Anthropic PBC has said its new artificial intelligence tool, Mythos, is so good at finding vulnerabilities in software and computer systems that it can’t be released to the general public. The AI giant initially released Mythos to a small group of carefully chosen parties because if a tool this powerful fell into the wrong hands, Anthropic says, it could help attackers more easily steal data or disrupt critical infrastructure.
That risk was underscored when a small group of unauthorized users in a private online forum gained access to Mythos in April, according to a person familiar with the matter and documentation viewed by Bloomberg News.
Even so, Anthropic is allowing 150 additional organizations around the world to access Mythos, bringing the total groups with access to about 200. The new organizations are based in 15 countries and span industries such as power, healthcare and communications, the company said.
For the last several years, cybersecurity companies have promised that artificial intelligence will speed up and automate some of the work of preventing digital breaches. But hackers and cyberspies have discovered the advantages of AI too. The advent of Mythos and models like it that can exploit well-hidden flaws in popular software without human supervision points to a faster-moving, less predictable phase of the cyber arms race.
What is Mythos?
Claude Mythos Preview is a general purpose AI model that Anthropic says significantly outperforms prior offerings on a range of benchmarks, including for coding and reasoning. The company explained that some AI models have reached a level of coding capability that allows them to beat all but the most skilled humans at finding and exploiting software vulnerabilities.
According to Anthropic, Mythos Preview has already found thousands of “zero-day” vulnerabilities during testing, including in every major operating system and every major web browser. “Zero days” are flaws that were previously unknown to the software’s developers — the name implying they have zero days to come up with a patch to resolve the problem. These often represent a gold mine for hackers because they offer a window of free rein inside vulnerable systems.
Mythos was able to identify these with even less human intervention than past models, Anthropic said. “Mythos Preview demonstrates a leap in these cyber skills — the vulnerabilities it has spotted have in some cases survived decades of human review and millions of automated security tests,” the company said. In the hands of a ransomware gang or hostile governments, such a tool could lead to more devastating and frequent cyberattacks.
Read More: Inside Anthropic’s Race to Assess the Dangers of Mythos
Researchers say they have not been given access to independently verify Anthropic’s claims about Mythos’s performance. Gang Wang, an associate professor of computer science at the University of Illinois, said it’s hard to assess the significance of Mythos Preview without more hands-on testing.
Who is being given access to Mythos?
In April, Anthropic granted access to a limited group of vetted partners, an initiative it calls Project Glasswing , after a type of butterfly with transparent wings that allow it to hide in plain sight. The core participants include Amazon.com Inc. , Apple Inc. , Alphabet Inc. ’s Google, Microsoft Corp. , Nvidia Corp. , Palo Alto Networks Inc. , CrowdStrike Holdings Inc. , Broadcom Inc. , Cisco Systems Inc. , JPMorganChase and the Linux Foundation , a nonprofit that supports open-source software projects. It soon extended access to about 40 other organizations. Anthropic described the project as “an urgent attempt to put these capabilities to work for defensive purposes.”
As of early June, the company is expanding Project Glasswing to an additional 150 organizations. Though Anthropic declined to name the additional participants, it said the group includes companies and nonprofits that produce key programming code for broader use. People familiar with the matter have said that the European Union’s cybersecurity body will be granted access to the software.
These organizations will use Mythos as part of their defensive security work. Many companies already use so-called penetration exercises, in which they hire specialists to probe their systems for bugs so they can fix them before hackers get in. Mythos could let companies turbocharge that process, allowing them to find more flaws more quickly and narrow the opportunities for potential attacks.
Why does Anthropic consider the release of Mythos a “watershed moment”?
Anthropic described Mythos Preview as “a watershed moment for security.” By their nature, zero-day vulnerabilities are difficult to find, and a small and murky industry has been built around finding them and selling them to government intelligence agencies, sometimes for millions of dollars. According to Anthropic, the vulnerabilities Mythos Preview found were often “subtle and difficult to detect” and included a 27-year-old flaw in OpenBSD, an operating system that Anthropic says has a reputation as one of the most security-hardened in the world. Since Mythos was launched, the software has been used to find over 10,000 serious vulnerabilities, Anthropic said on May 22 .
Mythos was also allegedly able to turn vulnerabilities that are known but not widely patched into “exploits” that hackers could use to infiltrate computer networks. For instance, it found and chained together several flaws in the Linux kernel — the core of the operating system and software that runs most of the world’s internet servers — to allow an attacker to take complete control of the machine. Non-experts also asked Mythos Preview to find ways to remotely take control of computers overnight and came back the next morning to a complete, working exploit, Anthropic said.
Mythos is one of several new AI tools able to find zero days or build exploits. OpenAI’s Codex Security and Google’s “Big Sleep agent” have been developed to find vulnerabilities. OpenAI is also finalizing a product with advanced cybersecurity capabilities that it intends to release to select partners, Axios reported . Researchers at an Israeli cybersecurity startup called Buzz, meanwhile, say they have built an autonomous tool combining five AI agents that has a 98% success rate in exploiting known flaws.
What safeguards are in place?
The safeguards are a work in progress, according to Anthropic. “We have seen it reach unprecedented levels of reliability and alignment,” Anthropic wrote, meaning it aligns with what humans want. “However, on rare occasions when it does fail or act strangely, we have seen it take actions that we find quite concerning.”
In one instance , a researcher urged an early version of Mythos to try to escape a secured, isolated “sandbox” computer and then find a way to send a message to that person. The tool succeeded but then continued to take “additional, more concerning actions,” developing a multistep exploit to gain internet access.
Anthropic said it doesn’t plan to make Mythos Preview generally available, given its potential for misuse. Still, the company ultimately hopes to enable users to deploy “Mythos-class models” at scale. “To do so, we need to make progress in developing cybersecurity (and other) safeguards that detect and block the model’s most dangerous outputs,” it said.
For the highest severity bugs found by Mythos, humans are involved: Specialists validate those discoveries before sending the information on to the people who maintain the code, according to Anthropic. It’s a necessary but time-consuming process, but one that may eventually be eliminated as the model improves, the University of Illinois’ Wang said.
Does Mythos give cybersecurity defenders an advantage over hackers?
Maybe, but it might take a while. Anthropic’s process for disclosing flaws to the people who maintain the software or computer systems can be lengthy. So far, about 14% of the “high- or critical-severity bugs” Mythos Preview has uncovered have been patched, the company said on May 22.
At the same time, hackers are using AI to dramatically speed up how quickly they find and exploit vulnerabilities once they are disclosed. (Vendors are encouraged, and in some cases required, to publicly disclose vulnerabilities once they are discovered, and ideally provide a fix.) This gives cyber professionals less and less time to patch their networks. In a March 30 blog post, Palo Alto Networks Chief Executive Officer Nikesh Arora warned that the barrier for sophisticated attacks will continue to diminish over the next six months. “A single bad actor will now be able to run campaigns that required entire teams,” he wrote .
Yair Saban, chief executive officer of Buzz and a veteran of Israel’s Unit 8200 cyber unit, said it took six engineers three weeks to build their AI-powered hacking tool. Others, including nation-state cyber spies and criminal hackers, can surely do the same, he said.
Anthropic maintains that Mythos Preview and other AI tools like it will ultimately favor defenders. “In the long run, we expect that defense capabilities will dominate: that the world will emerge more secure, with software better hardened — in large part by code written by these models,” the company’s Frontier Red Team said in an April 7 blog . “But the transitional period will be fraught.”