How serious are you taking Mythos as a threat? An MSP whose email was forwarded to me, is talking like it is Armageddon. Sounds more like them drumming up business.
Posted by LinearFluid@reddit | sysadmin | 65 comments
The email basically said they will make sure patches are applied. Use Sonicwall with Automatic Firmware Updates. Etc.
kirksan@reddit
It’s marketing hype. Sure, AI will uncover new security flaws, but new security flaws have been uncovered regularly for decades. Make sure you’ve got your shit together and you’ll be fine. Install security updates, take the basic steps to protect your network and devices, and assume you’ll be compromised and have a recovery plan.
BoxerBoi76@reddit
IMO, it’s more so the volume of vulnerabilities Mythos is finding - not a few here or there but hundreds just in one case: https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
kirksan@reddit
I don’t care about the volume of vulnerabilities. It takes the exact same amount of effort to protect against one zero-day vulnerability as it does to protect against a million. Perhaps all the hype around this will convince CEOs to invest more in security, but the remedy hasn’t changed.
DegaussedMixtape@reddit
I don’t think that’s quite true. If they can exploit your website, then break containment to the host, and then break containment to adjacent networks because they chain vulnerabilities, that’s much worse than getting only a firewall, SQL, or OS vulnerability to do all the damage that it can.
You are right that multiple vulnerabilities on the same platform is typically a single patch or at least a single maintenance window, but heaps of vulnerabilities across platforms is much worse than one part of your stack needing to be secured.
kirksan@reddit
I get what you’re saying, but most serious break-ins these days are chains of vulnerabilities. My point is that if you protect your environment it doesn’t matter if you have one attack or a thousand.
I can look at some of my logs right now and see continuous attempts to break in to an ssh server, literally hundreds a minute. I know none of them will succeed because it’s a honey pot and the attacker’s IPs are being automatically blocked from touching the important stuff. That’s one really simple example, the reality is this is extremely complicated, but you still have to do it right. If you do then the volume of attacks is concerning, but less important.
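The kind of automation kirksan describes, in added example code that is not the commenter's own setup: parse sshd log lines from a honeypot, count failed attempts per source IP within a sliding time window, and emit the addresses that cross a threshold so a firewall can block them from the rest of the network. The log lines, the year (syslog timestamps carry none), the threshold and window, and the nftables table/set names `inet filter ssh_block` are all constructed assumptions for this example; the allowlist exists because a naive counter will also lock out a legitimate user who mistypes a password a few times.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines. The addresses are RFC 5737
# documentation ranges, not real hosts; this is not a real log.
SAMPLE_LOG = """\
Apr 12 10:00:01 honeypot sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 12 10:00:02 honeypot sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Apr 12 10:00:02 honeypot sshd[2213]: Invalid user oracle from 203.0.113.5 port 41024
Apr 12 10:00:03 honeypot sshd[2214]: Failed password for root from 203.0.113.5 port 41025 ssh2
Apr 12 10:00:03 honeypot sshd[2215]: Failed password for root from 203.0.113.5 port 41026 ssh2
Apr 12 10:00:04 honeypot sshd[2216]: Failed password for invalid user test from 198.51.100.9 port 50110 ssh2
Apr 12 10:00:05 honeypot sshd[2217]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2: ED25519 SHA256:constructed
Apr 12 10:09:59 honeypot sshd[2218]: Failed password for invalid user test from 198.51.100.9 port 50111 ssh2
Apr 12 10:20:00 honeypot sshd[2219]: Failed password for invalid user test from 198.51.100.9 port 50112 ssh2
"""

# Matches the three sshd event shapes we care about and captures the source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Invalid user|Accepted \w+) .*?from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text, year=2026):
    """Yield (timestamp, event, ip) tuples; `year` is assumed since syslog omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter, ignore
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"], m["ip"]))
    return events


def failed_counts(text):
    """Total failed/invalid-user attempts per source IP (successful logins excluded)."""
    counts = Counter()
    for _, event, ip in parse_events(text):
        if not event.startswith("Accepted"):
            counts[ip] += 1
    return counts


def ips_to_block(text, threshold=3, window=timedelta(minutes=10), allowlist=()):
    """Return sorted IPs with >= threshold failures inside any sliding window.

    The window matters: three failures spread over an hour is a typo, three in
    a second is a brute-force tool. Allowlisted IPs are never blocked.
    """
    failures = defaultdict(list)
    for ts, event, ip in parse_events(text):
        if event.startswith("Accepted") or ip in allowlist:
            continue
        failures[ip].append(ts)

    blocked = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked.add(ip)
                break
    return sorted(blocked)


def nft_block_commands(ips):
    """nft commands adding each IP to an assumed pre-existing set `ssh_block`
    in table `inet filter` (hypothetical names; adjust to the real ruleset)."""
    return [f"nft add element inet filter ssh_block {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    for ip, n in failed_counts(SAMPLE_LOG).most_common():
        print(f"{ip:15} {n} failed attempts")
    for cmd in nft_block_commands(ips_to_block(SAMPLE_LOG)):
        print(cmd)
```

With the constructed input, `203.0.113.5` (five failures in three seconds) is blocked and `198.51.100.9` (three failures spread over twenty minutes) is not; lowering the threshold to 2 catches the second host as well, which is exactly the tuning knob that decides how many legitimate users you lock out. In a real deployment the blocklist feeds a set referenced by a firewall rule on the hosts that matter, not just on the honeypot.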
dsmiles@reddit
You're being intentionally obtuse. It absolutely does not take the same amount of effort to address a single 0 day vulnerability as it does to address a million different ones in your environment, what?!?
illforgetsoonenough@reddit
Mythos found a 23 year old 0day in the Linux kernel. Yes flaws have been found by security teams for decades, but they missed that one for decades.
And the barrier to entry for finding them is no longer an education in security. It's the right prompt, tooling, and model. That's it.
I watched a YouTube video of one of the leaders of Security at Anthropic. He was speaking at a conference to a room full of security researchers. He said Mythos is finding 0 days faster than he can validate them, he's swimming in them.
By the end of the video he was basically begging folks to help, no matter where they are, what company they work for... because a big change is coming
I tend to believe him
FatBook-Air@reddit
It's funny how different people have different perspectives on this.
You seem to be sounding the alarm; I'm instead celebrating that we have a new tool to find vulnerabilities. If they did not get found by the good guys, they may have still be found by bad guys, not patched, and not public. I think this will be a net positive.
Izual_Rebirth@reddit
The fundamental issue is that bad guys can use these tools as well.
Along with the possibility we’re going to start finding weird and wonderful vulnerabilities faster than we can address them.
There’s no guarantee the good guys will be the ones to find them first and even if they do… can they mitigate them fast enough?
Don’t think it will be long before we’ll have AIs finding the vulnerabilities and other AIs trying to fix them! I can see that second part going wrong...
malikto44@reddit
Overall, this may get us back to fundamentals of security, which is overall a good thing. Perhaps air-gapping and data diodes.
rubber_galaxy@reddit
a bad guy will be able to use this technology as well. It's all well and good finding the vulnerabilities, but patching them might be another matter.
illforgetsoonenough@reddit
Another thing that was said by the guy at the conference is that while Anthropic has this capability now, he acknowledged that other firms will have the same level of ability within 6-18 months. It's just a matter of time before it gets into the hands of the wrong people.
While defending infrastructure from adversaries, you have to get it right every time. Adversaries only have to get it right once
malikto44@reddit
This is basically the next generation of lint. When the dust settles, I think this tool will be one of the best things that has happened for security since firewalls came into general use.
Dolapevich@reddit
Care to share that video, please?
kirksan@reddit
I don’t believe him, but it doesn’t matter. The point of my comment is that zero days happen, have happened, and will happen in the future. I don’t care if AI finds a hundred in a day, or some North Korean-backed hacker group finds three a year; the preparation is the same for both. Get your shit together, and you’ll be fine.
* Unless AI causes the collapse of civilization, in which case who gives a fuck?
illforgetsoonenough@reddit
What does getting your shit together look like in each of your examples?
North Koreans with 3 vulns a year: patch your infra for those three vulns and whatever other updates. Status quo with the present.
Or...
Patching your infra literally everyday, all day long. Anthropic will not be the only company to develop this level of tech. Say your business's competitors get access to a model with this capability and don't publish the vulns they find for your infra. Your company could be toast overnight.
I'm catching a vibe from the movie "Don't Look Up" a little bit.
kirksan@reddit
I’ve never heard of the movie, but being prepared isn’t just patching. That’s an important bit, and isn’t that difficult in a well designed environment, but there’s lots of other stuff you can and should do. Take steps to stop bad stuff in its tracks, have monitors that alert when the bad stuff happens, have a way to recover from the bad stuff. I get that sounds simplistic, it isn’t. It’s expensive, difficult, and time consuming, but that’s what needs to be done. Large organizations need to invest in this, smaller ones need to outsource, the ones that ignore security will likely have issues, but that hasn’t changed.
graffix01@reddit
worse is that it can find vulnerabilities and write exploits for them. that is a little scary.
bjc1960@reddit
Adding to the 'hype' aspect - notice they did not give it to critical infrastructure companies. One might think a stable electric grid is needed for the datacenters to run.
illforgetsoonenough@reddit
Do you have the full list of companies and entities it was given to?
bjc1960@reddit
No, just the ones in the news. Seemed like mostly big-tech. I also heard Mythos was leaked by contractors whose company had access.
NerdyKid1101@reddit
I just think it's more reason to slow tf down on AI up scaling and make sure we actually have safety guards in place.
malikto44@reddit
The issue I worry about: we can scale down AI and put plenty of safety guards on it... but the blackhats are definitely not going to be worried about such things as "ethics", and definitely will not be standing down because of these concerns.
We really don't want to be chasing them and having them be the ones with the zero days.
SensitiveFrosting13@reddit
As someone who runs a red team, AI is letting us find and exploit more bugs faster than ever. So from that aspect, it's pretty serious, and if you're not adapting to this level of speed you're probably fucked.
Having said that, there isn't an MSP I would trust to be able to secure against this new future.
1stUserEver@reddit
Coming from an MSP that is security focused and seeing the others that are not, you are absolutely correct in saying that they are fucked.
MyThinkerThoughts@reddit
AI driven cyberattacks are the norm now. The average time to full domain compromise is around 30 minutes. The ability to chain vulnerabilities quickly where a human would need to run that discovery is quite frankly terrifying. It’s not just Mythos.
Then there’s the literal fact that the majority of the dark web is now operating under a single entity. Earlier this year these hackers all woke up to a new boss. Received new logins with their same credentials and got access to shiny new tools.
If you are not using AI driven defensive strategies you will be at a disadvantage moving forward.
Frothyleet@reddit
Mythos, or what it symbolizes, is a potential existential threat for software and infrastructure as we know it today (also, potentially not).
It's also something for which you can do absolutely nothing actionable at the moment.
And anyone trying to sell you Sonicwall while talking security is taking the piss.
Kardinal@reddit
Best take I've seen.
Could be powerful. Might not be.
But we can't do anything different about it right now. So we do our best with what we have. Right now.
aenae@reddit
If it is powerful; just remember that not only criminals get access to it. If it does indeed find the bugs that easy, it can also be used to fix those bugs.
All in all, it is no different than Open Source. Sure, criminals can read the source to find bugs, but so can white hackers and maintainers.
1996Primera@reddit
yup ~ but also this is a version that we know about bc they told us....(but the free bsd thing was pretty cool to know that someone that old still basically had a 0day that no one ever found (allegedly....wonder if c i a already knew about it...since they tend to sit on :ehem: exploit them :ehem: for their own use until they are patched)
imagine models we DONT know about from nation states....
then couple that w/ Quantum computing / constant improved models .....
It's already been said years ago, once quantum is mainstream it likely will be able to decrypt most/all encryption of yesteryear.
But putting all that fearmongering aside, its the same today as it was yesterday & it will be tomorrow.....constant cat and mouse of improving security, people break it, rinse and repeat...
DegaussedMixtape@reddit
I’m with you except the cat and the mouse will both be ai driven. Just keep applying those firmware patches and hope your vendors stay a half step in front of the attackers.
Timzy@reddit
Been using it as an excuse for a bigger budget next year
megamorf@reddit
I was also asked by management to come up with a plan to prepare for what's to come. Since I work in a big enterprise our actions need to be a lot more aligned and planned in advance.
Thankfully we recently had an internal AI day where someone shared this whitepaper https://labs.cloudsecurityalliance.org/mythos-ciso/ where many CISOs and security experts outline what's to come and how to prepare for it.
I used it as inspiration to come up with concrete action items that fit our company's processes and application landscape. My concept is currently being discussed by management and I guess I'll have more news to share once they've made a decision.
jstuart-tech@reddit
I would highly recommend reading some things that Marcus Hutchins posted recently. He seems to be one of the few experts that remains a sceptic of AI (whether he's right or wrong remains to be seen). It's just good to get the perspective of someone who hasn't drunk 1000L of koolaid
https://www.linkedin.com/in/malwaretech?utm_source=share_via&utm_content=profile&utm_medium=member_android
DragonsBane80@reddit
The last thing I read was they were required to run tests on a system with basically all kernel/mem level protections off... So are they testing your code now? Or kernel functions? Did they retest with protections on and dig further? Was honestly left with more questions than answers.
That being said, I have a friend running it and is claiming high quality results not just from finding but implementing fixes.... And most orgs can't keep up with patching at the current pace... Let alone if it doubles.
We've also already seen the flip side which is CVE monitoring and reverse engineering scale has gone through the roof. PoCs are traditionally at least a day or two out, but we're already down to hours, and if disclosure isn't great, IE out before patching? Or worse patching is garbage (not uncommon) and leads to other vulns?
Idk... I'm stressed
Sqooky@reddit
95% hype, 5% capabilities.
Will LLMs assist humans in identifying vulnerabilities? 100% - they're language models, they read code and write code well.
You put in garbage, it'll find garbage. You fuzz an application, you'll find crashes. Not all buffer overflows are exploitable and will lead to real world impact. Lots of bugs go unreported due to no real world impact.
Bugs aren't hard to find, there's a lot of application surface to fuzz for, it's just about taking the time to do it, knowing how to bypass exploit mitigations, and reporting them to the right folks.
There's a metric ton of hype about "AI attacking companies". There's a couple things to note: Vendors with DAST/SAST pipelines that leverage mythos for DAST/SAST should in theory find all the vulnerabilities that, let's say, an attacker with Mythos would, right? Because DAST is dynamic testing with source code... Therefore, if an attacker uses Mythos with a black box approach, theoretically nothing should be found. End of vulnerabilities! Right? 🤷
Another major contender: All your existing security controls still work - you have a WAF? NGFW? EDR? IPS? It'll work. The controls aren't going to magically fail because AI. There's only so many ways you can perform SQL Injection in applications due to exploitability constraints... That and let's pretend for a second - your WAF provider deploys LLM integration and leverages Mythos - theoretically it should be able to block all the malicious attacks, right?
Reality is LLMs are just like machine learning, just a bit easier for the general population to use. They're blackbox tech. It'll get integrated into products, and it'll phase out.
Imo LLMs really shine at coding, that's where I see it being used the most in the future as user facing apps, and autonomous functions are just too risky for businesses.
A lot of the AI bubble is marketing drawn up to recoup investor revenue.
Michichael@reddit
Not at all. It's pure conman hype with zero evidence of value or use from non vested parties. Like most AI claims.
OsitoPandito@reddit
they are fear-mongering so that it gets a ton of hype and then causes their stocks to go up
BoxerBoi76@reddit
https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
ultimatebob@reddit
Yeah, but the antivirus and firewall manufacturers are. If they can use this to sell add-on security subscriptions, they will!
Kindly_Revert@reddit
Anthropic isn't publicly listed.
nazerall@reddit
They are prepping for a '26 IPO.
sdeptnoob1@reddit
Aren't they about to be?
OsitoPandito@reddit
oh that's funny, I literally didn't even mean it in a literal sense. I mean, they just want people to be aware of their product
PizzaUltra@reddit
To quote swiftonsecurity:
https://bsky.app/profile/swiftonsecurity.com/post/3mkq4zjha4k2r
LinearFluid@reddit (OP)
This is what I was thinking too. FUD is being spread for reasons of profiting and because of that, I'm getting the ducks in a row for the questions that are coming on what am I doing about it.
BoxerBoi76@reddit
https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
achristian103@reddit
How many "armageddon scenarios" have you survived in your lifetime?
I'd bet good money Mythos will be added to that list.
BoxerBoi76@reddit
https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
LinearFluid@reddit (OP)
Y2K tops that list.
sgt_Berbatov@reddit
Nothing to see, it's a nothing burger.
People have looked at it, reviewed it. All of those FreeBSD issues it found have evidence of heavy user involvement. Plus the LLM itself didn't find anything more than other LLMs have found in the past.
They're doing everything they can to keep the hype train, and the money, going. Do not be surprised to see some medical LLM thing be released next before August before the wheels come off of the damn thing.
BoxerBoi76@reddit
Really?
https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
jkdjeff@reddit
Most orgs have about a million things they need to worry about before Mythos.
tobraha@reddit
This post on LinkedIn really sums it up well, IMO.
https://www.linkedin.com/posts/grossmanjeremiah_the-dominant-view-in-my-filter-bubble-is-ugcPost-7455423063791394816-kMz1
Denver80211@reddit
I think it's real.
I also think there's nothing for me to do other than expect fast and poorly built patches.
bitslammer@reddit
Mythos is not really the threat. The threat is really the likely potential for an sharp increase in the number of serious vulnerabilities found. If you already have a good process for vulnerability management then you may be OK or you may need to dedicate more resources to that as well as introduce some automation to cope with the volume.
GeneMoody-Action1@reddit
Spot on, I will be doing a presentation at infotech live in vegas on this very point.
If the vulns are there, they are there, any security researcher testing the correct thing the correct way (or getting lucky fuzzing) could find them all the same. What these systems represent is a shift in efficiency of discovery, and how that translates to threat is not as black and white as commensurate increase.
The efficiency gain in discovery then causes an efficiency loss in the vendors who now have to scale out to say 150 patches in a cycle where the norm was 25-30. That costs many hours, may even require additional devs, *if* they can even scale that fast. And it will change millions of lines of code undoubtedly coming with the risk of regression, instability, and potentially creating new vulnerability in the process.
Short story long, the vendors are not prepared for their part to give the results to the admins waiting, THAT is where this is about to get VERY ugly. Brooks' law applies here, there is no magic bullet.
If you want to be prepared for this, ramping up patching is of course prudent, but you will need more prongs on that pitchfork if you plan to defend the fort with it. Hardening for starters, SOOOO overlooked in too many cases, proper hardening can decrease footprints drastically, and completely neuter some entire classes of threats. 80% coverage of 100% of threat is bad. 80% coverage of 40% threat of course bodes much better.
Better patching policies that favor continuity over convenience, and that pivot on resilience not hide behind SLAs. These need to be solidly agreed on from top to bottom of business hierarchy, from C suite to application owners, "we do this normally but when the task calls, we do THIS because we cannot NOT do this." Do not tie your admins' hands when they need them the most, have a system for dealing with emergent threats, that triggers review as to why your existing policy didn't. (This is how mature teams handle zero days already, so you *should* have something that at least looks like this somewhere.)
More patch enforcement over approve/offer systems.
Live compliance stats, "who needs this, right now" and "apply this right now"
And seldom discussed in the same vein, but security and backup are symbionts, one should always provide protection for the other. In patching and security there is no 100% guarantee of anything, because one cannot prepare for the unknown unknown. But backup is just calculus, given the correct input the output is guaranteed if the formula is correct. And that's just a fancy way to say that in security, failure is acceptable to a degree because it cannot be conclusively prevented. But in backup, there is NO EXCUSE for not being ready for when security fails. Live it, eat, sleep, and breathe it, and for the love of TEST IT or you do not have it....
"These are your weapons. When you take them, you begin your journey." The wise Man (Sucker Punch)
MaxBroome@reddit
This. You should already be prepared for a zero-day, and practice zero trust and network segmentation to tighten the blast radius.
slparker09@reddit
AI is bullshit and I for one can't wait for the bubble to pop.
It's glorified auto-complete and valley fanboys are hyping it up more than sliced bread.
I'm still waiting for my flying car and crypto to close all the banks...
bjc1960@reddit
Right now it is "pay to play." A CIO in the security space told us in a round table talk that their company was not invited to be part of mythos and there were costs.
FortLee2000@reddit
Mythos Preview will allow security professionals to discover vulnerabilities at unprecedented speed and scale. Of course, the corollary is that attackers will be able to exploit systems and applications that are not promptly patched.
One fear some analysts have expressed is that rogue actors will develop or acquire their own AI models that rival Mythos Preview, giving them the tools to find and exploit known and unknown vulnerabilities.
The main problem (of many) is that every vendor will claim to have some kind of AI-powered zero-day discovery tool. As an MSP who is actively concerned about my clients' environments, it will be my job to weed through the claims and test the results to ensure efficacy.
I certainly didn’t have this on my 2026 line card, but it is going to be a factor from now on.
Oh, and drumming up business - minus the FUD - is not a bad idea...
motific@reddit
I'm taking it very seriously. Not specifically Anthropic Mythos but the presence of AI in this attacking role.
As FreeBSD's Lead Release Engineer Colin Percival said back in March, "2026 is going to go down in computer security history as the year of a million CVEs" and "Open source security teams are in for a rough year".
https://nitter.net/cperciva/status/2035045573116789002
justaguyonthebus@reddit
It's a huge serious threat. Someone else mentioned that it's not mythos specifically but what it just revealed about what comes next.
Security decisions are often trade-offs between ease of use vs feasibility to exploit. Most people are scared of the unknown threats, but I'm just as concerned about the known issues that were previously considered unfeasible. And the bigger issue is how long it will take to get all of it fixed.
I was recently developing on something and kinda hit a wall on the implementation. But I was aware of another way to do it, a way that I would never put the time and effort into doing because it's so tedious and fragile and error prone and hard to test. So I asked AI to do it and it just did it.
That was the moment for me where the Mythos threat really clicked for me. Because this wasn't Mythos.
shadow1138@reddit
Ironic - an MSP freaking out over it, when I'm sure the MSP isn't doing basic cyber hygiene
_SleezyPMartini_@reddit
if anything, I see this as another reason to focus on increased recovery and immutable backups.