A cyber expert’s advice on the Mythos hype

Integrity360’s Richard Ford discusses the unease caused by Anthropic’s advanced cybersecurity AI model, and how cyber teams can prepare for such technology.

In the time since Anthropic first revealed Claude Mythos in April, discourse around the cybersecurity AI model has been unceasing.

Anthropic’s claims that Mythos has seemingly advanced capabilities in finding and exploiting software security vulnerabilities caused a frenzy in public and private sectors around the world – including in Ireland.

“The issue is not that Anthropic has created this. The issue is that Anthropic has demonstrated that this is possible,” said Richard Browne, director of the National Cyber Security Centre, when speaking to the Oireachtas Joint Committee on Artificial Intelligence shortly after the Mythos reveal.

Mythos has not been released to the general public yet, though Anthropic had been granting access to a pool of companies, banks and authorities – that is, before a recent US government order resulted in the company disabling the model for all of its users.

But while institutions and governments panic over the capabilities of this new AI model, Integrity360 CTO Richard Ford says Mythos should be approached with “measured scrutiny rather than hype”.

“Based on the information available so far, the model appears capable as an autonomous attack tool, but there is no clear evidence that it materially outperforms existing large language models in this area,” he tells SiliconRepublic.com.

“The more important point is how it could be used. In the hands of threat actors, Mythos does not need to be revolutionary to be dangerous.

“It would still be highly effective when targeting organisations with weak security postures, particularly those lacking strong access controls, patching discipline and visibility across their environments.”

Hype and disruption

Ford says that much of what is driving both the hype and the concern around Mythos comes from self-reported results, with limited independent validation.

This makes it difficult to separate genuine technical advancement from narrative, he says.

“There is a legitimate question around whether the capabilities are being overstated or simply presented without enough context.

“Early claims of large-scale vulnerability discovery sound significant, but without external benchmarking or reproducibility, it is hard to assess how meaningful those findings are in practice.”

Ford adds that in the light of Anthropic’s previous difficulties with the US government, sceptics could reasonably question whether the Mythos announcement was “partly about shaping perception as much as demonstrating capability”.

But what if the purported sophistication of Mythos is as significant as Anthropic claims?

“If the claims hold true, there is a clear view that models like Mythos could begin to disrupt areas such as bug bounty programmes and the wider ethical hacking market,” says Ford. “The concern is not that human researchers become obsolete overnight, but that AI can significantly accelerate vulnerability discovery, shifting the balance in terms of speed, scale and cost.

“We are already seeing early indicators of this trend. AI-driven platforms are performing strongly in competitive CTF environments, where rapid analysis, pattern recognition and automation provide a clear advantage.

“That raises questions about how traditional bug bounty ecosystems evolve, especially if AI can identify issues faster than human researchers or commoditise parts of the process.”

How can organisations prepare?

Though Mythos has not been fully released to the public yet – and is currently disabled as of last week – Ford has some advice for cybersecurity teams regarding the eventual widespread availability of AI models such as Mythos.

“Cybersecurity teams should treat models like Mythos as an acceleration of existing threats rather than something entirely new,” he says. “The priority is getting the fundamentals right, because AI will exploit weaknesses faster, not differently.

“Strong identity controls, consistent patching and full visibility of assets remain critical. Organisations that lack these basics will be the easiest targets for AI-assisted attacks. In short, the better your fundamentals, the more resilient you will be as AI-driven threats become mainstream.”

Ford says organisations should avoid reacting to Mythos with panic, but should also take its implications seriously.

“The direction of travel is clear: AI is becoming embedded in both attack and defence,” he says.

He believes any organisation that is not building an AI-driven cyber defence will fall behind and “move directly into the crosshairs of attackers”.

“That does not mean chasing hype, but it does mean investing in capabilities that improve speed, scale and decision-making across detection and response,” he explains.

“At the same time, this only works if the fundamentals are in place. The organisations that will succeed will be those that combine solid core controls with intelligent automation, allowing them to keep pace as the threat landscape continues to accelerate.”

The reveal of Mythos has undoubtedly rocked the boat in relation to AI and its place in cybersecurity.

But while many worry about the impact of Mythos’s capacity for cyber exploitation, Ford believes the most significant long-term effect of such AI technology will be “a structural shift” in how quickly and cheaply cyberattacks can be executed – rather than a single breakthrough capability.

“If models like Mythos mature as suggested, they will compress the time between identifying an exposure and exploiting it,” he says. “Tasks that once required skilled researchers and time investment, such as reconnaissance, vulnerability discovery, and initial exploitation, will become increasingly automated and scalable.

“That changes the economics of cyberattacks, allowing threat actors to operate at higher volume and with greater efficiency. All of this depends of course on whether Mythos is indeed just hype or the real deal.”
