惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
量子位
The Cloudflare Blog
美团技术团队
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Proofpoint News Feed
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
博客园 - 司徒正美
宝玉的分享
宝玉的分享
T
Threatpost
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
T
Threat Research - Cisco Blogs
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
博客园 - 聂微东
A
Arctic Wolf
I
Intezer
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
爱范儿
爱范儿
Hugging Face - Blog
Hugging Face - Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
小众软件
小众软件
T
Tailwind CSS Blog
The Hacker News
The Hacker News
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
TaoSecurity Blog
TaoSecurity Blog
Project Zero
Project Zero
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cloudbric
Cloudbric
雷峰网
雷峰网
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
大猫的无限游戏
大猫的无限游戏
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V2EX - 技术
V2EX - 技术
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog

Forbes - CIO Network

Ralliant’s Amir Kazmi On Wiring AI Into Critical Infrastructure Nvidia Buys Kumo AI To Bring AI Predictions To Business Data Anthropic's Fable 5 AI Model Offers More Power At A Higher Price Argentina Wants To Let AI Own Companies. Here’s What That Means The AI Conversation CEOs Are Not Having Out Loud Moneyball Meets AI: How The New York Jets Are Charting An AI Future How Anthropic, OpenAI and Nvidia Are Driving the AI Economy Wall Street Is About To Test AI's Trillion-Dollar Valuations The VPN Risk Too Many Companies Ignore The Agentic Enterprise Got A Major Upgrade This Summer. OpenAI, Anthropic And The $1 Trillion Question: Who Really Wins From AI? Trump's AI Evaluations Order: Right Policy, Unfinished Governance Trump's AI Order Creates A New Test For Frontier AI—And Public Trust Microsoft Build 2026 Reveals the Future of AI, Data and ERP Artificial Intelligence Positioned To Disrupt $5 Trillion Industry Healthcare CIOs Should Take Note Of Copilot Health Innovation At The Pace Of AI Requires A Different Corporate Metabolism How Expedia Is Reinventing Travel Through AI And Agentic Design The AI Risks CISOs Aren’t Talking About Enough Prat Vemana On Leading Technology, Product And AI Innovation At Target AI Spurs A Cultural Shift In A 1,000-Developer Insurance Company Rewiring Omnicom’s Operating Model For AI At Scale 4 AI Strategy Questions Every Executive Needs To Drive ROI Building A Retail Platform Across Iconic American Brands Why AI Likely Means More Work For Humans AI Flattening Organizations Is The Latest Chapter In A Continuing Story OpenAI And Anthropic Are Testing Two Very Different AI Business Models Why Nvidia Needs More Than GPUs To Win The AI Infrastructure Race Google Wants Gemini To Become The Operating Layer For AI Tokenomics 101: Cost Of Getting Work Done (Not The Cost Of Tokens). AI Security Threats Coming From Outside And Inside, And Few Are Ready The AI Trade Is Moving Beyond GPUs AI Turns Solo Workers Into Departments And VCs Are Paying Attention Employee’s AI Shortcut Triggers SEC Filing — Boards, Take Note Transforming Wealth Management Using AI At Citi Uber Burns Its 2026 AI Budget In Four Months On Claude Code The Cyber Resilience Standard Every Hospital CIO Must Meet AI Layoffs Are A Substitute For A Strategy The Last Competitive Advantage In Software Isn't Software Knowledge Management, The Tech World’s Step Child, May Be AI’s Salvation The AI Governance Talent Gap Is Smaller Than It Looks Capgemini Warns CEOs: Physical AI Can No Longer Be Ignored AI Opens Work Opportunities — We Just Can’t Imagine Them Yet Friendly Chatbots Make More Mistakes — And Annoy Your Customers More From Information Provider To AI Partner: Thomson Reuters’ Next Chapter AI Is Breaking Silicon Valley’s Global Playbook AI’s Data Surge Demands Action In A New Battle Over Creator Rights AI Transformation Of An Internet Era Success: The SurveyMonkey Story Could The Musk V. Altman Trial Change The AI Race? At Least 18% of Jobs Face Major AI Risk, OpenAI Economist Predicts As Musk Takes OpenAI To Court, Its $130 Billion Philanthropy Bet Faces A Trial OpenAI Publishes 5 Principles For Its AGI Push How Hearst Is Using Data And AI To Transform A 140-Year-Old Business 6 Employee Critiques About Their Companies’ AI Practices AI Boosts Productivity — And Fears Of Layoffs, Anthropic Study Finds Alleged Claude Mythos Breach Raises Questions About AI Security Consumers Warm Up To AI, Will Trust Follow? Stop Cleaning Your Data. Start Finding The Signal. Architecture: A Question At The Core Of AI In The Enterprise Why Healthcare AI Still Struggles To Deliver QClaw Goes Global. The Agent Built Itself In 5 Days Apple’s Tim Cook Exit Hides A $4 Trillion Agentic AI Power Move AI’s Missing Link Is Accountability Can A Startup Turn Night Into Day Using Space Mirrors? Why Sam Altman’s Warning About A Big Cyberattack In 2026 Is Overblown Most Employees Are Learning AI By Osmosis These Days OpenAI GPT-5.4-Cyber — The Security Of Tomorrow Or A PR Response To Claude Mythos? UF Health Names Healthcare Vet Craig Richardville As New Tech Leader Allbirds Ran Toward AI And The Stock Surged 800% Lisa Davis Is Doing Something About Being The Only Woman In The Room AI May Be Running Out Of Data, Stanford Report Warns Is The Cult Of ‘Tokenmaxxing’Just Another Fad Or The New Normal? Inside Syngenta’s AI Driven Approach To Modern Agriculture Forget Bigger Models, Neuromorphic AI Thinks Like A Human Brain CoreWeave Becomes AI's Landlord With Meta And Anthropic Deals AI Slop Is Real. Your Adoption Strategy May Be Making It Worse. Cloud Investments Not Keeping Up With AI With AI, Job Searches And Recruiting May Be Less Onerous, Hopefully The One AI Question Boards Should Stop Asking Their CEOs Turner Construction Appoints Former GE Aerospace Exec As CIO Ignore The Doom Talk: AI’s Real Value Only Arises When Humans Step Up China’s Grassroots OpenClaw Is Rewriting The Global Agentic AI Race Anthropic–Pentagon Dispute Brings A Turning Point For The AI Industry AI Delivering Value And ROI, But Think Twice Before You Cut March 31 Is World Backup Day. Here’s How To Protect Your Data Now AI Doesn’t Fix Systems — It Exposes Them The Healthcare Rule CIOs Shouldn’t Overlook AI: The Cybersecurity Crisis That Vendors Love Where Digital And Robot-Based AI Agents Now Prevail Quantum Computing’s Next Major Breakthrough May Come From Australia 6 Ways To Rise Above An Increasingly AI-Saturated World The Real Shift Is Not AI Tools. It Is Workflow Ownership We Trust AI Over Our Own Brains, Research Finds Pravina Ladva On How Swiss Re Uses Data And AI To Build Resilience We’re Still Only Seeing AI’s First-Order Effects, Former Tesla Head States Why China Is Winning The Open Source AI Race AI Doesn’t Own The Customer Yet. Here’s How Retailers Can Keep It That Way Shobhit Varshney Of Citi On Scaling AI With Purpose And Discipline How AI Is Transforming Patient Health At Genentech Agentic AI Reshapes Nvidia Strategy Beyond GPUs At GTC
How Mythos’ Vulnerability Apocalypse Will Play Out
Mark Kraynak · 2026-04-25 · via Forbes - CIO Network
The Edge Of Doom

