Anthropic's Mythos Model Raises Cybersecurity Concerns

Anthropic announced on April 7 that its new general-purpose AI model, Mythos, had found thousands of severe security vulnerabilities, some missed by humans for over a decade. The company said the model could exploit every major operating system and every major web browser.

Engineers at the lab used the technology to find working hacks in a single night. Anthropic decided not to release Mythos beyond a group of trusted partners, giving defenders a head start. The announcement stated that it is about to become very difficult for the security community.

The warning reverberated worldwide and led the Trump administration to begin discussing a system to review new AI models.

Last year, coding tools from OpenAI and Anthropic helped developers produce millions of lines of new code. These tools are prone to creating errors and vulnerabilities that developers miss. More companies now use outside code libraries than before, which could allow hacks to spread if vulnerabilities exist in those packages.

Isaac Evans, CEO of cybersecurity startup Semgrep, said everyone is predicting a lot more hacking this year. His company recently found two vulnerabilities in its codebase, both contributed by Anthropic's Claude product. Evans noted that generating ten times the lines of code should be expected to produce ten times the number of vulnerabilities.

Feross Aboukhadijeh, CEO of cybersecurity startup Socket, said developers are reviewing new code less carefully. Combined with reliance on outside code libraries, this creates a perfect storm of danger, he said. The vulnerability surface of all software is expanding really quickly, Aboukhadijeh added.

Security teams already use new AI models to search for vulnerabilities while worrying about attackers gaining access to similar models. On April 7, the Mythos announcement triggered a reckoning for security teams worldwide. A team at Mozilla wrote that Mythos helped them find and fix more security bugs than they had in the previous year.

Researchers with the security firm Calif said Mythos helped them identify bugs in MacOS and figure out a way to corrupt part of the technology. Cybersecurity giants CrowdStrike, Palo Alto Networks, and Fortinet have each posted recent announcements warning about the potential dangers of frontier AI.

5 landing on top of other security issues, CISOs are living in the AI fog. Nair's company signed onto a partnership with OpenAI to try to beat back the storm of worries. Anthropic is also hatching partnerships, giving companies like Snyk a chance to try out the advanced tech.

Logan Graham, who heads Anthropic's frontier red team, wrote on X that his cybersecurity team is bringing Mythos to defenders as fast as they responsibly can. Security is always a team sport, Nair said. The model companies need to figure out that is how security works, he added.

UK government officials released an open letter about Mythos warning businesses to discuss cyber risk at their next board meeting and regularly thereafter. An OpenAI spokesperson pointed to recent cyber-focused announcements and releases aimed at helping defenders work more quickly and effectively.

The company's Daybreak page lets developers request a security scan.