Expert Opinion: Mythos means change is coming – are you prepared?
It is a rare day when AI is not making headlines, but the last fortnight has been particularly fevered thanks to Anthropic’s announcement of the Mythos tool that, it claims, can find and exploit software vulnerabilities like never before.
Soon after the announcement, OpenAI chimed in and said it too had a bug-finding model – ChatGPT 5.4 cyber – that was also poised to rip through digital defences at machine speed.
Anthropic claimed Mythos was too dangerous to release to the public. Instead, it brought together 40 big tech companies with whom it would share the vulnerabilities Mythos finds in their code, so that they could be patched before cybercrime groups exploited them. One opinion piece claimed that if Mythos were released to the public it would “crash the internet in a day”.
In addition, Anthropic plans to provide free AI processing capacity and cash to find vulnerabilities. The whole project to find and fix bugs was dubbed Project Glasswing.
Within 90 days, Anthropic said, it would release a report detailing what Mythos has found and fixed. Note 6 July in your diaries.
The announcement led the US government to convene a meeting with many CEOs to debate the possible impact of Mythos, ChatGPT 5.4 cyber and similar models and tools.
Concern about how potent Mythos might be prompted the CSA, SANS and OWASP to produce a long joint briefing paper, written with the help of several cyber security luminaries, to prepare security leaders for the coming “vulnerability storm”.
Busting the Mythos
Ten days after Mythos was announced, Anthropic’s claims have come under scrutiny. Some technical publications have reversed their original viewpoint and poured very cold water on its potential for causing harm.
Others, including professional bug hunters, have gone through the document Anthropic released detailing its vulnerability-finding capabilities and come away both puzzled and sceptical. That document, the model’s system card, does not use the language, standards of evidence or metrics that vulnerability hunters expect (reproducible proof-of-concept exploits, clear severity ratings and the like), and many of the claimed finds turn out to be human-aided rather than uncovered by Mythos acting alone.
They also point out that several other cybersecurity-tuned LLMs do as well as or better than Mythos, or can at least find the vulnerabilities it found, at a fraction of the cost.
Further, Mythos fails when it is turned against mature environments that, for instance, operate a SOC, have active incident response plans and promptly patch significant vulnerabilities in their estate, such as those run by many ISF Members.
It performs well only against weakly secured environments that have no response plans and do little or no monitoring, and those are very likely to be caught out by human cybercrime groups whether or not the attackers have AI help.
Preparing for change
Even if the claims surrounding Mythos are overblown, there is a core of truth here: tools of this kind are bringing about a significant change.
It looks likely that vulnerabilities will become easier to find, by defenders and attackers alike. This might mean we are entering an era in which software becomes more secure because so many latent bugs are found and fixed. And, as some have pointed out, there could be a lot of false positives to clear up too.
It is a truism that with enough eyes all bugs are shallow, but it is also true that criminals do not need a software vulnerability to breach an organisation. The wetware, i.e. people, is often the easier target, and patching those shortfalls is notoriously difficult. Scammers and extortionists have plenty of other tricks to try before they need to reach for an AI-aided vulnerability scanner.
One change is clear: the arrival of these tools will kick off a huge amount of work for organisations as they repeatedly review their assets to work out which, if any, of this tsunami of vulnerabilities they should react to first. The SOGP (the ISF’s Standard of Good Practice), with its baseline of controls around security, penetration testing and vulnerability management, plus the ISF’s guidance on vulnerability management, are both solid starting points.
Mapping those vulnerabilities to the assets they affect, and working out how the fixes interact with the other updates and patches already in flight, will add significant overhead to existing plans. And, unfortunately, attackers may well focus on the little-known software supplier that maintains a library everyone relies on without knowing it. Picking the right vulnerability at the right time is going to become essential.
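The triage problem described above, as an added illustration rather than anything from the ISF’s guidance, the SOGP or Anthropic’s work: a small Python scorer that ranks a constructed batch of findings by observed exploitation, exposure, asset criticality and confidence rather than by CVSS alone, gives a bonus to bugs in shared libraries that many systems pull in, and routes low-confidence findings to a verification queue so that likely false positives do not consume patch time. The field names, weights, SLA tiers and sample findings are all assumptions chosen for the example.

```python
"""Rank a flood of vulnerability findings so the team fixes the right ones first.

Added example for illustration only: not ISF guidance, not SOGP material, not
Anthropic or Project Glasswing code. The field names, weights, SLA tiers and
sample findings below are assumptions chosen to show the idea, not published figures.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    id: str                  # tracker reference (constructed)
    asset: str               # affected system or component
    cvss: float              # base severity, 0.0-10.0
    asset_criticality: int   # 1 (low) .. 5 (crown jewel), from the asset register
    internet_facing: bool    # reachable by an unauthenticated attacker
    exploit_observed: bool   # exploitation seen in the wild (e.g. a KEV-style feed)
    shared_dependency: bool  # lives in a library many internal systems pull in
    confidence: float        # 0.0-1.0 that the report is real, not a false positive


@dataclass(frozen=True)
class TriageItem:
    finding: Finding
    score: float
    sla_days: int


# Findings below this confidence go to a verification queue, not the patch queue (assumed).
VERIFY_THRESHOLD = 0.5


def priority_score(f: Finding) -> float:
    """Higher means fix sooner. CVSS alone is a poor ranking key: whether the bug
    is being exploited, whether the asset is exposed and what it is worth to the
    business matter more than the raw severity number."""
    score = f.cvss * (f.asset_criticality / 5)   # 0..10, scaled by business impact
    if f.exploit_observed:
        score += 4.0                              # attackers already have it
    if f.internet_facing:
        score += 2.0                              # no foothold needed to reach it
    if f.shared_dependency:
        score += 1.5                              # one fix, many affected systems
    score *= f.confidence                         # discount probable false positives
    return round(score, 2)


def sla_days(score: float) -> int:
    """Map a score to a remediation deadline in days (assumed tiers)."""
    if score >= 12.0:
        return 2
    if score >= 8.0:
        return 14
    if score >= 4.0:
        return 30
    return 90


def triage(findings: List[Finding]) -> List[TriageItem]:
    """Patch queue: credible findings, highest score first."""
    items = []
    for f in findings:
        if f.confidence < VERIFY_THRESHOLD:
            continue
        s = priority_score(f)
        items.append(TriageItem(f, s, sla_days(s)))
    return sorted(items, key=lambda i: i.score, reverse=True)


def verification_queue(findings: List[Finding]) -> List[Finding]:
    """Findings a human must confirm before anyone spends patch time on them."""
    return [f for f in findings if f.confidence < VERIFY_THRESHOLD]


# Constructed sample batch: a mix of severities, exposures and confidence levels.
SAMPLE_FINDINGS = [
    Finding("F-001", "payments-api",      9.8, 5, True,  True,  False, 0.90),
    Finding("F-002", "hr-intranet",       9.8, 2, False, False, False, 0.80),
    Finding("F-003", "vendored libparse", 7.5, 3, False, False, True,  0.70),
    Finding("F-004", "build-runner",      6.5, 4, False, True,  False, 0.20),
    Finding("F-005", "public-website",    5.3, 3, True,  False, False, 0.95),
]


if __name__ == "__main__":
    for item in triage(SAMPLE_FINDINGS):
        f = item.finding
        print(f"{f.id} {f.asset:<18} cvss={f.cvss:<4} score={item.score:<6} fix within {item.sla_days}d")
    for f in verification_queue(SAMPLE_FINDINGS):
        print(f"{f.id} {f.asset:<18} confidence={f.confidence}: verify before scheduling")
```

Run as a script, it puts the exploited, internet-facing payments bug at the top with a two-day deadline, and ranks the CVSS 9.8 finding on the internal HR system below a CVSS 5.3 issue on the public website; the build-runner report, despite being a known-exploited bug, lands in the verification queue because the scanner’s own confidence in it is low. Swap the weights for your organisation’s risk appetite, and feed the scorer from your asset register and threat intelligence rather than the hard-coded batch.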
So, how should organisations respond to the emergence of Mythos and its ilk? This checklist can help organisations prepare and assess what needs tuning to cope.
• Use AI tools similar to Mythos, or existing penetration testing tools, to find and fix vulnerabilities in the organisation’s own codebase.
• Investigate whether AI-based coding tools can accelerate development and drive more secure patterns of working.
• Review existing vulnerability management and patching plans to see whether they can cope with a significant upturn in activity.
• Check how the organisation responds to incidents arising from software vulnerabilities – can it cope with many simultaneous issues?
• Develop an understanding of which of the organisation’s platforms and applications are critical and would cause the most damage if compromised.
• Concentrate on the basics, but measure how well the organisation performs against these foundational capabilities and plot a path to maturity.
• Look after colleagues and watch for any who are approaching burnout.
• Talk to peers and key suppliers about defences and threat intelligence.
Executing across several, let alone all, of the items on this list is not trivial. It will involve significant strategic change to an organisation’s security arrangements. The ability of the organisation to handle the needed changes, and recognise when it is struggling, will be key.
The ultimate aim for an organisation is to become more resilient, by which is meant the ability to respond quickly to intrusions or serious interruptions and either keep operations running or recover with minimal disruption.
How the ISF can help
The ISF’s work on Protecting the Crown Jewels is an important part of this, as it lays out the action plan an organisation can follow to understand what matters most in times of trouble. It shows which parts of the estate must be preserved and which, for the moment, can be set aside while recovery proceeds.
We’ve been living in an AI-driven world for some time and the ISF’s Insights series on AI lays out the landscape of this territory and how organisations can cope with it.
This potent software is changing the way organisations operate, and how practitioners react, in unexpected ways. Developing good practice to cope will take time as the full effects of these changes make themselves felt. ISF Members that require help are encouraged to contact the research team to continue the conversation about what needs to be done.
Time to get to work.