A single AI model has caused a stir in the cybersecurity industry not by being hackable, but by being very good at finding vulnerabilities.
Anthropic’s Mythos, released earlier this month to a controlled group of 40 organizations, has already triggered about 150 software updates at a major U.S. bank, and cybersecurity officials are warning that the pace of discoveries could outstrip companies’ ability to safely deploy fixes.
Mythos was created by Anthropic to identify cybersecurity vulnerabilities at a faster rate than human analysts. In the weeks following its restricted release, results started coming in from the technology stacks of the organizations that received it.
According to the Financial Times, Fifth Third Bank CFO Brian Preston said that the bank’s technology vendor, Microsoft, has offered about 150 software updates since the release of Mythos.
Jeetu Patel, president and chief product officer of Cisco, explained the impact of the model in terms of a before and an after. “When you consider that there’s a pre-Mythos world and a post-Mythos world,” Patel said. Cisco is one of a handful of United States companies that have gained access to the model, along with Amazon, Microsoft and JPMorgan Chase.
The number of bugs discovered through Mythos has brought an additional challenge: a lot of patches are coming out very quickly. “There is a possibility of flooding with segments,” warned Haider Pasha, chief security officer for EMEA at Palo Alto Networks.
Fixing security vulnerabilities often requires system downtime, which critical infrastructure companies can only take during scheduled maintenance periods.
“The challenge with patching is that you actually have to take your systems down sometimes,” Patel said, “and most organizations can’t afford downtime.” For hospitals, utilities and financial institutions running legacy software on tight operating schedules, this barrier isn’t theoretical, it’s structural.
The concern goes beyond patching to how Mythos interacts with its users. According to Palo Alto Networks, the technology will spread beyond the safe confines of models designed by U.S. companies and allow hostile groups to create, as Pasha says, “autonomous attack agents like the industry has never seen before.”
The ability to chain different vulnerabilities into a sequence of attacks along a single attack path shows how much more advanced adversarial AI has become.
It was confirmed earlier this week that Anthropic is currently looking into unauthorized access to its technology through third-party platforms, adding further pressure on the organization from central banks, regulators and institutions that need faster access to Anthropic’s product, which it has so far denied them.
Cybersecurity officials with access to Mythos told the FT that joint action “across the public and private sectors” is now necessary to protect critical infrastructure.
