Claude Mythos comments

by Mark Rowe

The Mythos ‘revelation’ got aired at the UK official CYBERUK conference in Glasgow last week. That’s how Home Office Security Minister Dan Jarvis in a speech referred to Anthropic’s new Claude ‘Mythos’ AI model.

He told the gathering: “In testing, it autonomously found thousands of zero-day vulnerabilities across major operating systems. It uncovered critical flaws that had gone unnoticed by human experts and automated tools for over two decades. Neither industry nor government can close that gap on their own.”

Like any tool, from the printing press onwards, it can be used for good or ill. What then of artificial intelligence, in the hands of cyber attackers and defenders alike?

Comments

Julian Totzek-Hallhuber, Senior Solutions Architect at Veracode says: “There may well be an opportunity for Claude Mythos AI to be net positive for defenders, but that can’t cloud awareness of the risks associated with an AI hacking tool, which remain very real. Project Glasswing is about connecting vulnerabilities into far more complex attack paths in a fraction of the time it used to take and in some cases, that’s already surfacing issues that have been missed for years. This shows just how quickly risk can build. Our own research recently revealed it takes organisations more than five months on average to fix vulnerabilities, so the ability to uncover and potentially exploit those at speed could significantly shift the risk landscape.

“But most organisations can’t actually use this yet as access is restricted to a curated set of launch partners – though today’s reports of unauthorised access highlight how difficult it can be to keep these capabilities contained. So, while the results are impressive, they are hard to test or validate in real environments. There are also early signals that shouldn’t be overlooked, including reports of the model stepping outside its expected boundaries, like attempting to communicate externally without authorisation.

“Crucially, Mythos only addresses vulnerability discovery and doesn’t cancel out the need for a strong security programme that covers the fundamentals. Teams still need the governance, process and expertise to fix things properly and reduce risk over time. What it does change is the pace and the pressure. As these capabilities become more widely available, both attackers and defenders will be working with much more powerful tools, and organisations need to be thinking about that now.”

Ori Bendet, VP of Product Management at Checkmarx called it encouraging that global regulators were taking AI-driven cyber risks seriously. “However, organizations shouldn’t wait for regulation to catch up and need to take a proactive approach now. Hackers don’t wait. The launch of Mythos and any future models may speed up the need for action to adapt to the AI-driven threat landscape, but the direction of travel has been clear for some time. This means that response cycles measured in days or weeks are no longer fit for purpose. Vulnerabilities that once required specialist expertise to exploit are now accessible to a much broader range of threat actors. Old risk and threat models which allowed vulnerabilities to exist in production need to be updated to reflect reality and the new ease of exploitation.”
