惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
量子位
The Cloudflare Blog
美团技术团队
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Proofpoint News Feed
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
博客园 - 司徒正美
宝玉的分享
宝玉的分享
T
Threatpost
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
T
Threat Research - Cisco Blogs
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
博客园 - 聂微东
A
Arctic Wolf
I
Intezer
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
爱范儿
爱范儿
Hugging Face - Blog
Hugging Face - Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
小众软件
小众软件
T
Tailwind CSS Blog
The Hacker News
The Hacker News
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
TaoSecurity Blog
TaoSecurity Blog
Project Zero
Project Zero
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cloudbric
Cloudbric
雷峰网
雷峰网
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
大猫的无限游戏
大猫的无限游戏
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V2EX - 技术
V2EX - 技术
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog

Forbes - Innovation

Why Do Humans Have Fingerprints? Hint: It’s Not What You Think Booking.com Confirms Data Breach, Reservation PIN Codes Changed Why Major News Sites Are Blocking The Internet Archive’s Wayback Machine iPhone Fold Release Date: New Report Details Frustrating Apple News Comet Tracker: How To See Pan-STARRS And Three Planets On Wednesday NYT Mini Crossword Today: Tuesday, April 14 Hints And Answers Today’s NYT Strands Hints, Spangram, Answers: Tuesday, April 14 (It’s A Little Unclear) Today’s Wordle #1760 Hints And Answer For Tuesday, April 14 Most Of The Microplastics In Urban Air Come From Tires Today’s Wordle #1759 Hints And Answer For Monday, April 13 NYT Mini Crossword Today: Monday, April 13 Hints And Answers NYT Pips Today: Hints, Answers And Walkthrough For Monday, April 13 The YC Chief Who Codes 10,000 Lines A Day Has A Simple Secret Samsung Expands One UI 8.5 Beta To More Galaxy Owners Why You Should Stop Using Your iPhone If It’s On This List Chamath Says Firms That Treat AI As A Strategy Hand Rivals Their Edge 3 Unexpected Habits Of Secure Couples, By A Psychologist The First Lamp That Folds Your Clothes Samsung’s Disappointing Price Update For Galaxy Phone Buyers 3 Subtle Signs Someone Is Falling In Love With You, By A Psychologist Do Mantis Shrimp See More Colors Than Humans? A Biologist Explains NYT Connections Answers Explained For Monday, April 13 (#1,037) NYT Connections Hints Today: Monday, April 13 Clues And Answers (#1,037) LEGO Luigi & Mach 8 (72050) Review: 2026’s Best Set Yet? Marc Andreessen Says AI Productivity Will Trigger A Hiring Boom 3D Printing Is The Ultimate Hack To Reduce Household Spending Apple iPhone Fold: Striking Design Revealed In Leaked Photos Apple Smart Glasses: New Leak Reveals A Major Design Twist To Beat Meta Tested: The AI Coming To The Rivian R2 Quordle Hints Today: Monday, April 13 Clues And Answers Companies And H-1B Employees Endure Immigration Waits At Consulates 3 Easy Ways To Turn Anxiety Into Sustained Focus, By A Psychologist Here’s The Most Affordable Humanoid Robot You Can Buy Now UFC 327 Results: 5 Biggest Takeaways From A Wild Night In Miami UFC 327 Results, Bonus Winners, Highlights And Reactions Dana White Announces Huge New Fight For UFC White House Today’s NYT Strands Hints, Spangram, Answers: Sunday, April 12 (Get Ready) Tesla ‘Model 2’ Rises From The Ashes Today’s Wordle #1758 Hints And Answer For Sunday, April 12 NYT Pips Today: Hints, Answers And Walkthrough For Sunday, April 12 Tyson Fury Vs. Arslanbek Mahkmudov Results: Highlights and Reaction NYT Mini Crossword Today: Sunday, April 12 Hints And Answers How Shadow AI Culture Is Destroying Your Business Venture Capital Funds That Market Like Startups Win More Deals Conor Benn Vs. Regis Prograis Results: Highlights and Reaction Samsung’s Disappointing Price Update For Galaxy Phone Buyers Artemis Reached The Moon. The Grid Can Reach The 21st Century A Biologist Explains How Archerfish Shoot Down Prey. Hint: Their Aim Rivals Human Throwing Is It Time For Apple To Forget About The MacBook Air NYT Connections Hints Today: Sunday, April 12 Clues And Answers (#1036) Trump’s 2027 Budget To Reshape U.S. Environmental And Energy Policy CDC Delays Reporting Of COVID-19 Vaccine Benefits—Here’s What To Know Oura Has Designed A Solution To A Big Smart Ring Problem Netflix’s Best New Show Has A Near-Perfect 95% Rotten Tomatoes Score Coachella 2026 Is Being Taken Over By Creator Streams Quordle Hints Today: Sunday, April 12 Clues And Answers This Startup Wants To Use AI To Help Digitize History How To Get The Best Shield In ‘Crimson Desert’ Microsoft Venom Attack Targets C-Suite Executives ‘Maul: Shadow Lord’ Sets Even More Star Wars Rotten Tomatoes Records 3 Ways Happy Couples Argue Differently, By A Psychologist Success For Leapmotor Might Have Negatives For Stellantis New Names Surface As Potential Rogue And Wonder Woman In The MCU And DCU 4 Reasons Artemis Mission Matters Even If You Think It Is Wasteful Fast ‘Crimson Desert’ Patch Adds New Moves, Shield Hiding And One Great Feature Why Do Humans Blush? An Evolutionary Biologist Explains The Signal We Can’t Control Apple iPhone Fold: Striking Design Revealed In Leaked Photos Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update iOS 26.4.1 Release: Crucial iPhone Feature Update Arrives, But No Security Fix Fury vs. Makhmudov Full Card, Ring Walk Times and How to Watch Can’t Stand Liquid Glass? This New Hidden iPhone Setting Is A Game-Changer Test-Driving The 2026 Changan Deepal S05: Italian Style Made In China NSA Warning—Reboot Your Internet Router Now Ways That Human-AI Collaboration Slides People Into ‘AI Brain Fry’ And Cognitive Downturns Stop Using These Networks—Google, NSA And TSA Warn NASA Changes Moon Plan: Landing Now Depends On SpaceX Or Blue Origin Samsung Expands One UI 8.5 Beta To More Galaxy Owners The Evolution Of Programmable Hardware At Xilinx NYT Mini Today: Saturday, April 11 Hints And Answers Today’s NYT Strands Hints, Spangram, Answers: Saturday, April 11 (You’re Putting Me On) Splashdown! NASA’s Artemis II Returns To Earth After Moon Mission Attention Is All You Need. The Human Kind Is Still The One That Counts Today’s Wordle #1757 Hints And Answer For Saturday, April 11 NYT Pips Today: Hints, Answers And Walkthrough For Saturday, April 11 Android Circuit: Galaxy S27 Pro Emerges, Honor 600 Pre-Order Offers, Pixel 11 Display Leaks Apple Loop: iPhone 18 Pro Leak, Urgent iOS Update, MacBook Neo Issues Morgan Stanley Has Mostly Positive Outlook On Tesla Robotaxi, FSD V15 Running Out Of AI Tokens Faster Than Ever? Here’s Why CoreWeave Shares Pop 13% After Anthropic Deal ‘Euphoria’ Season 3’s Rotten Tomatoes Score Crashes, Has Lost Key Player People Don’t Agree On What AI Can Do, But They Don’t Even Use The Same Product ‘Overwhelming’—Google Issues Gemini Update For Gmail Users NYT Connections Hints Today: Saturday, April 11 Clues And Answers (#1035) Quordle Hints Today: Saturday, April 11 Clues And Answers The Costly Dream Of Space-Based AI Infrastructure Can You See The Watcher In This ‘Daredevil: Born Again’ Shot? Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update You Just Watched The Backdoor Pilot For ‘The Pitt: Night Shift’ Are Nicotine Pouches Like Zyn And VELO Safe To Use? A Doctor Answers Human Resources (HR) Is The Key To AI Success Per WalkMe ( SAP)
How Mythos’ Vulnerability Apocalypse Will Play Out
Mark Kraynak · 2026-04-25 · via Forbes - Innovation
The Edge Of Doom

