Organizations utilizing Claude Mythos have found 1000’s of vulnerabilities within the first month of safety testing below Undertaking Glasswing, per an announcement from Anthropic final week.
The challenge, initially introduced on April 7, granted preview entry of Mythos to about 50 organizations, together with Apple, Google, JPMorgan Chase, the Linux Basis and Microsoft. Anthropic mentioned it felt compelled to restrict the discharge after seeing the mannequin’s means to seek out beforehand undetected safety weaknesses in a few of the most generally used applied sciences.
“Finally, Mythos-class fashions will allow builders to construct far safer software program by catching bugs earlier than they’re deployed,” Anthropic wrote in its Could 22 replace. “However this interim interval — whereas vulnerabilities are being quickly found and slowly patched — presents new dangers.”
Many of the contributors in Undertaking Glasswing every discovered a whole bunch of critical- or high-severity vulnerabilities of their software program, Anthropic mentioned. In all, the businesses invited to make use of Mythos Preview have to this point flagged greater than 10,000 important safety flaws.
One instance supplied within the announcement was Cloudflare. The supplier of content material supply networks and different web companies uncovered roughly 2,000 vulnerabilities in its merchandise; of these, 400 have been handled as high- or critical-severity.
Anthropic mentioned yesterday that it intends to launch Mythos “within the coming weeks.”
“That is positively one thing that all of us want to arrange for,” mentioned Jim Reavis, CEO of the Cloud Safety Alliance (CSA), which printed a technique paper in April concerning the Mythos threat. The CSA can also be conducting a sequence of boards for CISOs to share concepts and observations about how Mythos and different frontier LLMs will change cybersecurity. These adjustments will probably be important, Reavis mentioned, as a result of they need to be.
“We’ll see much more vulnerabilities,” Reavis mentioned. “And as quickly as you see a vulnerability otherwise you see a vendor launch a patch, an attacker could have a whole blueprint to right away create an exploit out of that.”
To counter the AI menace, organizations must take aggressive steps to automate safety within the SOC, use agentic instruments throughout incident response actions and place much more give attention to least-privilege practices, Reavis mentioned. “We’re all going to be working fairly arduous for the following yr or two.”
“It is fascinating how briskly it is transferring,” mentioned Barry Mainz, CEO of Forescout, a cybersecurity vendor. “It is a shock to the business, however a great shock.”
Safety groups now higher perceive that defensive techniques resembling menace containment and zero-trust safety are essential, Mainz mentioned. Patch administration will nonetheless matter, he added, however patching will not be sufficient to defend in opposition to AI-driven assaults.
Whereas groups ought to count on a tough interval of adjustment and experimentation within the near-term, Mainz mentioned cybersecurity will take an enormous leap ahead because of the vulnerabilities being uncovered by AI.
“There’s some particular alternatives [for improved practices],” Mainz mentioned. “It is positively shaking up the business.”
Phil Sweeney is an business editor and author targeted on cybersecurity matters.
