Cybersecurity after Mythos
The Mythos of Mythos
On the 7th of April this year, Anthropic announced that they had developed a highly capable new class of AI model which they called Mythos Preview. Mythos, they said, was unusually good at what they called ‘computer security tasks’, by which they meant both vulnerability detection and the development of exploits. Previous Anthropic models had been capable of the first task, but had rarely succeeded in the second.
Because of this capability, Anthropic made the decision not to release Mythos Preview to the public. Instead, they formed Project Glasswing, an initiative that saw Anthropic provide Mythos access to a group of companies Anthropic had identified as being vendors or maintainers of “critical digital infrastructure”. Yesterday, Anthropic announced that they are expanding Project Glasswing to include 150 new partners.
If this sounds to you like some of the best marketing you have ever heard—it does not seem to have hurt the appeal of Hermès that you cannot buy a Birkin—you are not alone. But, even discounting the somewhat breathless prose of Anthropic’s own reporting, since that initial announcement, some evidence has begun to accumulate in favor of both Mythos’ capabilities and the effectiveness of Project Glasswing.
There were the headline findings at launch: a 27 year old bug in OpenBSD. A minor bug in FFmpeg dating back to 2010. A vulnerability in FreeBSD that Mythos was able to write a working exploit for.
Then there followed the initial disclosures from Glasswing. Mozilla reportedly found 271 vulnerabilities in Firefox. Calif, an AI security firm, used Mythos as part of a successful effort to overcome Apple’s new hardware-assisted memory safety system in the M5 chip. In their analysis of the model, AI pen-testing startup XBOW described Mythos as “substantially better than prior models at finding vulnerability candidates”, although some caveats followed in their full analysis.
So, what does it all mean?
All of this has raised the salience and profile of an issue many people in the cybersecurity and AI safety fields have been thinking about for a while now: what do advanced AI capabilities mean for cybersecurity?
On MTS, we had a series of interviews with people from the field. We spoke to Brendan Dolan-Gavitt from XBOW (before their Mythos analysis dropped) about the history of cybersecurity and Mythos. We spoke to Zack Korman about where the real risks are for most companies. And we had Matt Johansen on to talk about the challenges facing large disclosure programs like Microsoft’s.
Here are three general lessons that we have taken from these conversations (although all errors are, of course, ours).
1. The models are good and they’re going to keep getting better
In our interview, Brendan said something along the lines of: AI models are getting better and better at writing code, and finding and exploiting vulnerabilities is really just a subset of writing code. Anthropic has been consistent in saying that they expect other AI labs to produce Mythos-level models in the next 6–12 months. And indeed, by some measures GPT-5.5 and 5.5-Cyber are already at parity. If the trend holds, the next cycle of model releases will show capabilities that are greater again.
This seems to have several implications for cybersecurity. The first is that it will not be sufficient to assume that advanced cyber capabilities will remain accessible only to the restricted class of people selected by leading labs. It’s fortunate then that few people are making this assumption—the leading labs, large software companies, national governments, and, if the latest Project Glasswing post is to be believed, even public utilities are using AI tools for cyber hardening in anticipation of capable models that are more widely available. Yesterday’s long-awaited executive order on AI even formalizes the practice of sharing advanced models with the government ahead of their public release.
But another implication is that we may be about to relitigate a long-standing argument in cybersecurity: are vulnerabilities in software finite or infinite? Dan Geer of In-Q-Tel famously framed the question like this: can you count vulnerabilities in software the same way you might count frogs in a pond?
I have seen some commentary online that early results from Project Glasswing suggest the answer is “no”. If Mythos can find a 27 year old bug in OpenBSD, the argument goes, perhaps there really are an infinity of vulnerabilities. If that’s true, then patching makes no difference. Remove one bug, an infinite number of others remain.
This would be more persuasive if Mythos found, say, 1,000 27 year old bugs in OpenBSD. Instead, this outcome suggests precisely the opposite—advanced models find one old vulnerability in some of the most widely fuzzed pieces of software in the world, and several hundred vulnerabilities in Firefox. This is what you would expect if each subsequent vulnerability became marginally more difficult to find.
