The National Security Agency is using Anthropic’s Mythos system to surface security flaws in Microsoft technology, according to The Information. That’s a striking pairing: America’s signals intelligence agency leaning on a frontier AI lab’s tooling to audit the software stack that runs most of the federal government and a huge slice of global enterprise.
The Information reports the NSA has been applying Mythos to identify vulnerabilities in Microsoft tech. What stands out here is the shift in posture. Instead of waiting for outside researchers or Microsoft’s own teams to disclose bugs, the agency is actively using AI to do its own discovery work at scale.
Why this matters
For years, vulnerability research has been a labor problem. Skilled reverse engineers are scarce, expensive, and slow. AI-assisted code analysis flips that equation. A model that can read binaries, trace data flows, and reason about edge cases lets a small team cover ground that used to take a small army.
The NSA already has one of the deepest pools of vulnerability research talent on the planet. Adding Anthropic’s tooling on top suggests the agency thinks AI gives it a multiplier even with that bench in place. That’s a meaningful endorsement of where the technology is.
What we know about Mythos
Anthropic hasn’t been loud about Mythos as a public product. The name has surfaced in the context of AI systems applied to security research and code analysis tasks. Whether it’s a dedicated offering or a tailored deployment of Claude for offensive and defensive security work, the use case here is clear: feed it large codebases or compiled artifacts and let it hunt for the kinds of flaws that turn into exploits.
That’s the same direction other labs are pushing. Google’s Project Zero has been publishing on AI-assisted vuln discovery. OpenAI has worked with security firms. The difference is that this NSA deployment is operational, not a research demo.
The Microsoft angle
Microsoft’s footprint inside the U.S. government is enormous. Windows, Azure, Office 365, Active Directory, Exchange. When a single vendor sits underneath that much critical infrastructure, every undiscovered flaw is a potential cascading risk. The NSA finding bugs in Microsoft tech isn’t adversarial in the public sense. It’s defensive due diligence at national scale.
There’s also the awkward middle layer. The NSA has historically held onto some vulnerabilities for offensive use, a practice that drew heavy criticism after EternalBlue leaked and powered WannaCry. AI-driven discovery is going to surface bugs faster than the disclosure process was built to handle. Expect renewed debate over the Vulnerabilities Equities Process and how quickly findings flow back to vendors.
What practitioners should take from this
A few immediate implications:
- AI-assisted vuln research is now operational, not theoretical. If a government agency is using it to audit one of the largest software vendors, the same tooling will reach private red teams and bug bounty hunters fast.
- Defenders need parity. If offensive AI tools find bugs at higher throughput, defensive AI tools have to match the pace on patching, triage, and exposure management.
- Vendor security teams are about to get busier. Microsoft and others should expect a higher volume of high-quality disclosures, including from sources that have AI doing the heavy lifting.
- Anthropic’s enterprise and government push is real. Between Claude Gov rollouts, federal contracts, and now this Mythos deployment, the company is locking in serious public sector traction.
What comes next
Watch for two things. First, whether other agencies confirm similar deployments. CISA, the Pentagon, and the intelligence community all have parallel needs. Second, whether Microsoft (and other vendors in the NSA’s crosshairs) start announcing their own AI-driven security programs to keep up with the disclosure pace.
The broader pattern is clear. AI is moving from “helps write code” to “helps break code” inside the most consequential security shops in the world. More details at the original source.