The Edge of Doom, Between 1836 and 1838. Found in the Collection of Brooklyn Museum, New York. (Photo by Fine Art Images/Heritage Images/Getty Images))

Getty Images

Anthropic announced Claude Mythos Preview two weeks ago. It’s a new version of the company’s general-purpose language model, with the fanfare that it is "strikingly capable at computer security tasks." So capable in Anthropic’s view that it has decided to withhold its general release to give the security industry time to catch up. To that end, it created Glasswing, a structured program for reaching out to a select number of organizations that Anthropic deems worthy of the preview.

Ever since, the industry has been debating the impact of Mythos/Glasswing. Much of the conversation is about the immediate impact of Mythos’ capabilities (though the novelty and uniqueness are in debate) and the specifics of the controlled rollout (i.e., Glasswing). Ironically, it was reported this week that there has already been unauthorized use of the Mythos preview. What’s largely missing from the current debate is a point of view as to how all of this is likely to play out given long running industry dynamics at play.

The Three Main Camps

The first camp believes this is vulnerability Armageddon and the industry is going to drown in security exploits, leaving chaos and destruction behind. This view is represented by an analysis published by Gordon Goldstein of the Council on Foreign Relations.

A second camp has emerged, taking a more practical but still pretty hair-on-fire approach, trying to lay out what can be done to defend. This is best represented by the work of 250+ CISOs who collaborated on a paper published by the Cloud Security Alliance.

It’s worth noting that a subgroup of this second camp has been harshly critical of a perceived naivete in the way Anthropic has gone about this process, arguing that patch management is far more nuanced than is being accounted for.

A third camp is taking the position that the Mythos drama is largely hype or noise and while they also agree it’s a problem, it’s not unique or new. Representative here would be a blog by Stanislav Fort of AISLE.

Each of the camps brings some good points to the discussion but overlooks some aspect of the situation and, overall, a longer-term view of what happens after the initial/ongoing vulnerability explosion plays out.