If that’s true, a Mythos head start will give defenders a big advantage over attackers who are late to very capable models. In this context, it will be particularly interesting to see how the next generation of models perform on codebases that have already been hardened by advanced AI tools. One to watch.
2. The majority of security risks are not zero-day vulnerabilities
In the broad field of cybersecurity, zero-day vulnerabilities and exploits have the most glamorous aura. They get cool names like Heartbleed, Pegasus and BlueHammer. Exploits based on zero-days, often chaining together many vulnerabilities, have been used to sabotage nuclear programs and target the iPhones of Russian FSB officials. It must feel pretty cool to stand up on stage, or in the offices of a company like Apple (see Calif, above), and present a novel and unusual zero-day
But, as Zack Korman mentioned during our conversation, the majority of cybersecurity incidents are of the more boring and prosaic kind. As anyone who has sat through a corporate IT cybersafety training program can attest, you are more likely to be compromised by a “new document shared with you” email than something cooler.
The significance of this has been illustrated by a neat coincidence: at the same time as much ink was being spilled on Mythos’ cyber capabilities, a major supply chain attack was being undertaken using the Mini Shai-Hulud worm. The attackers used several stolen credentials to include the worm in public SAP packages. The worm then harvests credentials from affected users, and uses them to spread through other public software packages.
These attacks relied on two broad types of vulnerabilities—the first allowed the initial social engineering or man-in-the-middle attack that gained the first credentials used to publish the compromised packages. The second was the permissioning and credentials decisions within affected organizations that allowed the worm to steal credentials and propagate through other packages. Neither of these vectors relies on, or is necessarily prevented by, access to Mythos.
3. The infrastructure that large companies set up to handle responsible disclosure is struggling
Our conversation with Matt Johansen covered a range of questions, and touched on topics we’ve already talked about in this post. But the motivating event wasn’t the Mythos announcement, it was a blog post from the Microsoft security team about boring old Responsible Disclosure.
Matt Johansen described Responsible Disclosure during our conversation as a kind of social contract. Security researchers agree to disclose the vulnerabilities they find, in return for vendors acknowledging and sometimes rewarding their work and making timely efforts to remedy the vulnerabilities.
The particular situation involving Microsoft is worth looking into for those who are interested. But it can be summarized like this: a security researcher decided that Microsoft was not meeting their end of the bargain, and decided that public disclosure of the vulnerabilities was the right way to draw attention to their tardiness.
Whether you agree or not with that attitude, it highlights a more general trend that is being driven by growing AI capabilities. Security researchers of all experience levels and powered by AI tools are vibe-disclosing vulnerabilities of spurious seriousness faster than many organizations can triage and respond to them. Nextcloud and Curl, among others, have discontinued their bug bounty programs in response to increasing numbers of AI-generated bug reports. Linus himself weighed in.
It’s not clear whether a deluge of low-quality reports were behind Microsoft’s slow and insufficient response to Nightmare Eclipse. But it does seem like there will need to be a reconsideration of how large companies and open source projects triage and respond to bug reports. Some people have suggested that AI tools might even be helpful here.
What to watch
In recent posts, Anthropic have suggested that they may be releasing Mythos for paying users some time in the next few weeks. We also know from OpenAI’s Erdős announcement that they are using an unreleased model with advanced capabilities internally.
There are also signs that Project Glasswing might become a model for addressing AI risks in other research areas. A few days ago, OpenAI announced The Rosalind Biodefense Program, which aims to support organizations working on bio-defence with access to OpenAI’s GPT-Rosalind life sciences model.
But, overall, the outlook at this stage is positive. Leading labs are working closely with software vendors and maintainers to ensure critical infrastructure is hardened. New tools, in the hands of researches and security teams, are helping to find vulnerabilities that humans have missed. And you are nearly halfway through the week.
 | A guest post by
|