Anthropic myths will force a cybersecurity calculus, but it’s not the way you think

Anthropy said this The week the emergence of the new Claude Mythos Preview model marks a critical juncture in the evolution of cybersecurity, presenting an unprecedented existential threat to existing software defense strategies. So, is this just AI hype or a real turning point?

According to Anthropic, Mythos Preview goes beyond capabilities to discover vulnerabilities in almost any operating system, browser, or other software product, and independently develop exploits. With this in mind, the company is only releasing the new model to a few dozen organizations at the moment — including Microsoft, Apple, Google, and the Linux Foundation — as part of a consortium dubbed Project Glasswing. But after years of speculation about how generative AI might impact cybersecurity, the news this week sparked debate about whether computation has actually arrived and what it might look like in practice.

Some are very skeptical of Anthropic claims. They argue that existing AI agents can already help users find and exploit vulnerabilities more easily and cheaply than ever before, and that this reality is fueling improvements in how companies detect and patch their software without fundamentally changing the paradigm. And then there’s the nasty factor that Anthropic will almost certainly benefit financially from positioning its latest model as uniquely and exclusively mysterious and powerful. However, other researchers and practitioners say they agree with Anthropic’s assessment and point out that the company said the Mythos Preview is the first to achieve capabilities that will eventually be widely available in other models.

“I’m usually very skeptical of these things, and the open source community tends to be very skeptical, but fundamentally I feel like this is a real threat,” says Alex Zinla, chief technology officer at cloud security company Edera.

Zenla and others specifically point to one Mythos Preview capability as the focal point. They say generative AI is now better able to identify and develop what are known as “exploit chains,” or sets of vulnerabilities that can be exploited sequentially to deeply compromise a target — essentially a Rube Goldberg-style hacking machine. Many of the most sophisticated hacking techniques use exploit chains, including so-called zero-click attacks that compromise the system without requiring any user interaction.

“We already live in a world where companies are running vulnerable software, vulnerable hardware, and struggling to patch. Many companies are unable to secure their infrastructure — and that hasn’t really changed from yesterday to today,” says security engineer and long-time researcher Niels Provos. “But from what I understand, Mythos is really good at discovering multi-stage vulnerabilities, and then also providing proof of exploitation. I don’t think it fundamentally changes the problem space, but it changes the skill level required to find and exploit these vulnerabilities.”

The limited release of Mythos Preview to Glasswing project participants gives defenders only a small window of time to find vulnerabilities in their own systems using the model and begin to grapple more broadly with how software development, update cycles, and patch adoption have changed before attackers can gain widespread access to these capabilities themselves.

Industry leaders appear to be heeding this warning. Logan Graham, leader of Anthropic’s Red Frontier Team, told WIRED on Tuesday that as the company reached out to organizations about the Glasswing project ahead of this week’s announcement, the phone calls became shorter and shorter as the potential threat became clearer.

“This is an issue that cuts across all model developers,” Graham said. “Our goal here is just to get things started.” “It’s really important to get the Mythos Preview into the hands of defenders to give them a strong start.”