Anthropic Mythos raises security alarms

- Anthropic’s April 7 release of Claude Mythos Preview set off new security warnings after researchers said the model can autonomously find and exploit software flaws.
- Anthropic said Mythos helped identify vulnerabilities in major software, while Mozilla said Firefox 150 fixed 271 bugs found during early Mythos testing.
- Governments and infrastructure operators are shifting defenses toward continuous testing and patching. (schneier.com)

Anthropic’s April 7 release of Claude Mythos Preview triggered a new round of cybersecurity alarms after the company said the model can autonomously turn software flaws into working exploits. (red.anthropic.com)

Claude Mythos Preview is a restricted-access model that Anthropic says is unusually strong at computer security work, including finding vulnerabilities in operating systems and internet-facing software. Anthropic said it limited access instead of making the model public. (red.anthropic.com) (anthropic.com)

Anthropic paired the release with Project Glasswing, a program that gives selected defenders early access to test critical software before broader attackers can use similar systems. Launch partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. (anthropic.com)

The basic issue is simple: modern software is too large for humans to inspect line by line, and security teams usually find flaws only after products ship. Schneier and Barath Raghavan wrote that Mythos changes that balance by making high-end vulnerability research cheaper and more scalable. (schneier.com)

That shift is already showing up in concrete bug counts. Mozilla said Firefox 150, released this week, included fixes for 271 vulnerabilities identified during an early evaluation using Claude Mythos Preview. (schneier.com)

Anthropic’s own technical report said Mythos reached a level where the company judged unrestricted release too risky for cyber misuse. The company’s system card and risk report describe stronger controls, monitoring and limits on who can use the model. (red.anthropic.com) (anthropic.com)

Governments are responding as if the threat is no longer theoretical. India’s Computer Emergency Response Team, or CERT-In, warned that systems like Mythos can lower the cost and skill needed for automated attacks, and Indian officials moved to keep banks and insurers from testing or deploying it for now. (financialexpress.com 1) (financialexpress.com 2)

There is also a second alarm: access control. SiliconANGLE reported on April 22 that Anthropic was investigating claims that unauthorized users had accessed Claude Mythos, a model the company had kept restricted because of its cyber capability. (siliconangle.com)

Schneier’s argument is not that Mythos makes every hacker elite overnight. It is that defenders now have to assume machines can search enormous codebases for overlooked weaknesses faster than most human teams can patch them. (schneier.com)

Anthropic says the answer is to put these systems in defenders’ hands first and harden critical software before wider diffusion arrives. The next test is whether continuous AI-assisted auditing can outrun AI-assisted offense. (anthropic.com) (schneier.com)
