Anthropic says its latest AI model can expose weaknesses in software security

Anthropic on Tuesday said its yet-to-be-released artificial intelligence model called Claude Mythos has proven keenly adept at exposing software weaknesses.
Mythos has laid bare thousands of vulnerabilities in commonly used applications for which no patch or fix exists, prompting the San Francisco-based AI startup to form an alliance with cybersecurity specialists to bolster defenses against hacking and withhold wide distribution.
“We have a new model that we’re explicitly not releasing to the public,” Mike Krieger of Anthropic Labs said at a HumanX AI conference in San Francisco.
Instead, Anthropic is letting cybersecurity specialists and engineers in the open-source community work with Mythos to use the model as a defensive weapon “sort of arming them ahead of time”, Krieger explained.
Leaps in AI model capabilities have come with concerns about hackers using such tools for figuring out passwords or cracking encryption meant to keep data safe.
The oldest of the vulnerabilities uncovered by Mythos dates back 27 years, and none were ostensibly noticed by their makers before being pinpointed by the AI model, according to Anthropic.
Mythos is the latest generation of Anthropic’s Claude family of AI, and a recent leak of some of its code prompted the startup to release a blog post warning it posed unprecedented cybersecurity risks.
“AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities,” Anthropic said in a blog post. “The fallout – for economies, public safety, and national security – could be severe.”
Software vulnerabilities exposed by Mythos were often subtle and difficult to detect without AI, according to Anthropic. As an example, it said Mythos found a previously unnoticed flaw in video software that had been tested more than 5m times by its creators.
As a precaution, Anthropic has shared a version of Mythos with cybersecurity companies CrowdStrike and Palo Alto Networks, as well as with Amazon, Apple and Microsoft, in a project it dubbed “Glasswing”.
Networking giants Cisco and Broadcom are taking part in the project, along with the Linux Foundation, which promotes the free, open-source Linux computer operating system.
“This work is too important and too urgent to do alone,” Anthony Grieco, Cisco’s chief security and trust officer, said in a joint release about Glasswing. “AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back.”
Approximately 40 organizations involved in the design, maintenance or operation of computer systems are said to have joined Glasswing. Project partners are to share their Mythos findings, according to Anthropic, which is providing about $100m worth of computing resources for the mission. Early work with AI models has shown they can help find and fix software and hardware vulnerabilities at a pace and scale not previously possible, according to Grieco.
“The window between a vulnerability being discovered and being exploited by an adversary has collapsed – what once took months now happens in minutes with AI,” said Crowdstrike’s chief technology officer, Elia Zaitsev.
“Claude Mythos Preview demonstrates what is now possible for defenders at scale, and adversaries will inevitably look to exploit the same capabilities,” he added.
Anthropic said it has had discussions with the US government regarding Mythos despite a decree by the White House in February to terminate all contracts with the startup. That directive was put on hold by a federal court judge while a legal challenge by Anthropic works its way through the courts.