The Edge of Doom, Between 1836 and 1838. Found in the Collection of Brooklyn Museum, New York. (Photo by Fine Art Images/Heritage Images/Getty Images))

Getty Images

Anthropic announced Claude Mythos Preview two weeks ago. It’s a new version of the company’s general-purpose language model, with the fanfare that it is "strikingly capable at computer security tasks." So capable in Anthropic’s view that it has decided to withhold its general release to give the security industry time to catch up. To that end, it created Glasswing, a structured program for reaching out to a select number of organizations that Anthropic deems worthy of the preview.

Ever since, the industry has been debating the impact of Mythos/Glasswing. Much of the conversation is about the immediate impact of Mythos’ capabilities (though the novelty and uniqueness are in debate) and the specifics of the controlled rollout (i.e., Glasswing). Ironically, it was reported this week that there has already been unauthorized use of the Mythos preview. What’s largely missing from the current debate is a point of view as to how all of this is likely to play out given long running industry dynamics at play.

The Three Main Camps

The first camp believes this is vulnerability Armageddon and the industry is going to drown in security exploits, leaving chaos and destruction behind. This view is represented by an analysis published by Gordon Goldstein of the Council on Foreign Relations.

A second camp has emerged, taking a more practical but still pretty hair-on-fire approach, trying to lay out what can be done to defend. This is best represented by the work of 250+ CISOs who collaborated on a paper published by the Cloud Security Alliance.

It’s worth noting that a subgroup of this second camp has been harshly critical of a perceived naivete in the way Anthropic has gone about this process, arguing that patch management is far more nuanced than is being accounted for.

A third camp is taking the position that the Mythos drama is largely hype or noise and while they also agree it’s a problem, it’s not unique or new. Representative here would be a blog by Stanislav Fort of AISLE.

Each of the camps brings some good points to the discussion but overlooks some aspect of the situation and, overall, a longer-term view of what happens after the initial/ongoing vulnerability explosion plays out.

