CISA Gets Full Access to Anthropic's Mythos Preview: Cyber Defense Agency Receives Access After Being Locked Out, White House Parameters Pending

CISA Gets Full Access to Anthropic’s Mythos Preview AI model, received access around June 9, 2026. After being locked out since April, White House hasn’t set clear usage parameters yet. Previously only NSA, Commerce had access.

The Cybersecurity and Infrastructure Security Agency (CISA) now has full access to Anthropic’s flagship Mythos Preview model, according to a U.S. official and a second person familiar with the matter. CISA received access around June 9, 2026 (approximately a week ago), marking a significant reversal from April 2026 when the agency was locked out of the AI security tool it arguably needs most.

However, the White House has not yet set clear parameters for how CISA should use the model, leaving the agency without formal guidance on its usage.

The Timeline: From Locked Out to Full Access

Date	Status
April 7, 2026	Anthropic announces Claude Mythos Preview under Project Glasswing controlled-access program
April 21, 2026	Axios reports CISA lacks access — not among 40+ organizations with Mythos Preview
April 21-25, 2026	Multiple reports confirm CISA locked out while NSA and Commerce Department already testing Mythos
April 23, 2026	Confusion: random Discord group got unauthorized access before CISA
June 10, 2026	White House officials discuss giving CISA Mythos access, deemed “imminent”
June 9, 2026	CISA receives full Mythos Preview access
June 16, 2026	Official confirmation: CISA has full access

The turnaround happened in just 6 days from “imminent” (June 10) to “received access” (June 9).

What Mythos Preview Is: The “Cyber-Weapon” AI

Mythos Capabilities:

Feature	Description
Purpose-built	Designed to find and patch security vulnerabilities
Autonomous vulnerability discovery	Can find thousands of critical flaws across major software systems
Offensive cybersecurity	Dangerous enough to be limited access “cyber-weapon”
Bug-hunting AI	Scans environments for exploitable vulnerabilities
Too potent for public release	Anthropic claims it’s too powerful for broad public access

The model can rapidly spot cybersecurity vulnerabilities and offer the ability to exploit them, making it potentially dangerous if misused.

Why Access Is Restricted:

Offensive capabilities — Can identify and exploit flaws
Power balance concern — Could upset cybersecurity power balance
Dangerous potential — Too powerful for broad public release
Supply-chain risk — Pentagon labeled Anthropic a “supply-chain risk”

Who Had Access Before CISA

Initial Mythos Preview Recipients (April 2026):

Organization	Access Status
NSA (National Security Agency)	✅ Already using Mythos for vulnerability scanning
Commerce Dept (Center for AI Standards & Innovation)	✅ Assessing Mythos
UK AI Security Institute	✅ Confirmed access
40+ other organizations	✅ Tech companies, industry groups, software providers
CISA	❌ Locked out (April 21) → ✅ Full access (June 9)

The Irony:

CISA, America’s lead cybersecurity agency and the nerve center for national cybersecurity coordination, didn’t have access while agencies with more specialized national security mandates (like NSA) were already testing it.

Why CISA Was Locked Out Initially

The Pentagon-Anthropic Conflict:

Issue	Details
Supply-chain risk	Pentagon labeled Anthropic a “supply-chain risk”
Reason	Anthropic refused to allow Pentagon officials unrestricted access to Mythos’s full capabilities
Result	Access limited to ~40 organizations (only 12 publicly named)
Ban	Anthropic barred from defense contracts
Contradiction	NSA (Pentagon’s parent agency) bypassed federal ban to use Mythos

The Pentagon blacklisted Anthropic, but the NSA—part of the Department of Defense—was secretly using Mythos despite the ban.

CISA’s Role vs. NSA’s Role:

Agency	Primary Function	Mythos Use Case
CISA	Central coordinator for national cybersecurity, infrastructure protection	Scan federal agencies’ networks for vulnerabilities
NSA	National security intelligence, espionage	Scan environments for exploitable vulnerabilities

CISA’s mission is to protect critical tech infrastructure and coordinate cybersecurity across the nation, making Mythos arguably more critical for CISA than NSA.

What CISA Will Use Mythos For

Proposed Use Case (from White House discussions):

Task	Description
Scan federal networks	Use Mythos to scan federal agencies’ digital networks for security flaws
Find public-facing vulnerabilities	Detect public-facing vulnerabilities across government systems
Identify security flaws	Find other security flaws in federal infrastructure
Defensive cybersecurity	Use as a powerful defensive tool for infrastructure protection

The White House is weighing having CISA leverage Mythos to scan federal agencies’ networks.

