Claude Mythos by Anthropic: An AI that Challenges Cybersecurity
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
Anthropic recently announced that it would not release its latest artificial intelligence model, Claude Mythos, due to concerns about its potential for misuse in cybersecurity. According to the company, this model is capable of autonomously detecting and exploiting security vulnerabilities on a large scale, which could cause chaos in the cybersecurity landscape.
An expert described Claude Mythos as an incredibly impressive model, emphasizing that it will only improve over time. This decision not to make the model public was made after Anthropic found that Mythos could identify, analyze, and exploit software vulnerabilities better than humans in some cases. The company referred to this capability as a "tipping point," as it would even allow non-cybersecurity professionals to find and exploit sophisticated vulnerabilities.
Anthropic's AI outputs have raised fears of a software apocalypse. In a blog post published on Tuesday, Anthropic clarified that Mythos could autonomously find, analyze, and exploit software vulnerabilities on a large scale — in some cases, better than humans. Anthropic called this a "tipping point," stating that Mythos is so powerful that non-cybersecurity professionals could use it "to find and exploit sophisticated vulnerabilities."
Cybersecurity experts told Business Insider that while Anthropic's announcement contains some marketing language, the model appears to represent a significant leap forward in AI capabilities in the cyber domain. Jake Moore, global cybersecurity specialist at ESET, stated: "Anthropic has built its reputation as a 'security-first' AI company, so announcements like this serve two purposes: genuine caution and a signal of its security-focused stance."
Method in the Mythos
Anthropic indicated that during its testing period, Mythos detected "thousands" of critical security flaws, including zero-day vulnerabilities, which have no immediate fixes. For comparison, elite human teams working on these issues discover about 100 of these vulnerabilities per year, said Ofer Amitai, co-founder of the startup Onit Security. "So, that's about 10 to 100 times the output of a high-level human team, and it reduces exploit development from weeks to hours," he added.
Large language models (LLMs), the underlying technology for AIs like Mythos, have become incredibly proficient in programming due to their strict rules and patterns. This also applies to cybersecurity, said Erik Bloch, vice president of information security at Ilumio. "LLMs are fundamentally language engines, and code is just another language," Bloch stated. "That's why it's not surprising that they can find bugs and vulnerabilities that humans or rule-based tools miss, especially subtle issues at the logic level."
However, questions remain regarding costs and scalability. Anthropic stated that it took $20,000 to find a 27-year-old vulnerability in an operating system after running Mythos thousands of times. "Given the costs, can this be scalable?" asked Kev Breen, senior director of cyber threat research at Immersive. "Where do we start? Are humans more scalable and affordable than AI agents?"
Offense versus Defense
Cybersecurity is an ongoing game of cat and mouse between those trying to break in and those attempting to keep attackers at bay. Which side benefits more from Mythos? In a world where a tool like Mythos would be publicly available, attackers would benefit more in the short term, cybersecurity experts claim.
"They can generate highly targeted phishing, convincing deepfakes, or exploitable chains of exploits with a single click," said Mike Britton, chief information officer at Abnormal AI. Then, as defenders adopt such tools, they would gain the upper hand. "Tools based on Mythos-like capabilities will allow them to find, sort, and fix vulnerabilities much more quickly throughout the lifecycle, shifting the advantage toward defense," Amitai stated.
Anthropic indicated that its own tests on Mythos included encouraging the AI to escape a virtual sandbox. An Anthropic researcher stated that he then received an "unexpected email from the model while eating a sandwich in the park."
"If the capabilities presented here are truly substantial and not just hype, then for my part, I have serious concerns about where we are headed," said Dan Andrew, head of security at Intruder, to Business Insider.
For now, Anthropic is making a preliminary version of Claude Mythos available to select companies — including Google, Microsoft, JPMorgan Chase, and CrowdStrike — to help test it in a controlled environment in what it calls "Project Glasswing."
"The consequences — for economies, public safety, and national security — could be severe," stated Anthropic. "Project Glasswing is an urgent attempt to put these capabilities to the service of defense." Andrew noted that while this seems "scary," he believes Anthropic considers the risk to be real as they "are not the worst offenders in terms of hype versus substance."
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.