Forgot your password?
typodupeerror
Government

US Cyber Agency Is Using Anthropic's Mythos To Audit Government Code (yahoo.com) 20

CISA is reportedly using Anthropic's Mythos model to scan government code repositories for security vulnerabilities, with sources saying the audits have already found numerous bugs. Reuters reports: The scanning is being done by CISA's Attack Surface Evaluation team, according to one of the sources. The team is a group within CISA that conducts digital security assessments and hacking exercises across government. Two of the sources said the audits had already uncovered a large number of vulnerabilities but did not elaborate. Reuters could not establish exactly how much government code the team had gone through or the nature or severity of the bugs it discovered.

[...] The National Security Agency, the U.S. government's powerful eavesdropping agency, has been using Mythos as far back as April despite the blacklist, Axios has reported. Late last month, the New York Times said that NSA analysts had been testing Mythos in classified settings and coming away impressed with its capabilities. But when Anthropic rolled out a public version of Mythos called Fable, which included what it described as cybersecurity safeguards, the White House suddenly demanded that it ban foreigners from running it. This triggered a global shutdown of the model that was lifted only last week.

US Cyber Agency Is Using Anthropic's Mythos To Audit Government Code

Comments Filter:
  • As long as that is not the only tool they are using, it seems fine.

    When it comes to hacking, these AIs are like really, really advanced/amazing fuzzers.
    • by Junta ( 36770 )

      Indeed, they take needles in haystacks and make smaller haystacks that have some of the needles. They don't catch some things and they falsely flag a lot of things, but they do either directly or get close to something.

      One issue in our codebase that was caught was pretty much spot on. Now upon it being highlighted, it was obvious to anyone that the inexperienced developer screwed up, problem was no one had the attention span to notice. The other issue close to real that it caught was actually not the fla

      • Fine, except now we are inundated with false positives because the LLM indicates something,

        There's a solution to this problem, alluded to in your sig.

        LLMs are like violence. If they don't solve the problem, use more. Simply tell the LLM to check which bug reports are false positives.

        • Don't forget to use an LLM to identify the false negatives that you get when you check for false positives....

          I agree. I too wish I was entirely joking. I don't even dare to put a sarcasm tag on the comment.

          • Well actually, you could probably put it in a recursive loop to get it through to the end. I could set up an AWS Lambda function to get it done, shouldn't cost much.
        • by Zocalo ( 252965 )
          There are at least a few teams out there doing just that. In this case, finding software bugs, get one LLM to look for potential bugs, and use a second independent LLM to try and validate the potential exploits it finds / develop a PoC. Depending on what you are doing and how critical/sensitive the code is, you could also add more independent LLMs in each group to provide additional layers assurance before any output is passed over for human review.

          There's also supposed to be a training loop with LLMs,
        • by allo ( 1728082 )

          That is less stupid then one might think. Tell it to find a bug, then tell it there are still bugs in the code and look if it finds another one. LLMs tend to believe the user (they are programmed, as no user wants a tool to object to a request) so it WILL find another one. If you continue too often you start getting false positives, but until then the things might find a few more bugs the first iteration missed. You first get the low hanging fruit, and need to push more for the rest.

          • by Junta ( 36770 )

            It's basically shaking the magic 8 ball and it works, but it's totally a judgement call when it has worked 'enough'. It doesn't necessarily progress from easiest to hardest issues to find, it just is a bit random. Hard to say how many passes before you've *probably* got the real ones. My experience has not been that false positive rate increases, sometimes you might have all false positives but a continuation will flag real issues.

    • by Z80a ( 971949 )

      It is a pretty terrible combination of skills.
      Good at making faulty insecure code and good at finding exploits.
      The perfect combination to make any sort of "i gonna fire everyone and replace it with vibe code" plans be even worse.

  • by allo ( 1728082 ) on Tuesday July 07, 2026 @08:25AM (#66226490)

    Obviously it is a powerful tool (even when it is overhyped) and other than usual users, they can ensure the privacy of what they upload using an NSL. Anthropic won't be that stupid to mess around with US agencies when Trump can just buy OpenAI services instead.

  • That is a lot of taxpayer money going to pay AI companies for something the government was supposed to be doing all along.

    They are also using unproven technology to audit classified resources, technology that has already been shown to be vulnerable to leaking sensitive data.

    • by darkain ( 749283 )

      Unproven? This is the technology directly responsible for the onslaught of zero-day exploits in every major F/OSS (and even some closed source) ecosystems all over the internet. Go check the CVE news from the past couple months, its all Mythos up and down entirely. This is literally the tool cracking every major codebase on the internet, so calling it "unproven" is a bit of a stretch at this point.

  • Didn't Anthropic get banned from government use because they wouldn't change their contract terms for Segseth?

  • That's fine and dandy, I guess, but the bigger issue is can we fundamentally trust this government, given the scallawags in charge, to report actual issues, address those issues; or would they capitalize on them for their own self-interests, for when they're no longer in power? My knee-jerk response to any and all of this is I don't trust 'em.
  • I just wanted to say. I don't think C or C++ are good languages and while I think clang is a pretty decent C++ compiler, I think it's far from what it could become.

    Why not use an llm to audit code?

    Maybe they should use a lot of LLMs, get second and third and fourth oppinions.

    Or is the article making a point that the US government is limiting themselves to one llm and if you want to hack the government, you just need to find Mythos's weaknesses?

"From there to here, from here to there, funny things are everywhere." -- Dr. Seuss

Working...