Anthropic Unveils 'Claude Mythos', Powerful AI With Major Cyber Implications
- Reference: 0181404286
- News link: https://it.slashdot.org/story/26/04/07/2115208/anthropic-unveils-claude-mythos-powerful-ai-with-major-cyber-implications
- Source link:
> Mythos is not an incremental improvement but a step change in performance over Anthropic's current range of frontier models: Haiku (smallest), Sonnet (middle ground), and Opus (most powerful). Mythos sits in a fourth tier named Copybara, and Anthropic describes it as superior to any other existing AI frontier model. It incorporates the current trend in the use of AI: the modern use of agentic AI. "The powerful cyber capabilities of Claude Mythos Preview are a result of its strong agentic coding and reasoning skills... the model has the highest scores of any model yet developed on a variety of software coding tasks," notes Anthropic in a blog titled Project Glasswing -- Securing critical software for the AI era.
>
> In the last few weeks, Mythos Preview has identified thousands of zero-day vulnerabilities with many classified as critical. Several are ten or 20 years old -- the oldest found so far is a 27-years old bug in OpenBSD. Elsewhere, a 16-years old vulnerability found in video software has survived five million hits from other automated testing tools without ever being discovered. And it autonomously found and chained together several in the Linux kernel allowing an attacker to escalate from ordinary user access to complete control of the machine. [...] Anthropic is concerned that Mythos' capabilities could unleash cyberattacks too fast and too sophisticated for defenders to block. It hopes that Mythos can be used to improve cybersecurity generally before malicious actors can get access to it.
>
> To this end, the firm has announced the next stage of this preparation as Project Glasswing, powered by Mythos Preview. Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. "Project Glasswing is a starting point. No one organization can solve these cybersecurity problems alone: frontier AI developers, other software companies, security researchers, open-source maintainers, and governments across the world all have essential roles to play." Claude Mythos Preview is described as a general-purpose, unreleased frontier model from Anthropic that has nevertheless completed its training phase. The firm does not plan to make Mythos Preview generally available. The implication is that 'Preview' is a term used solely to describe the current state of Mythos and the market's readiness to receive it, and will be dropped when the firm gets closer to general release.
[1] https://www.securityweek.com/anthropic-unveils-claude-mythos-a-cybersecurity-breakthrough-that-could-also-supercharge-attacks/
[2] https://slashdot.org/~wiredmikey
[3] https://www.anthropic.com/glasswing
Great, more marketing myths (Score:1)
Seriously, this constant delivery scam has to stop. And, again, because some some people still do not get what is going on: Finding some vulnerabilities is an attacker skill and of relatively low value for defenders. The only thing that really counts for defenders is which vulnerabilities this thing does not find. Quite non-surprisingly, there is no information on that.
Re: (Score:3)
That is a remarkable take, and not in a good way. Not defending AI, just appalled by the disrespect for finding and fixing vulnerabilities. Finding vulnerabilities is a core part of closing them, it doesn't only matter when an attacker does it.
Re: Great, more marketing myths (Score:1)
You need to understand that gweihir here has staked his whole, admittedly limited, reputation on AI being nothing more than a regular expression or some ridiculous shit. He is like a 3 time Trump voter who knows he is wrong but it overly invested
Re: (Score:2)
> Seriously, this constant delivery scam has to stop. And, again, because some some people still do not get what is going on: Finding some vulnerabilities is an attacker skill and of relatively low value for defenders. The only thing that really counts for defenders is which vulnerabilities this thing does not find. Quite non-surprisingly, there is no information on that.
You can thank AI for your most recent OpenSSL patches. If you think this is not going to fundamentally change the cybersecurity landscape I don't think you are paying attention much. Whatever bubble chatbots and agents may be going forward, this is not part of it.
[1]https://aisle.com/blog/what-ai... [aisle.com]
[1] https://aisle.com/blog/what-ai-security-research-looks-like-when-it-works
Re: (Score:3)
Yeah, "LLM's are gods" and "statistical ML networks are good at finding defective code patterns" are extremely different claims.
The people who are True Believers on both extremes look pretty silly.
I appreciate really good closed captioning while having no use for chatbots. Both ends get to call me a heretic!
Re: (Score:2)
You have actually managed to [1]out-stupid yourself [theregister.com]. I didn't think it could be done!
[1] https://www.theregister.com/2026/03/26/greg_kroahhartman_ai_kernel
It is the best of times, it is the worst of times (Score:2)
At last month's RSAC conference many of the presentations and vendor sales pitches had an AI component. Talking about how AI could be used for cyber-security defense, and cyber-security offense. And the general consensus was that the next few years were going to be very very interesting in the cyber-security world.
will it be de-tuned in periods of heavy use... (Score:2)
...like they do with Opus?
Opus is a nice help when trying to get past a coding problem, but during high-demand periods, the output of Opus declines so much that it becomes unusable. It reasons in circles, and starts outputting code that is one step above nonsense, and then can't live-update artifacts anymore, so you blow through you session in minutes, when it should take hours.
Re: (Score:2)
I generally use Sonnet, it is very capable for most things and cheaper. If it gets stuck or starts to struggle I switch to the better model.
