The National Security Agency is testing Anthropic’s Mythos AI model for its ability to identify cybersecurity vulnerabilities in widely used software, including Microsoft products. Bloomberg reported on April 30 that NSA officials studying the model have been “impressed by its speed and efficiency” in scanning complex codebases for potential security flaws, citing a U.S. official and another person familiar with the matter.

What the NSA Is Testing

The agency is benchmarking Mythos against its existing internal tools and research methods, according to Bloomberg. The evaluation focuses on whether Mythos can flag weaknesses faster than traditional vulnerability research workflows that rely heavily on manual analysis.

It is not clear whether the testing has uncovered any previously unknown vulnerabilities in the software products examined, NewsBytesApp reported. Anthropic has restricted Mythos access to select organizations, advising early users, which include major tech firms and financial institutions, to use the model defensively: identifying weaknesses before malicious actors can exploit them.

The Pentagon Contradiction

The NSA’s evaluation runs directly into a political fault line. The Pentagon has designated Anthropic as a supply-chain risk, a move tied to Defense Secretary Pete Hegseth’s earlier signals of distancing the department from the company’s services. Anthropic challenged that designation in court and won a temporary ruling that blocks restrictions on government use of its technology.

The result is a split posture within the U.S. national security apparatus: the NSA is actively testing Anthropic’s most capable model while the Pentagon maintains the company poses a procurement risk. Anthropic CEO Dario Amodei has reportedly discussed with White House officials how government agencies could safely deploy versions of Mythos, according to NewsBytesApp.

Federal AI Procurement at a Crossroads

The NSA evaluation signals a broader shift in how federal agencies approach AI adoption for operational security work. Rather than building bespoke tools internally, the agency is testing whether a commercially developed frontier model can match or exceed sovereign capabilities for vulnerability detection.

This comes as the White House recently drafted executive guidance allowing federal agencies to bypass the Pentagon’s risk designation and access Mythos. The convergence of NSA testing, court rulings, and White House intervention suggests federal AI procurement is moving faster than the policy apparatus designed to govern it. For cybersecurity teams across government and enterprise, the question is no longer whether autonomous vulnerability scanning will replace manual research, but which agency gets there first.