Initial Worries About AI Hacking Tool May Have Been Overblown, Experts Say

Initial concerns that a new artificial intelligence tool could massively boost cybercriminal capabilities appear to have been excessive, according to cybersecurity professionals evaluating the technology one month after its debut.

When Anthropic released its Mythos AI model in April, the company cautioned that the system had identified thousands of software security flaws spanning all major operating systems and web browsers, warning of potentially serious consequences if misused.

The announcement prompted swift government action across multiple nations, with officials meeting with banking institutions to evaluate potential risks. By early May, the White House was considering new regulations governing how AI models undergo safety testing before public release.

However, cybersecurity specialists have responded with greater restraint, with many suggesting the broader alarm has been disproportionate and that access to Mythos-level technology won’t immediately enable previously impossible criminal hacking operations.

“I think there’s a really big communication gap between practitioners and policymakers,” said Isaac Evans, founder and CEO of software security firm Semgrep. The model represents “a real technical advance,” he said, but the response “is not substantiated by what we actually know about how those capabilities will translate in the field.”

Nevertheless, specialists testing the model under controlled conditions have documented significant improvements in vulnerability detection, and banking sector technology teams are addressing numerous system weaknesses across both large and small financial institution networks, as reported on May 12.

Concerns intensified following continued reports of criminal and nation-state hacking incidents involving AI technology, including an announcement from a major tech company on May 11 about detecting the first instance of a significant cybercrime organization using AI to identify an unknown software vulnerability while planning widespread exploitation.

The disconnect between security professionals’ assessment of the threat level and policymakers’ perceptions has created a storyline positioning Mythos as central to an approaching security emergency, despite similar capabilities existing previously.

“We’ve been able to use AI to find more bugs than we know what to do with for months if not years,” said one person with extensive vulnerability research experience with early access to Mythos. The challenge is not finding vulnerabilities, they said, but validating, prioritizing and fixing them without breaking systems.

Organizations generally lack the capacity to process and validate large numbers of newly identified vulnerabilities, the person noted, and that shortfall is the primary challenge introduced by Mythos-level models. The person also acknowledged the model’s improvements. “It is capable of finding more with a weaker prompt than the models that came before it,” the person said, referring to the instructions a user provides the model to attempt to achieve a goal. Earlier models required more detailed and complicated instructions, the person said, meaning the barrier to entry has been lowered.

Anthony Grieco, senior vice president and chief security and trust officer at a major technology company, highlighted one beneficial new feature of Mythos: its capability to not only identify vulnerabilities but scan enormous amounts of code much more rapidly for those vulnerabilities and help experienced practitioners reduce false positive rates. This, he said, allows defenders to focus on the most pressing cyber risks in their contexts. The model also has fewer guardrails than previous models, allowing users to craft more specific instructions that enable activities that previous models would not.

Grieco emphasized that to fully harness Mythos’s capabilities, organizations require both adequate computing power and a comprehensive framework, a term for the computing environment within an organization in which a large language model operates with specific instructions and limitations.

“If you have a Formula One car but you’ve only ever driven a bike, you might be able to get it to go straight,” Grieco said. “But you’re not going to maximize the track time out of the gate.”

Despite this, Anthropic’s presentation and its decision to invite selected companies to test defenses through a program called Project Glasswing helped elevate discussion about the model far beyond traditional security communities. The outcome: a comprehensive response that magnified both the perceived threat and the company’s prominence, even as defense officials labeled Anthropic a supply-chain risk while other government departments sought access.

The White House is discussing with AI laboratories expanded use of their technology, a White House official confirmed. An Anthropic spokesperson stated the company is working “closely with the U.S. government to quickly advance shared priorities,” and collaborating with the government to provide more parties access to Mythos.

Mythos and another advanced AI model have dominated national security conversations about artificial intelligence. However, those discussions often overlook a fundamental point: AI-powered vulnerability detection isn’t novel. The genuine challenge lies in subsequent steps.

“Our adversaries have gotten really good without AI,” said Cynthia Kaiser, a former senior FBI cybersecurity official now working in the private sector. “Ransomware attacks are happening in under an hour,” she said, adding that most threats still don’t rely on AI at all.

Currently, Mythos’s scale and computing infrastructure requirements also restrict who can utilize it. However, those obstacles are unlikely to persist.

“I don’t think the architecture is optimized,” said Nick Adam of a financial services company during a panel discussion at a university. He referenced the computer processing infrastructure and framework issues identified by Grieco. “There’s a barrier to entry there — but it will be solved pretty quickly.”