( 4556245 )

Don't forget to use an LLM to identify the false negatives that you get when you check for false positives....

I agree. I too wish I was entirely joking. I don't even dare to put a sarcasm tag on the comment.

Re: (Score:2)

by phantomfive ( 622387 )

Well actually, you could probably put it in a recursive loop to get it through to the end. I could set up an AWS Lambda function to get it done, shouldn't cost much.

Re: (Score:2)

by Zocalo ( 252965 )

There are at least a few teams out there doing just that. In this case, finding software bugs, get one LLM to look for potential bugs, and use a second independent LLM to try and validate the potential exploits it finds / develop a PoC. Depending on what you are doing and how critical/sensitive the code is, you could also add more independent LLMs in each group to provide additional layers assurance before any output is passed over for human review.

There's also supposed to be a training loop with LLMs,

Re: (Score:2)

by allo ( 1728082 )

That is less stupid then one might think. Tell it to find a bug, then tell it there are still bugs in the code and look if it finds another one. LLMs tend to believe the user (they are programmed, as no user wants a tool to object to a request) so it WILL find another one. If you continue too often you start getting false positives, but until then the things might find a few more bugs the first iteration missed. You first get the low hanging fruit, and need to push more for the rest.

Re: (Score:2)

by Z80a ( 971949 )

It is a pretty terrible combination of skills.

Good at making faulty insecure code and good at finding exploits.

The perfect combination to make any sort of "i gonna fire everyone and replace it with vibe code" plans be even worse.

Of course (Score:2)

by allo ( 1728082 )

Obviously it is a powerful tool (even when it is overhyped) and other than usual users, they can ensure the privacy of what they upload using an NSL. Anthropic won't be that stupid to mess around with US agencies when Trump can just buy OpenAI services instead.

Atlanta:
An entire city surrounded by an airport.