Costly status quo? (Score:2)
> It's already powering Project Glasswing, a joint effort with major tech firms to secure critical software. But the same capabilities could also accelerate offensive cyber operations.
In other words, it's using horrendous amounts of power and causing untold environmental damage, while maintaining the existing overall parity between the bad guys and the worse guys. Got it.
Re: (Score:3)
"...while maintaining the existing overall parity between the bad guys and the worse guys."
In reality, probably yes. But it is conceivable that a "last vulnerability" could be closed and "overall parity" would be broken permanently. The problem is that the bad guys continue to add new vulnerabilities for the worse guys to use, and that will likely accelerate with the proliferation of these very tools.
Re: (Score:2)
The bad guys will continue to innovate and find new vulnerabilities. Meanwhile, the bug hunters have all been laid off, to be replaced by this new system. Until someone realizes that, up until now, it has been finding bugs based on the training it has scraped from the far corners of the Internet. And since there is no training data on these new attack methods, it falls on its face.
sales pitch (Score:3)
The most serious sounding sales pitch. Here is how you know... "Anthropic is committing up to $100M in usage credits for Mythos Preview across these efforts, as well as $4M in direct donations to open-source security organizations."
The sky is falling, we can help if you pay us.
Let me guess, "EVERYTHING HAS CHANGED" (Score:3)
Here we go again.
"EVERYTHING HAS CHANGED."
"Oh, that used to be true, but not anymore."
"Hey, some CEO said a thing; let's pretend it is absolute truth without any objectivity or skepticism!"
"Those old models I said were the most amazing thing ever last month are now worthless."
"AGI is here!"
It is ALL SO DAMN EXHAUSTING.
Sounds about right. (Score:2)
!. Get AI out there and everyone to use it because it's useful. Allow reasonably powerful models.
2. Make the peasents..I mean..consumers feel like some control has been given to them so they're not nickle and dimed for simple HTML or programs that AI can make for users for simple tools.
3. Introduce more powerful AI and for security and everything else now, is locked behind a vendor that you can't get your hands on so you need to continue your life subscription to everything, and you accept the vendor since
YIKES! API Price (Score:2)
Just saw the reported API pricing for those who are allowed access: $25/$125 per 1M tokens. To put that into perspective Opus 4.6 is $5/$25 per 1M tokens. Even Opus 4 was "only" $15/$75 per 1M. No way this one is coming to any plans. It will be enterprise only when they do open it up more.
Still cheaper than GPT Pro though ($30/$180)
the Battle of the Titans (Score:2)
"In the last few weeks, Mythos Preview has identified thousands of zero-day vulnerabilities with many classified as critical."
We are moving into a scenario where there's a race for extremely capable white hat AI to identify the existing vulnerabilities and try to plug them, and black hat to find and exploit them. I think this is a good move to try and get the white team ahead of the game. There's a possible apocalypse here.
What the heck are "cyber" implications??? (Score:2)
And these are apparently huge ones, at that!
That sounds like sales gobbledygook to me!
Anyone got examples (Score:2)
Of these old bugs they found? I can't find them and they're not in the article. Or is this a "trust me bro" deal?
Re: (Score:3)
Limited info here: [1]https://red.anthropic.com/2026... [anthropic.com]
Sounds like more details in 90+45 days.
[1] https://red.anthropic.com/2026/mythos-preview/
Re: (Score:3)
Here's [1]the blog post with more tech details [anthropic.com] than marketing fluff with links to the bugs.
[1] https://red.anthropic.com/2026/mythos-preview/
Re: Anyone got examples (Score:4, Insightful)
They have multiple documented patched zero days and provided sha3 verifiable hashes for ones that will be released in the next 135 days. Knowing Anthropic and their track record, it seems highly unlikely they're lying. This is a game changer to the security community. In the long term it should be great, but in the short term it is going to surface hundreds of thousands of vulnerabilities.
Re: (Score:2)
> They have multiple documented patched zero days and provided sha3 verifiable hashes for ones that will be released in the next 135 days.
But I'm sure they trained on this code. It's just repeating it's training data. There is no intelligence.
And yes, I'm kidding since otherwise someone will take me seriously.
Re: (Score:2)
Just watch the patches and CVE's trickling out.
It's not like OpenBSD is going to sit on a vulnerability for 90 days or whatever.
Issuing a patch doesn't give away the details about how it was found.
Re: (Score:2)
Y2Claude
And yes they posted at least one example:
[1]https://ftp.openbsd.org/pub/Op... [openbsd.org]
> several sections throughout this post we discuss vulnerabilities in the abstract, without naming a specific project and without explaining the precise technical details. We recognize that this makes some of our claims difficult to verify. In order to hold ourselves accountable, throughout this blog post we will commit to the SHA-3 hash of various vulnerabilities and exploits that we currently have in our possession.[3] Once our responsible disclosure process for the corresponding vulnerabilities has been completed (no later than 90 plus 45 days after we report the vulnerability to the affected party), we will replace each commit hash with a link to the underlying document behind the commitment.
[1] https://ftp.openbsd.org/pub/OpenBSD/patches/7.8/common/025_sack.patch.sig