The AISLE research is a good place to start. It showed that Mythos’ advantage on vulnerability discovery isn’t actually unique or inaccessible in the market. AISLE was able to replicate the flagship Free BSD exploit from the Mythos announcement with eight out of eight open-weight models, including one costing only 11 cents per million tokens. This shows that while Mythos might be a step up in convenience or productivity, it’s not strictly new. Given this, it’s a safe assumption that even moderately skilled attackers already had access to this capability.

This latter point seems to be confirmed by a recent, nearly coincident in timing announcement from NIST changing the criteria for which CVE submissions will be enriched by in the National Vulnerability Database. Because of surge of 263% in submissions from 2020 to 2025, and a one-third increase this year alone, NIST will focus only on CVEs that it deems critical. In other words, the pace of vulnerability discovery, prior to the Mythos’ preview, is already outrunning the human infrastructure meant to respond. It’s impossible to say for sure this is due to AI, but it’s a good bet. Mythos, and other models like it that are sure to follow, might accelerate, or even dramatically accelerate this pace, but the dynamic is not new.

Further, as Rich Mogull, one of the lead authors on the Cloud Security Alliance paper, pointed out, Anthropic’s own report acknowledges that Mythos was unable to remotely exploit any of the vulnerabilities it found. The reason was that security mitigations in place prevented remote exploit. In other words, “Defense in depth held” (Rich’s emphasis).

Two Paths (Neither Will Work)

That said, everybody is in agreement that the pace of vulnerability discovery and the potential impact of models like Mythos is a problem. So far, the response pattern follows one that seems logical at first but is doomed to fail.

Glasswing is limiting preview access. According to the announcement, 12 large organizations were named as launch partners, but Anthropic has “extended access to over 40 additional organizations that build or maintain critical software.” It’s hard to imagine that it is more than a drop in the bucket when compared to the number of organizations likely to be affected. As was shown in the AISLE research, protecting the world from Mythos results that already can be replicated by open-weight models seems kind of pointless. Furthermore, it has been reported that unauthorized users have already found a way to access Mythos. Choose your metaphor: there is no way to keep this cat in the bag, Pandora’s box is already open, etc.

A theoretically more sustainable approach, though not without short-term pain, is to learn a lesson from cryptography. In1883, Auguste Kerckhoffs wrote a paper that laid out several principles for improved cryptography. Notably he argued that a cryptographic cipher should remain secure even when the enemy knows everything about it except the key. A century of experience with proprietary crypto libraries failing has yielded an unambiguous consensus that the only cryptography worthy of use is that which has been publicly published and rigorously vetted for exploitability.

By embracing a version of the Kerckhoffs principle and relying on software that has been battle-tested in an open way, it’s possible that the problems of software vulnerability could meaningfully improve to a more sustainable and less vulnerable state. This would mean only trusting code or code components that were open source and had come out the other side of the vulnerability apocalypse and its aftermath.

In practice, it’s not feasible for all code to be open to full inspection in a public way. Companies need to be able to monetize IP, which means keeping some secrets. The compromise path forward will be to rely on open source for everything not intellectual property relevant and to use the best models for vulnerability discovery on everything that is closed source. In essence, SaaS companies do a version of this today as much of the code in their infrastructure is built from open source. The key difference is that in this hypothetical future, all of that open source code has been more rigorously vetted by frontier models.

Another practicality problem with this future is the inevitable tragedy of the commons. Almost every software company and many enterprises use open source software and very few pay to discover and remediate vulnerabilities in that code. This seems unlikely to change. And while models like Mythos make vulnerability discovery easier, tokens aren’t free. When the Glasswing open source subsidies run out, the industry is going to have to reckon with a world in which whoever is willing to pay for the compute of vulnerability discovery gets access to the information.

In a perfect world, government and industry would collaborate to fund this. But in our world, it’s much more likely that the vetting of open source continues to be mostly non-consensual, by attackers, resulting in a cycle of pain. A huge exploit event (like the recent LiteLLM supply chain attack) will happen. There will be a flurry of patching. Then back to the normal routine until the next widespread attack event. These cycles will repeat, but with luck in the long term, we should end up with a de facto version of the Kerckhoffs principle.

What This Means For The Industry

For vulnerability discovery companies, the outlook is bad. For sure, code vulnerability scanners in the short term will see a lot of pressure from Mythos and its peer models. But it also seems likely that models will solve more general vulnerability discovery (think configurations, etc.) as well.

For remediation vendors, the short term looks great. There will be strong demand from the Glasswing output. They should also benefit from the mass exploit pain cycles. In the longer term, it’s unclear whether foundation models will be able to do this well.

For defense in depth vendors (i.e., security products that focus on prevention), things look great. For one thing, defense in depth is currently working to mitigate the threat. Mythos didn’t accomplish remote exploit. As counter intuitive as it may seem, CISOs should invest in these kinds of tools this at least as much as they are investing in patching.

Open source software users are going to have a very rough go of it in the short and medium terms. The mass exploit cycle that’s coming will be painful. In the long term, though, I’m hopeful this turns around and we reach some sort of Kerckhoffs state for open source software.