The AISLE research is a good place to start. It showed that Mythos’ advantage on vulnerability discovery isn’t actually unique or inaccessible in the market. AISLE was able to replicate the flagship Free BSD exploit from the Mythos announcement with eight out of eight open-weight models, including one costing only 11 cents per million tokens. This shows that while Mythos might be a step up in convenience or productivity, it’s not strictly new. Given this, it’s a safe assumption that even moderately skilled attackers already had access to this capability.

This latter point seems to be confirmed by a recent, nearly coincident in timing announcement from NIST changing the criteria for which CVE submissions will be enriched by in the National Vulnerability Database. Because of surge of 263% in submissions from 2020 to 2025, and a one-third increase this year alone, NIST will focus only on CVEs that it deems critical. In other words, the pace of vulnerability discovery, prior to the Mythos’ preview, is already outrunning the human infrastructure meant to respond. It’s impossible to say for sure this is due to AI, but it’s a good bet. Mythos, and other models like it that are sure to follow, might accelerate, or even dramatically accelerate this pace, but the dynamic is not new.

Further, as Rich Mogull, one of the lead authors on the Cloud Security Alliance paper, pointed out, Anthropic’s own report acknowledges that Mythos was unable to remotely exploit any of the vulnerabilities it found. The reason was that security mitigations in place prevented remote exploit. In other words, “Defense in depth held” (Rich’s emphasis).

Two Paths (Neither Will Work)

That said, everybody is in agreement that the pace of vulnerability discovery and the potential impact of models like Mythos is a problem. So far, the response pattern follows one that seems logical at first but is doomed to fail.

Glasswing is limiting preview access. According to the announcement, 12 large organizations were named as launch partners, but Anthropic has “extended access to over 40 additional organizations that build or maintain critical software.” It’s hard to imagine that it is more than a drop in the bucket when compared to the number of organizations likely to be affected. As was shown in the AISLE research, protecting the world from Mythos results that already can be replicated by open-weight models seems kind of pointless. Furthermore, it has been reported that unauthorized users have already found a way to access Mythos. Choose your metaphor: there is no way to keep this cat in the bag, Pandora’s box is already open, etc.

A theoretically more sustainable approach, though not without short-term pain, is to learn a lesson from cryptography. In1883, Auguste Kerckhoffs wrote a paper that laid out several principles for improved cryptography. Notably he argued that a cryptographic cipher should remain secure even when the enemy knows everything about it except the key. A century of experience with proprietary crypto libraries failing has yielded an unambiguous consensus that the only cryptography worthy of use is that which has been publicly published and rigorously vetted for exploitability.

By embracing a version of the Kerckhoffs principle and relying on software that has been battle-tested in an open way, it’s possible that the problems of software vulnerability could meaningfully improve to a more sustainable and less vulnerable state. This would mean only trusting code or code components that were open source and had come out the other side of the vulnerability apocalypse and its aftermath.

In practice, it’s not feasible for all code to be open to full inspection in a public way. Companies need to be able to monetize IP, which means keeping some secrets. The compromise path forward will be to rely on open source for everything not intellectual property relevant and to use the best models for vulnerability discovery on everything that is closed source. In essence, SaaS companies do a version of this today as much of the code in their infrastructure is built from open source. The key difference is that in this hypothetical future, all of that open source code has been more rigorously vetted by frontier models.

Another practicality problem with this future is the inevitable tragedy of the commons. Almost every software company and many enterprises use open source software and very few pay to discover and remediate vulnerabilities in that code. This seems unlikely to change. And while models like Mythos make vulnerability discovery easier, tokens aren’t free. When the Glasswing open source subsidies run out, the industry is going to have to reckon with a world in which whoever is willing to pay for the compute of vulnerability discovery gets access to the information.

In a perfect world, government and industry would collaborate to fund this. But in our world, it’s much more likely that the vetting of open source continues to be mostly non-consensual, by attackers, resulting in a cycle of pain. A huge exploit event (like the recent LiteLLM supply chain attack) will happen. There will be a flurry of patching. Then back to the normal routine until the next widespread attack event. These cycles will repeat, but with luck in the long term, we should end up with a de facto version of the Kerckhoffs principle.

What This Means For The Industry

For vulnerability discovery companies, the outlook is bad. For sure, code vulnerability scanners in the short term will see a lot of pressure from Mythos and its peer models. But it also seems likely that models will solve more general vulnerability discovery (think configurations, etc.) as well.

For remediation vendors, the short term looks great. There will be strong demand from the Glasswing output. They should also benefit from the mass exploit pain cycles. In the longer term, it’s unclear whether foundation models will be able to do this well.

For defense in depth vendors (i.e., security products that focus on prevention), things look great. For one thing, defense in depth is currently working to mitigate the threat. Mythos didn’t accomplish remote exploit. As counter intuitive as it may seem, CISOs should invest in these kinds of tools this at least as much as they are investing in patching.

Open source software users are going to have a very rough go of it in the short and medium terms. The mass exploit cycle that’s coming will be painful. In the long term, though, I’m hopeful this turns around and we reach some sort of Kerckhoffs state for open source software.