CIISec Blog: Is Anthropic’s Mythos a security reckoning, a clever marketing ploy or a distraction?

Over the last few weeks, the profession has been rocked by Anthropic announcing its latest AI model, Claude Mythos. Designed to help with red teaming tasks, Mythos is supposed to be capable of outperforming humans. As part of the model’s development, Anthropic launched Project Glasswing, giving big-name tech and security companies early access to Mythos to help test it and ensure security.

The results of early tests were stark. According to Anthropic, within weeks Mythos “found thousands of high-severity vulnerabilities, including some in every major operating system and web browser”, some within minutes. One of these vulnerabilities had been present in a system for more than 27 years. On the surface, this sounds like the silver bullet the security profession has been searching for: rooting out critical vulnerabilities that have been lying dormant for decades and enabling teams to address them. Yet Mythos also suggested ways to exploit these gaps, making its insights arguably more valuable for attackers than defenders.

A debate has been raging ever since. Some commentators are suggesting Mythos could help cybercriminals execute breaches on an apocalyptic scale. Others have pointed out that cybercriminals don’t need AI models to launch successful attacks, or that the discovery of a 27-year-old vulnerability might be overstating an undeclared, non-critical weakness. And many believe Anthropic’s announcements are a thinly veiled marketing ploy – simultaneously showing the power of its AI, building hype, and reinforcing the company’s claim to be more security conscious than its competitors.

Regardless of which side of the fence you are on, Mythos has inspired questions and discussion. At the very least, Mythos has strengthened the general consensus that AI is accelerating change across the security landscape – for good and bad – and our need to adapt.

Mythos may reach general availability one day, and when it does it will, no doubt, play a role alongside other security tools. For the moment, while the AI tool may be able to identify exploits at scale, defence cannot be based solely on technology. Mythos, along with any other tool, lacks the contextual judgement that human practitioners bring. It can assess technical severity but, with limited visibility into the specific environment in which a vulnerability exists, cannot easily distinguish between theoretical and practical risk in a meaningful way. For example, a flaw may be technically exploitable. But if the underlying data is low value or the system is not meaningfully exposed, the real-world risk may be minimal. This means Mythos is likely to struggle to determine true business impact, or whether an attacker would even prioritise a given target.

Until AI can add this context, skilled professionals are still needed to ensure a deeper level of insight. The role of fixing the hard basics will continue to fall on the cyber security team. As AI becomes more powerful, getting cyber security basics right is still the most effective defence. This might not be the most exciting way to think about AI in cyber security, but it rings true. Patching, access management, understanding where your most important assets are, and prioritising defences will put any company on the front foot, even against an AI-aided adversary.

Focusing resources and budget on AI-identified threats that might not materialise risks wasting budgets that are already restrictive. It’s possible that the hype around AI threats is drawing attention away from real, tangible security challenges that already exist. Phishing of untrained employees, a lack of effective threat detection capabilities, fragmented responses, and an expanding attack surface, beyond AI, all remain major hurdles plaguing the security profession.

The message is clear: keep an eye on future developments, but avoid the hype and panic and get the basics right. Focusing on theoretical AI threats could be leaving the door open to traditional cyberattacks; after all, most successful breaches do not need a high-spec AI adversary behind them.
