There is so much misinformation about the Anthropic Mythos release that it is giving me Gell-Mann whiplash. Please stop taking claims and counterclaims from people running early application security startups as evidence of any kind about what models curently can or can’t do. Unless you have literally looked over the findings they have reported, in which you should still treat it as non-evidence, because you have no idea if that finding was reported by actually running the AI scaffolding that they mentioned, or was found by an employed security researcher in a trench coat, or came from an AI but was filtered from thousands of other false positives, or any one of the million other adversarial things an AI appsec startup can do to make it look like “we’ve been able to find 0-days for many months”.
I work at a threat intelligence company and my default view is that Mythos is likely under-hyped for SWE and overhyped for cyber.
People VASTLY underestimate how easy it is to break into the vast majority of organizations. There is no need to design custom 0-Days because you can simply log-in (or run a session replay attack) using credentials/sessions freely available on the dark web. I would put forward that if Mythos was released tomorrow with standard API guardrails you would not see an explosion in cyberattacks.
However, the one exception is that organizations that already heavily invest in security (think Google) would have a new major attack surface to cover, and you may see an increase in sophisticated actors attacking other sophisticated actors because it changes offense-defense balance in favor of offense.
There is so much misinformation about the Anthropic Mythos release that it is giving me Gell-Mann whiplash. Please stop taking claims and counterclaims from people running early application security startups as evidence of any kind about what models curently can or can’t do. Unless you have literally looked over the findings they have reported, in which you should still treat it as non-evidence, because you have no idea if that finding was reported by actually running the AI scaffolding that they mentioned, or was found by an employed security researcher in a trench coat, or came from an AI but was filtered from thousands of other false positives, or any one of the million other adversarial things an AI appsec startup can do to make it look like “we’ve been able to find 0-days for many months”.
I work at a threat intelligence company and my default view is that Mythos is likely under-hyped for SWE and overhyped for cyber.
People VASTLY underestimate how easy it is to break into the vast majority of organizations. There is no need to design custom 0-Days because you can simply log-in (or run a session replay attack) using credentials/sessions freely available on the dark web. I would put forward that if Mythos was released tomorrow with standard API guardrails you would not see an explosion in cyberattacks.
However, the one exception is that organizations that already heavily invest in security (think Google) would have a new major attack surface to cover, and you may see an increase in sophisticated actors attacking other sophisticated actors because it changes offense-defense balance in favor of offense.