Cutting edge: Anthropic’s Claude Mythos preview is a “double-edged sword,” expert says

And while it may only be the hands of the good guys at the moment… That moment cannot last. The horse will bolt.

The barndoor cannot be closed.

“This generational improvement in coding ability directly translates to a significant advance in vulnerability discovery and exploit generation. These capabilities, however guardrailed, will not stay contained,” Lee Klarich, Palo Alto Networks chief product & technology officer, said in a recent blog post.

“Similar advances will appear across other major AI labs, Chinese models, and open source models. Attackers will find the seams in those guardrails. They will use advanced AI to discover zero-day vulnerabilities at scale, generate exploits in near real time, and develop autonomous attack agents unlike anything the industry has faced.”

If you want an example, imagine what Chinese threat groups such as Volt Typhoon could do with access to a tool that can lay out zero-days for them to exploit for… Well, days.

The problem, as Klarich sees things, is that if you’re not reacting to this, if you’re not preparing for this, you’re already losing the race.

VIEW ALL

“Within six months, advanced AI models with deep cybersecurity capabilities will become commonplace,” Klarich said.

“Organisations that have not put appropriate safeguards in place will face an entirely new class of risk across their enterprise and critical infrastructure.”

Where to start getting ready

Guido Grillenmeier, Semperis’ Principal Technologist for the EMEA region, has a somewhat more whimsical – if no less concerning – take on the impact of Mythos.

“The situation reminds me a bit of the Sorcerer’s Apprentice – calling on (almost) magical power that we can’t quite yet control,” Grillenmeier said.

“And if we’re lucky enough, we’ll also just get wet feet like Mickey Mouse in Disney’s Fantasia Masterpiece, before some proper governance for releasing newly found power is in place!”

Grillenmeier said he is convinced that US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell must already be feeling the water sloshing around their ankles, and swiftly rising. When informed of the new model’s vulnerability-hunting capabilities, the pair summoned Wall Street leaders to an emergency meeting to make sure they’re properly prepared for this rising tide.

Speaking of models such as Mythos, Grillenmeier said that not only are they great at creating code and spotting vulnerabilities in it, but also at creating exploits to target those exact same vulnerabilities.

According to Grillenmeier, they often focus on “routines responsible for handling user authentication, as once you breach the authentication, you can rule the complete system”.

“This logic hasn’t changed – just the speed of finding new vulnerabilities has increased dramatically,” Grillenmeier said.

“As such, concentrating on your Identity Security will get you far to limit the blast radius, if a new vulnerability comes up from the trenches.”

Running the race

The wider situation is hardly new. As Grillenmeier notes, Jen Easterly, the CEO of RSAC, believes the biggest risk organisations currently face is the fact that the software we rely upon is basically unsafe.

“The hope is that with AI we will soon have the power to find those unfound risks in operating systems and various libraries used by everyone, as well as systems managing our digital identities,” Grillenmeier said.

“The key is to make use of this capability before the adversaries do – not just in the banking industry, but basically everywhere! Concentrating on your Identity Security is a proper first step, until you and your software providers can re-validate and patch all code running in your company. The race is on!”