Experts warn cyber threat was already here

Dario Amodei, co-founder and chief executive officer of Anthropic, at the AI Impact Summit on Thursday, February 19, 2026, in New Delhi, India.
Prakash Singh | Bloomberg | Getty Images
Global banks, tech giants and governments have scrambled over the past month to contain the risks posed by Mythos, the Anthropic model said to be so powerful that it has found thousands of previously unknown vulnerabilities in the world’s software infrastructure.
There’s just one problem: The capability they’re worried about is already here.
Cybersecurity experts and artificial intelligence researchers told CNBC that the software vulnerabilities uncovered by Mythos could be found using existing models, including Anthropic and OpenAI models.
“What we’re seeing in the industry now is that people are able to reproduce the vulnerabilities found in Mythos through clever editing of publicly available models to achieve very, very similar results,” said Ben Harris, CEO of cyber security firm watchTowr.
Mythos has shaken managers and policymakers amid concerns that a dangerous new era of AI-enabled cybercrime may be around the corner. Anthropic has limited its release to a few American companies (Apple, Amazon, JPMorgan Chase and Palo Alto Networks) to reduce the risk of it falling into the hands of bad actors.
Despite this precaution, the release has prompted the Trump administration to consider new government oversight over future models.
This is the latest in a series of high-profile launches for Anthropic, which has intensified its rivalry with OpenAI as the two AI giants approach their highly anticipated initial public offerings. Weeks after Mythos’ arrival, OpenAI CEO Sam Altman announced a dedicated model, GPT-5.5-Cyber, specifically designed for cybersecurity.
On Thursday, OpenAI allowed vetted cybersecurity teams limited access to GPT-5.5-Cyber.
The controlled rollout of Mythos, part of a security measure called the Glass Wing Project, was meant to give the corporate world time to strengthen its cyber defenses against future attacks from criminal groups and hostile nations.
“The danger is the massive increase in the amount of vulnerabilities, the amount of breaches, and the financial damage that ransomware inflicts on schools, hospitals, and banks,” Anthropic CEO Dario Amodei said at an Anthropic event this week.
‘Scary enough’
But for those fighting in the trenches of cyberwar, one of the key capabilities Anthropic advertised, finding software vulnerabilities at scale, has been available since last year.
“The models we have now are powerful enough to detect zero days on a large scale, and that’s scary enough,” Klaudia Kloc, the CEO of cybersecurity firm Vidoc, told CNBC.
She said this had been the case for “several months, if not a year.”
The term “zero day” refers to a previously unknown and unpatched software flaw, giving attackers a window to exploit the bug before defenders can respond.
Researchers at Vidoc relied on a technique called “orchestration” to test whether they could find the same vulnerabilities that Mythos found. As the name suggests, the process involves creating workflows that break code into smaller pieces and coordinate between various tools or models to cross-check the results.
“We ran older models on the same code base to see if we could detect the same vulnerabilities,” Kloc said. “We did this with legacy models from both OpenAI and Anthropic.”
Another cyber security firm, Corridor, found that most of Mythos’ headline results could be reproduced using cheaper models running in parallel, which suggested that scale and coordination were more important than having the latest model.
“Thousands of competent detectives searching everywhere will find more mistakes than one brilliant detective who has to guess where to look,” Aisle founder Stanislav Fort wrote in a blog post.
In a statement to CNBC, Anthropic did not dispute that previous models had the ability to find software vulnerabilities.
In fact, Anthropic has been warning for months that AI’s cyber capabilities are rapidly advancing, a company spokesperson said. They pointed to a February blog post showing that Claude Opus 4.6, a widely available model, found more than 500 “high severity” vulnerabilities in open source software.
At this week’s Anthropic event, Amodei confirmed this point, saying that although the scale of software vulnerabilities found by Mythos has increased compared to previous models, this trend is not new.
“The risks are very real. That’s why we took the actions we did,” Amodei said. “But at the same time, in a way, they’re not that surprising. … We’ve been seeing warnings about this for a while.”
Hysteria and panic
What sets Mythos apart is its ability to take the next step, developing exploits that work with little or no human input, effectively automating a process that previously required skilled researchers, Anthropic’s spokesperson said.
But hackers working for criminal groups and hostile countries already have these skills, cyber researchers say. Hackers in North Korea, China and Russia “know how to do this, whether it’s Anthropic or not,” Kloc said.
The threat of AI-powered hacking has companies and government regulators worried about protecting critical systems from a new wave of ransomware and other types of attacks, according to Harris.
He described talks with banks, insurers and regulators in recent weeks as “hysteria”.
Even before the advent of generative AI, companies faced the problem of skilled hackers exploiting newly discovered vulnerabilities within hours, while patching code often took days or weeks. Some patches complicate matters by requiring important systems to be taken offline.
“The industry is panicking at the number of vulnerabilities they are currently facing,” Harris said. “But even before widespread availability, Mythos was not patching vulnerabilities quickly enough.”
According to Harris, previously only a small community of experts worldwide had the skills and time to find and exploit obscure vulnerabilities in software. With existing AI models, the barriers to entry for causing cyber havoc have been lowered.
This means banks and other targets will see more attacks, and software systems that were previously of little interest to cybercriminals will now face threats, Harris said.
Advantage: Offense
While Anthropic, OpenAI and others are trying to develop cyber-defense capabilities commensurate with the problems they identify, the initial advantage goes to offense, not defense, researchers say.
“There’s a significant increase in the volume of vulnerabilities being discovered, but they don’t appear to have a tool to help you fix them,” said Justin Herring, a partner at the law firm Mayer Brown and former deputy administrator for cybersecurity at New York’s financial regulator.
“Vulnerability management is a great Sisyphean cybersecurity mission,” Herring said.
The limited group that was part of the first Mythos release has a head start on fixing vulnerabilities, but there is a downside. AI researchers were not given access to Mythos to independently verify Anthropic’s claims or begin building defenses against it.
Some say this prevents the broader cyber community from becoming part of the solution.
It creates “layers of haves and have-nots” that can slow the pace of cybersecurity innovation, said Pavel Gurvich, the CEO of Tenzai, a cybersecurity startup that uses Anthropic’s models.
He said many cybersecurity startups are working on solutions that can help businesses in this new age of artificial intelligence.
“They’re trying to figure out the best way to fix the world before it becomes available to the world,” said Ben Seri, co-founder of cybersecurity startup Zafran Security. “It’s kind of a chicken-and-egg situation, and you’re going to break some eggs. It’s inevitable.”





