The US government's cyber defense arm just did something that's been inevitable since AI models started writing code: it's auditing its own with AI.
According to Reuters, CISA's Attack Surface Evaluation team is using Anthropic's Mythos model to scan government code repositories. The results? A "large number" of vulnerabilities already uncovered. That's not a glowing PR quote — that's a euphemism for "we found a lot of problems."
Why this matters
For years, the federal government has been the world's largest producer of insecure software. Not out of incompetence — out of scale, legacy systems, and procurement processes designed for a different era. The codebases CISA manages span decades, include languages nobody wants to maintain, and serve hundreds of millions of Americans.
Manual security audits at that scale are expensive and slow. AI changes the math. A model that can read millions of lines of code, identify patterns, and flag vulnerabilities in hours instead of months isn't just an efficiency win — it's the only way to even try to keep up.
The government just became one of the biggest enterprise customers for AI code review.
Mythos isn't Anthropic's flagship model — it's designed for tool use and systematic reasoning, exactly what you want for audit workflows. And CISA isn't a pilot program or a press stunt. This is real operational deployment, finding real bugs in real systems.
The competitive angle
What's notable is what this means for the broader AI market. The US federal government — notoriously slow to adopt new technology — just validated AI-assisted security auditing at the highest levels. Every enterprise security team watching this space just got a mandate from their board: "why aren't we doing this?"
Anthropic has invested heavily in the government market, and this contract is the payoff. OpenAI and Google have chased the same space, but Mythos's tool-centric design gave it an edge for this particular use case.
The catch
Let's not get carried away. Finding vulnerabilities is only half the problem. Fixing them is harder — especially in legacy systems where the original developers are long gone and every change risks breaking something else.
AI can spot the problems. Actually solving them will still require human engineers, and likely years of work. But at least now they know what to fix.
This is what AI adoption looks like when it's not about chatbots or assistants. It's about specific, high-value tasks in industries that can't afford to get it wrong. The US government just became an AI reference customer — and that's going to accelerate everything.