Federal CIO cautious on Anthropic’s Mythos despite planned rollout
Federal Chief Information Officer Greg Barbaccia said Tuesday the government is approaching Anthropic’s Mythos model with measured expectations, acknowledging both its potential to strengthen federal cyber defenses and the significant uncertainties that remain about how it would perform in real-world conditions.
Barbaccia said his direct exposure to Mythos has been limited to evaluations and benchmarking tests, and that no federal agencies have deployed it yet. While he says the Office of the National Cyber Director is coordinating the government’s approach, his broader assessment of where AI-assisted cybersecurity is heading was direct.
“We’re going to get to a world soon where AI defense will be able to catch up,” Barbaccia told CyberScoop on Tuesday at the Workday Federal Forum, produced by Scoop News Group. “We must get to a point where the bots are finding the bots.”
Earlier this month, Barbaccia sent an email to cabinet agencies to inform them that the Office of Management and Budget has started laying the groundwork for a controlled rollout of the model to federal agencies.
His framing reflects a view that the same capabilities making Mythos a potential offensive threat are precisely what make it valuable as a defensive tool. Anthropic has said the model identified thousands of previously unknown, high-severity vulnerabilities across major operating systems and web browsers during testing, many of them decades old. The question for federal security teams is not whether those capabilities are real, but whether they translate from controlled laboratory settings to the complex, defended networks that government agencies actually run.
Barbaccia was candid about that gap.
“I think it’ll uplevel people and make a novice cybersecurity offensive operator more efficient,” he told CyberScoop. “But the jury is still out on how effective it’ll be against real-world conditions, meaning a network that’s guarded by human defenders that has alerting and things like that. The evaluations I’ve seen have been laboratory learnings.”
That distinction matters for federal security teams weighing how to think about the model. Finding a vulnerability and successfully exploiting it in a defended environment are different problems. Barbaccia pointed to the CVE catalog, the government’s running list of known software flaws, as one area where the model’s speed could have practical value. A human analyst working through that catalog would take considerable time. A model like Mythos could move through it far faster. But speed alone does not determine whether a vulnerability poses an actual threat.
“There’s a difference between something that is exploitable in a 4-nanosecond window during a BIOS boot versus what’s the reality of that being exploited in the real world,” he said. “We have to understand, just like you could secure your entire threat surface, where are the crown jewels? And how do you protect something, and make sure the protection you’re deploying is worthwhile what you’re protecting.”
That kind of thinking is familiar to federal network defenders, who operate under resource constraints and must triage which vulnerabilities to address first. What Mythos potentially changes is the speed at which that triage can happen, and the depth at which vulnerabilities can be identified before an adversary finds them.
Barbaccia said the CIO Council, which coordinates technology policy across civilian agencies, is still in the early stages of understanding what the model could mean for enterprise security environments. “Everybody’s just curious to learn a lot more,” he said.
Agencies have tried on their own to obtain access to Anthropic’s model. The Department of the Treasury has asked for access, according to reports. CISA, the agency responsible for securing, monitoring, and defending civilian agency networks, has not been granted access.
