INDUSTRY · JULY 7, 2026 · 5 MIN READ

CISA Is Running an AI Code Auditor. Now What?

CISA's Attack Surface Evaluation team is running Anthropic's Mythos against federal repos. What the first confirmed government-scale AI code audit means for private-sector engineering teams.


CISA Is Running an AI Code Auditor. Now What?

CISA's Attack Surface Evaluation team is running Anthropic's Mythos against federal code repositories right now, looking for bugs exploitable by foreign intelligence services. Three sources confirmed the arrangement to Reuters on July 6. Two of those sources said the audits have already turned up a large number of vulnerabilities. This is the first confirmed large-scale government deployment of an AI model as a code auditor, and it settles a question that has been mostly theoretical until this week: whether AI-driven code review is serious infrastructure or a product pitch.

What CISA Is Actually Doing#

The Attack Surface Evaluation team is the unit within CISA that runs digital security assessments and simulated hacking exercises across the federal government. That team, not some experimental skunkworks project, is the one running Mythos. Reuters could not confirm the total volume of code scanned or the severity distribution of findings, but the direction is unambiguous: automated, model-driven repository scanning against production federal code.

The NSA has been running Mythos since at least April, according to Axios. The New York Times reported that NSA analysts tested the model in classified settings and found its cybersecurity capabilities significant. CISA's deployment follows that, extending the pattern from signals intelligence to critical infrastructure defense.

What Mythos Can Actually Do#

Anthropic's own published assessment of the Mythos Preview model found it capable of discovering vulnerabilities that had survived decades of human-led review across every major operating system and web browser, and of building working exploits without human guidance. That is not a marketing description. SecurityWeek reported the tool flagged more than 23,000 potential vulnerabilities across upward of 1,000 open source projects. Independent security firms reviewed 1,900 of those findings and confirmed 1,726, with more than 1,000 rated high or critical severity.

That confirmation rate matters more than the raw flag count. A tool with a high false-positive rate creates noise that teams stop reading. 1,726 confirmed findings out of 1,900 reviewed is a different class of signal.

The Export Control Context#

Mythos 5 is not freely available. After the Commerce Department blocked foreign access on June 12, a global shutdown followed. The export controls were lifted on June 30, according to Computerworld, but Mythos 5 remains restricted: Anthropic said it is restoring access only to a select group of U.S.-based organizations approved by the federal government. SecurityWeek confirmed that framing. CISA's ability to run this at scale depends on its position inside that approved perimeter. Private-sector organizations outside it are working with different tooling constraints.

What the Architecture Actually Implies#

The CISA deployment describes a specific pattern: scan repositories continuously, surface exploitable patterns, route findings to human triage. That architecture has three requirements. First, the model must be capable enough to find real bugs, not just style violations. Second, the output must be structured for triage, not just a list of warnings. Third, human reviewers must remain in the decision loop. CISA is not auto-patching federal systems. It is generating a prioritized finding set for analysts.

That is the same architecture that any engineering team running AI coding tools at volume actually needs. The surface area problem does not start at federal scale. It starts the week a team adopts Cursor or Claude Code and generation rate outpaces review capacity. The post-adoption pattern is documented: generation accelerates faster than review, and the gap between code written and code genuinely audited widens from week one. This was covered in what actually changes the week your team adopts an AI coding tool.

The right response to that gap is not slowing generation. CISA's decision suggests the answer governments and now enterprises are converging on is more automated review running continuously against the full repo, not periodic manual audits against a sample.

What Engineering Teams Should Configure Now#

The CISA deployment validates the auditor-model pattern. It does not tell teams which specific controls to configure. Three specific moves follow from this:

First, repository scanning should run on the full codebase, not just diffs. The Mythos findings described include vulnerabilities that survived decades of prior review. Those are not in recent commits. They are in old code that no one revisited after an API changed or a dependency shifted.

Second, triage routing matters as much as detection. A finding that reaches no one is equivalent to no finding. The CISA model routes to a dedicated team whose job is assessment. Most engineering organizations need an explicit owner for AI-surfaced security findings, separate from the on-call rotation.

Third, verification before a fix ships is not optional. Autonomous patching without a verification step introduces regression risk on top of the original vulnerability. Hyrax runs 13 verification steps between a candidate fix and a submitted PR, and the human merges. That constraint is deliberate: the model does not decide when a fix is safe to ship. For the same reason that CISA uses human analysts to triage Mythos findings, the fix pipeline needs a human merge decision at the end.

The Moment This Represents#

The Pentagon designated Anthropic a supply chain risk in February. A judge blocked that designation in March. An appeals court reinstated it in April. The NSA was running Mythos in April anyway. CISA is running it now. Policy and operational reality diverged, and operational reality won.

That divergence carries a signal for private-sector engineering leaders. The institutions most aware of what foreign intelligence services can do with unreviewed code have decided that AI-driven auditing is not a risk to manage but a capability to acquire. The question for engineering organizations is not whether to adopt continuous automated code review. It is how quickly the review architecture catches up to the generation rate already in place.

Hyrax is live at hyrax.dev.


Sources

  1. 01Reuters via CNA
  2. 02Reuters via 93.3 The Drive
  3. 03Startup Fortune
  4. 04SecurityWeek
  5. 05Computerworld