Cloudflare's security team evaluated Anthropic's Mythos AI model against fifty internal code repositories and concluded that vulnerability management requires revised architecture to handle AI-driven discovery and chained exploits
Assessment focused on practical security adjustments beyond faster patching.
#153Gary Marcus@GARYMARCUSterrific deep dive on Mythos from @cloudflare
Cloudflare@CloudflareCloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. https://cfl.re/49BRUqW
#1496Chubby♨️@KIMMONISMUSCloudflare pointed Anthropic's Mythos Preview at 50+ of their own repos.
They call it a step-function forward "Mythos Preview is a real step forward, and it's worth saying that plainly before getting into anything else."
The big finding isn't the bugs it caught - It's that the model can take several low-severity vulnerabilities - the kind that sit invisible in backlogs - and chain them into a single working exploit. Write the proof-of-concept. Compile it. Run it. Adjust when it fails. Try again.
That loop is what separates a scanner from a researcher.
The other finding security teams should pay attention to: "patching faster" is the wrong response. If your regression testing takes a day, a two-hour SLA just means you ship broken fixes. The architecture around the vulnerability matters more than the speed of the patch.
Mythos is not just hype. It shows its power in real-world use cases.
Cloudflare@CloudflareCloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. https://cfl.re/49BRUqW
#1988Daniel Jeffries@DAN_JEFFRIES1Finally a semi-useful read on Mythos that is free of myth and talks about what this means more practically (not this is the end of the world as we know it, but how do we deal with faster patches and attacks from AI as other models scale to chained exploits)?
This is the kind of conversation we need, not idiotic ones about the end of all software.
We need "what is the right answer?" because these models are coming and will get better so how to we put our heads together and make better/more secure software across the world?
And it can't just be patching the 100 or so projects that got access to Project Glasswing.
That is not gonna help the world.
We need to figure out how does everyone else who is not part of the special chosen people to get blessed with access to test and patch their stuff, aka the open source projects and closed software that is not Office or Cloudflare but the 99.99% of software that runs everything else in the world?
What is the right loop cycle to help people patch and fix things at the source?
In the long run, AI will make software more secure, not less.
But it will change how teams have to work to get there.
Figuring that out means putting it in more team's hands sooner rather than later.
Cloudflare@CloudflareCloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. https://cfl.re/49BRUqW