NSA tests Anthropic Mythos model to find vulnerabilities in Microsoft products

The US NSA is testing a new artificial intelligence model called Mythos from Anthropic to find vulnerabilities in popular software, including Microsoft products. This is one of the most notable signals that generative models are beginning to be used not only for writing code, but also for security audits at the level of major government structures.

What is known now

According to available information, the US National Security Agency is checking how well the Anthropic model can find weaknesses in widely used software. Microsoft products are among the systems that have become the focus of such testing. The details of the project remain undisclosed: it is unclear whether this is an internal pilot, a one-time assessment of the model's capabilities, or a broader process that could become part of ongoing practice.

There is also no publicly available data on what specific classes of bugs the system is looking for. It is also important to understand who exactly is commissioning such checks. If experiments with AI for bug hunting are being conducted by the NSA, it means the technology is being considered not as a laboratory demonstration, but as a potentially useful tool for real cybersecurity tasks.

For the market, this is a strong signal: large organizations are willing to check whether the model can accelerate the work of infrastructure and corporate software protection specialists. Especially where the cost of a missed error is too high.

There is particular interest in the connection between Anthropic, Microsoft, and the NSA itself. On one hand, this is a major model developer that is pushing AI into corporate and sensitive scenarios. On the other hand, there is a software ecosystem that supports much of office, cloud, and infrastructure work. When such players come together in one case, this is no longer an experiment for demonstration purposes, but a test of practical value in a high-risk environment.

How it can work

In such scenarios, AI does not completely replace a security researcher, but helps to quickly process large volumes of code, documentation, and system dependencies. The model can be used as an assistant that offers hypotheses, highlights suspicious areas, helps reproduce error chains, and identifies where to dig deeper. Final validation remains with the human, especially when it comes to critical products. This is especially important when working with old and complex systems.

For Microsoft, such interest is also indicative. Its solutions are at the foundation of a huge number of corporate and government systems, so even small vulnerabilities in popular products can have a wide impact. If AI can detect such problems before attackers or traditional audit cycles, the benefit will be not only in speed, but also in scale: the same model can analyze more components in parallel than a limited team can manually.

Where the benefits for protection lie

In such projects, models are usually valuable not for one "magical" function, but for a set of accelerators for the security team. They do not replace manual audits, but help to quickly narrow the scope of review, prioritize, and translate raw technical signals into understandable actions for engineers, analysts, and product owners. Such a layer is useful when a team has little time for initial signal sorting and too many places where errors can hide.

• quickly identify potentially risky code and logic sections
• help match error symptoms to known vulnerability classes
• suggest verification scenarios for rare or complex component combinations
• reduce the time between initial signal and manual re-verification
• help document findings in language understandable to developers and analysts

At the same time, there are many limitations around such tools. The model can mistakenly mark safe code as dangerous, miss non-standard bugs, or offer convincing but incorrect explanations. Therefore, the key question is not whether "AI can find vulnerabilities" in general, but how consistently it does this on real products, with an acceptable number of false positives and with clear benefits for the team. That is why such systems do not yet work without experts.

What this means

The story with Mythos shows that the next stage of AI implementation in cybersecurity is not chatbots for reference, but practical tools for auditing complex software. If such tests yield results, large vendors and government structures will begin to embed models more quickly into vulnerability detection and prioritization processes.