Current Status: Full Access, No Parameters

What CISA Has Now:

Status	Detail
Access level	✅ Full Mythos Preview access
Access date	Around June 9, 2026 (one week ago)
Usage guidance	❌ White House hasn’t set clear parameters yet
Formal rules	❌ No defined usage framework established

What’s Still Unclear:

How CISA should use Mythos (no formal guidance)
What restrictions apply to CISA’s usage
Timeline for White House parameters

The agency has access but operates without clear usage parameters.

The White House’s Role in Mythos Access

Ongoing Government Access Plans:

Timeline	Development
April 15, 2026	White House moves to give federal agencies access to modified Mythos version
April 16, 2026	OMB setting up protections and safeguards to limit misuse
April 25, 2026	Trump administration negotiating broader government access to Mythos
June 10, 2026	White House officials discuss giving CISA access, deemed “imminent”
June 9, 2026	CISA receives access (6 days after “imminent” comment)
June 16, 2026	Access confirmed, but no usage parameters set

Gregory Barbaccia (White House OMB Chief Information Officer) said they’re working closely with model providers, industry partners, and intelligence community to ensure appropriate guardrails before releasing modified version to agencies.

The Mythos Paradox: CISA Locked Out While Unauthorized Users Had Access

The Contradiction:

Who	Access Timeline
CISA (main cybersecurity agency)	❌ Locked out April 21 → ✅ Full access June 9
Random Discord group (unauthorized users)	✅ Got access before CISA (April 22)
NSA (intelligence agency)	✅ Already using Mythos (April 19)

What Happened:

A small group of individuals gained unauthorized access to Claude Mythos through a third-party vendor environment
The group already had permission to view Anthropic’s AI systems due to previous contractor work
They were using Mythos since gaining access, but not for malicious purposes (aiming to avoid detection)
Anthropic is investigating the unauthorized access claim

The irony: random unauthorized users got access before America’s primary cybersecurity agency.

Why This Matters: National Cybersecurity Implications

CISA’s Mission:

Protect critical tech infrastructure in the US
Central coordinator for national cybersecurity
Infrastructure protection across federal agencies

Mythos’s Strategic Value:

Autonomous vulnerability discovery at scale
Can find thousands of critical flaws across software systems
Offensive cybersecurity capabilities — can exploit vulnerabilities
Defensive tool for infrastructure protection

The Power Balance:

Mythos could upset the cybersecurity power balance by giving whoever has it unprecedented ability to find and exploit flaws.

The Bottom Line

CISA now has full access to Anthropic’s Mythos Preview model, receiving access around June 9, 2026 after being locked out since April 2026. This marks a significant reversal from April 21 when Axios reported CISA lacked access while NSA and Commerce Department were already testing Mythos. The White House has not yet set clear parameters for how CISA should use the model, leaving the agency without formal usage guidance. Mythos is a purpose-built autonomous vulnerability-discovery AI capable of finding thousands of critical flaws across major software systems, making it a powerful “cyber-weapon” restricted to ~40 vetted organizations under Project Glasswing. The Pentagon had labeled Anthropic a “supply-chain risk” and barred the company from defense contracts, but NSA (part of DoD) secretly used Mythos despite the ban. Ironically, a random Discord group got unauthorized access before CISA did. CISA will likely use Mythos to scan federal agencies’ networks for public-facing vulnerabilities and security flaws.

Quick Summary

CISA now has full Mythos Preview access, received access around June 9, 2026 (one week ago). After being locked out since April 21, 2026 when Axios reported CISA lacked access while NSA and Commerce Dept already testing Mythos. White House hasn’t set clear usage parameters yet. Mythos: autonomous vulnerability-discovery AI finding thousands of critical flaws across software systems, “cyber-weapon” restricted to ~40 organizations under Project Glasswing. Pentagon labeled Anthropic “supply-chain risk,” barred from defense contracts, but NSA secretly used Mythos despite ban. CISA will scan federal agencies’ networks for public-facing vulnerabilities. Random Discord group got unauthorized access before CISA did. CISA: America’s lead cybersecurity agency, nerve center for national cybersecurity coordination, protecting critical tech infrastructure.

CISA Gets Full Access to Anthropic’s Mythos Preview: Cyber Defense Agency Receives Access After Being Locked Out, White House Parameters Pending