Anthropic’s Mythos Will Force a Cybersecurity Reckoning—Just Not the One You Think

by · WIRED


Anthropic said this week that the debut of its new Claude Mythos Preview model marks a critical juncture in the evolution of cybersecurity, representing an unprecedented existential threat to existing software defense strategies. So, is it more AI hype—or a true turning point?

According to Anthropic, Mythos Preview crosses a threshold of capabilities to discover vulnerabilities in virtually any and every operating system, browser, or other software product and autonomously develop working exploits for hacking. With this in mind, the company is only releasing the new model to a few dozen organizations for now—including Microsoft, Apple, Google, and the Linux Foundation—as part of a consortium dubbed Project Glasswing. But after years of speculation about how generative AI could impact cybersecurity, the news this week ignited controversy about whether a reckoning has really arrived and what it might look like in practice.

Some are extremely skeptical of Anthropic's claims. They argue that existing AI agents can already help users find and exploit vulnerabilities much more easily and cheaply than ever before, and that this reality is fueling refinements in how companies discover and patch their software without fundamentally changing the paradigm. And then there's the ick factor that Anthropic will almost certainly benefit financially from positioning its latest model as mysterious, uniquely powerful, and exclusive. Other researchers and practitioners, though, say that they agree with Anthropic's assessment and point out that the company has said Mythos Preview is just the first to achieve capabilities that will ultimately be widely available in other models.

“I typically am very skeptical of these things, and the open source community tends to be very skeptical, but I do fundamentally feel like this is a real threat,” says Alex Zenla, chief technology officer of cloud security firm Edera.

Zenla and others specifically point to one Mythos Preview capability as the pivot point. Generative AI, they say, is now getting more capable at identifying and developing what are known as “exploit chains,” or groups of vulnerabilities that can be exploited in sequence to deeply compromise a target—essentially Rube Goldberg–machine-style hacking. Many of the most sophisticated hacking techniques employ exploit chains, including so-called zero-click attacks that compromise a system without requiring any interaction from a user.

“We are already living in the world where companies run vulnerable software, vulnerable hardware, and struggle to patch. Many companies are not capable of securing their infrastructure—that hasn’t really changed from yesterday to today,” says longtime security engineer and researcher Niels Provos. “But from what I understand, Mythos is really good at coming up with multistage vulnerabilities, and then also provides the proof of exploitation. I don’t think it intrinsically changes the problem space, but it changes the required skill level to find these vulnerabilities and exploit them.”

A limited release of Mythos Preview to Project Glasswing participants only gives defenders a small lead time to find weaknesses in their own systems using the model and start to grapple more broadly with how software development, update cycles, and patch adoption need to change before attackers have widespread access to such capabilities themselves.

Industry leaders seem to be heeding the warning. Anthropic's frontier red team lead, Logan Graham, told WIRED on Tuesday that as the company reached out to organizations about Project Glasswing ahead of this week's announcement, the phone calls got shorter and shorter because the potential threat was becoming more obvious.

“This is an issue that involves all of the model developers. Our goal here is just to kick things off,” Graham said. “It's really important that Mythos Preview gets in the hands of defenders to give a head start.”

The people considering the impacts of Mythos Preview extend far beyond tech firms. Bloomberg reported this week that US Treasury secretary Scott Bessent and Federal Reserve chair Jerome Powell convened a meeting of finance sector leaders at the Treasury’s headquarters in Washington, DC, on Tuesday to discuss the potential impacts of models like Mythos Preview on cybersecurity.

Jeetu Patel, president and chief product officer of Cisco, which is a member of Project Glasswing, told WIRED at the HumanX AI conference in San Francisco that Mythos Preview “is a very, very big deal.”

“In the long run, you want to make sure that your defenses are machine-scale, because the attacks are machine-scale,” Patel said. “If I have billions of agents that are going to be attacking my infrastructure, I need to make sure that I can defend it effectively. What Anthropic did here is a fantastic thing, because it just creates a level of asymmetry against the bad actors.”

Still, some argue that the frenzy is overblown—a splinter of the overall AI hype cycle. “It's every spaghetti Western ever where big-tent preachers say the end is nigh and then skip town with everyone's money,” says longtime security and compliance consultant Davi Ottenheimer. “It's a shift, like learning how to fight with machine guns when others are still using bolt-action rifles, but it's not magical and mystical.”

Some argue, though, that given how long it takes for these mentality shifts to proliferate across all industries and organizations, it can be useful to seize on specific incidents or advances as an opportunity to raise awareness. Other cybersecurity reckonings have come after catastrophic breaches like the Aurora attacks on Google that highlighted the importance of “zero trust” architecture, or the SolarWinds and Log4Shell hacking sprees that popularized a “secure by design” approach to software development. Anthropic argues that the debut of Mythos Preview can be used as a more prudent type of inflection point, because it is still a warning of what could be to come, not a real-world demonstration of a worst-case scenario.

Security experts also say that the moment presents an opportunity to address shortcomings in how software is currently developed.

“For decades, we have built an enormous global industry to defend, detect, and respond to ‘vulnerabilities’—flaws and defects in software—that should never have existed in the first place,” Jen Easterly, the longtime cybersecurity practitioner and former US Cybersecurity and Infrastructure Security Agency director, wrote on Wednesday. Project Glasswing, she argues, could usher in “a future in which AI helps us move beyond endlessly defending against flawed software and toward building technology that is more secure from the start. Not the end of cybersecurity as a mission, but the beginning of the end of cybersecurity as we know it.”

Edera's Zenla emphasizes that Mythos Preview is not a lightning bolt that will change everything overnight. Instead, she says, it is another step toward the security version of infinite monkeys at infinite typewriters eventually producing Shakespeare.

“If you get a million vulnerability researchers, they can find a huge number of bugs. But humans are not very good at holding lots of contextual information in their minds for long periods of time, so finding very long chains of vulnerabilities that are actually exploitable together has been rare,” she says. “Mythos and models like it will accelerate the pace at which attackers will be able to group vulnerabilities into sets that can work together. Some people are going to be grumpy about it for a long time, but I do think the dynamic has shifted.”

Additional reporting by Maxwell Zeff.