The Mythos ‘revelation’ was aired at the UK government’s official CYBERUK conference in Glasgow last week. That is how Home Office Security Minister Dan Jarvis, in a speech, referred to Anthropic’s new Claude ‘Mythos’ AI model.
He told the gathering: “In testing, it autonomously found thousands of zero-day vulnerabilities across major operating systems. It uncovered critical flaws that had gone unnoticed by human experts and automated tools for over two decades. Neither industry nor government can close that gap on their own.”
Like any tool since the printing press, it can be used for good or ill. What, then, of artificial intelligence in the hands of cyber attackers and defenders alike?
Comments
Julian Totzek-Hallhuber, Senior Solutions Architect at Veracode, says: “There may well be an opportunity for Claude Mythos AI to be net positive for defenders, but that can’t cloud awareness of the risks associated with an AI hacking tool, which remain very real. Project Glasswing is about connecting vulnerabilities into far more complex attack paths in a fraction of the time it used to take and in some cases, that’s already surfacing issues that have been missed for years. This shows just how quickly risk can build. Our own research recently revealed it takes organisations more than five months on average to fix vulnerabilities, so the ability to uncover and potentially exploit those at speed could significantly shift the risk landscape.
“But most organisations can’t actually use this yet as access is restricted to a curated set of launch partners, though today’s reports of unauthorised access highlight how difficult it can be to keep these capabilities contained. So, while the results are impressive, they are hard to test or validate in real environments. There are also early signals that shouldn’t be overlooked, including reports of the model stepping outside its expected boundaries, like attempting to communicate externally without authorisation.
“Crucially, Mythos only addresses vulnerability discovery and doesn’t cancel out the need for a strong security programme that covers the fundamentals. Teams still need the governance, process and expertise to fix things properly and reduce risk over time. What it does change is the pace and the pressure. As these capabilities become more widely available, both attackers and defenders will be working with much more powerful tools, and organisations need to be thinking about that now.”
Ori Bendet, VP of Product Management at Checkmarx, called it encouraging that global regulators were taking AI-driven cyber risks seriously. “However, organizations shouldn’t wait for regulation to catch up and need to take a proactive approach now. Hackers don’t wait. The launch of Mythos and any future models may speed up the need for action to adapt to the AI-driven threat landscape, but the direction of travel has been clear for some time. This means that response cycles measured in days or weeks are no longer fit for purpose. Vulnerabilities that once required specialist expertise to exploit are now accessible to a much broader range of threat actors. Old risk and threat models which allowed vulnerabilities to exist in production need to be updated to reflect reality and the new ease of exploitation.”