“We must get to a point where the bots are finding the bots,” Greg Barbaccia, the federal chief information officer, told CyberScoop on Tuesday — a concise statement of intent that also frames a roster of practical questions about Anthropic’s Mythos and how the government will use it.
Greg Barbaccia on Mythos' promise and limits
Barbaccia said his exposure to Anthropic’s Mythos has been limited to evaluations and benchmarking tests, and he emphasized that no federal agencies have yet deployed the model. He described Mythos as possessing capabilities that could strengthen defensive work by speeding discovery and analysis, while cautioning that the model’s laboratory results may not translate directly into effectiveness inside defended, operational networks.
“I think it’ll uplevel people and make a novice cybersecurity offensive operator more efficient,” Barbaccia said, then added the caveat officials care about most: the difference between laboratory learnings and performance against a network “that’s guarded by human defenders that has alerting and things like that.”
Office of Management and Budget laying groundwork for a controlled rollout
Earlier this month, Barbaccia emailed cabinet agencies to notify them that the Office of Management and Budget has begun preparing for a controlled rollout of Mythos to federal agencies. He also said the Office of the National Cyber Director is coordinating the government’s approach to the model, indicating interagency collaboration is already underway even as access and deployment remain limited.
Anthropic’s test claims and the CVE catalog as a practical focus
Anthropic has said Mythos identified thousands of previously unknown, high-severity vulnerabilities across major operating systems and web browsers during testing, some of them decades old. Barbaccia pointed to the CVE catalog — the running list of known software flaws — as a place where speed could matter. A human analyst working through the CVE catalog would take considerable time; a model like Mythos could move through that work far faster.
Yet speed does not equal real-world risk. Barbaccia used a concrete example to underscore the distinction: “There’s a difference between something that is exploitable in a 4-nanosecond window during a BIOS boot versus what’s the reality of that being exploited in the real world.” In other words, the mere presence of a vulnerability in testing does not automatically translate into an exploitable threat against agency systems operating under layered defenses.
Access requests, CISA, and agency interest
The Department of the Treasury has sought access to Mythos, according to reports, but Barbaccia said federal agencies have not deployed the model. He also noted that CISA, the agency charged with securing, monitoring, and defending civilian agency networks, has not been granted access. Those access patterns track the cautious, staged approach Barbaccia described: agencies are attempting to obtain the tool, but formal, broad deployment has not begun.
What this means for federal cybersecurity teams, OMB, and the Office of the National Cyber Director
- Federal cybersecurity teams and network defenders: Barbaccia’s framing suggests teams should expect faster triage and broader vulnerability discovery if Mythos performs as Anthropic reports, but they should also treat laboratory findings skeptically until proved in defended environments.
- Office of Management and Budget and the CIO Council: OMB’s groundwork for a controlled rollout and the CIO Council’s early-stage engagement mean policy and procurement decisions will be central to any broader adoption; Barbaccia said the CIO Council is “just curious to learn a lot more.”
- Office of the National Cyber Director and CISA: With the Office of the National Cyber Director coordinating the government’s approach, agencies that have not yet been granted access — CISA among them — will be watching whether the model’s laboratory promise converts into operational value before seeking broader access or authority to use it defensively.
Barbaccia’s assessment is pragmatic: Mythos may shrink the time it takes to identify and prioritize vulnerabilities, and it may enable less experienced operators to act with greater efficiency. But the central unresolved question remains concrete and specific — will vulnerabilities the model flags in controlled testing translate into exploitable targets inside federal networks protected by layered defenses and human monitoring?
Federal officials have already begun formal steps — OMB preparing a controlled rollout and the Office of the National Cyber Director coordinating — so the next milestones to watch are the outcomes of those controlled tests and whether agencies such as CISA receive access. Until those steps yield operational results, Barbaccia’s caution — that “the jury is still out on how effective it’ll be against real-world conditions” — will shape how agencies plan for Mythos’ promise and limitations.




