Industry News & Leadership, May 09, 2026

Anthropic's Mythos set off a cybersecurity 'hysteria.' Experts say the threat was already here - CNBC

CNBC, archived May 09, 2026

Key Points
- Cybersecurity experts and AI researchers tell CNBC that the perils revealed by Mythos are achievable using older models, including those from Anthropic and OpenAI.
- AI is accelerating how quickly vulnerabilities are found, but companies still take days or weeks to patch them, creating a widening gap that leaves systems exposed.
- While Anthropic, OpenAI and others are working on developing cyber defense capabilities, the initial advantage goes to offense, not defense, say researchers.
- In comments to CNBC, Anthropic didn’t dispute that earlier models were capable of finding software vulnerabilities.

Global banks, tech giants and governments were sent scrambling last month to contain the risks posed by Mythos, the Anthropic model said to be so powerful that it has found thousands of previously unknown vulnerabilities in the world’s software infrastructure.

There’s just one problem: the capability they’re worried about is already here.

Cybersecurity experts and artificial intelligence researchers told CNBC that the software vulnerabilities revealed by Mythos can be found using existing models, including those from Anthropic and OpenAI.

“What we are seeing across the industry now is that people are able to reproduce the vulnerabilities found with Mythos through clever orchestration of public models to get very, very similar results,” said Ben Harris, CEO of cybersecurity firm watchTowr.

Mythos has jolted executives and policymakers alike over concern that a perilous new era of AI-enabled cybercrime may be near.
Anthropic limited its release to a few American companies including Apple, Amazon, JPMorgan Chase and Palo Alto Networks to reduce the risk that bad actors get their hands on it. Even with that precaution, the release has prompted the Trump administration to consider new government oversight over future models.

It’s the latest in a string of high-profile launches from Anthropic that have intensified its rivalry with OpenAI as the two AI giants approach their highly anticipated initial public offerings.

Weeks after the arrival of Mythos, OpenAI CEO Sam Altman announced GPT-5.5-Cyber, a model specifically tailored for cybersecurity. OpenAI on Thursday allowed limited access to GPT-5.5-Cyber to vetted cybersecurity teams.

The controlled rollout of Mythos, part of a security measure called Project Glasswing, was to give the corporate world time to gird its cyber defenses against a coming onslaught of attacks from criminal groups and adversarial nations.

“The danger is just some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that’s done from ransomware on schools, hospitals, not to mention banks,” Anthropic CEO Dario Amodei said this week at an Anthropic event.

‘Scary enough’

But to those fighting in the trenches of cyber warfare, one of the key capabilities advertised by Anthropic — to find software vulnerabilities at scale — has been around since last year.

“The models that we have right now are powerful enough to detect zero days in a large scale, and this is scary enough,” Klaudia Kloc, CEO of cybersecurity firm Vidoc, told CNBC. That has been the case for “a couple of months, if not a year,” she said.

The term “zero-day” refers to a previously unknown software flaw that hasn’t been patched, giving attackers a window to exploit it before defenders can respond.

Researchers at Vidoc leaned on a technique called “orchestration” to test if they could find the same vulnerabilities that Mythos did.
As the name suggests, the process involves creating workflows that split code into smaller pieces, coordinating between various tools or models to cross-check results.

“We ran older models against the same code base to see if we’d be able to detect the same vulnerabilities,” Kloc said. “We did, with both OpenAI and Anthropic’s older models.”

Another cybersecurity firm, Aisle, found that many of Mythos’s headline results could be reproduced using cheaper models working in parallel — suggesting that scale and coordination were more important than having the latest model.

“A thousand adequate detectives searching everywhere will find more bugs than one brilliant detective who has to guess where to look,” Aisle founder Stanislav Fort wrote in a blog post.

In comments to CNBC, Anthropic didn’t dispute that earlier models were capable of finding software vulnerabilities.

In fact, a company spokesperson said, Anthropic has been warning for months that AI’s cyber capabilities were advancing rapidly. They pointed to a February blog post showing that Claude Opus 4.6, a widely available model, found more than 500 “high severity” vulnerabilities in open-source software.

At the Anthropic event this week, Amodei affirmed this point, saying that while the scale of software vulnerabilities found by Mythos surged from earlier models, the trend wasn’t new.

“The risks are very real. This is why we took the actions we did,” Amodei said. “But they’re also, in some sense, not that surprising. ... We’ve been seeing warnings of this for a while.”

Hysteria and panic

What makes Mythos different is its ability to take the next step, developing working exploits with little or no human input, effectively automating a process that previously required skilled researchers, the Anthropic spokesperson said.

But hackers working for criminal groups and adversarial nations already have this skill set, cyber researchers say.
Hackers in North Korea, China and Russia “know how to do this, with or without Anthropic,” Kloc said.

The threat of AI-enabled hacking has corporations and government regulators worried about protecting crucial systems from a new wave of ransomware and other types of attacks, according to Harris. He described conversations with banks, insurers and regulators in recent weeks as “hysteria.”

Even before the advent of generative AI, corporations faced the problem of skilled hackers exploiting newfound vulnerabilities in hours, while patching the code often takes days or weeks. Some patches require key systems to be taken offline, complicating matters.

“The industry is panicking about the number of vulnerabilities they face now,” Harris said. “But even before Mythos is widely available, it couldn’t fix vulnerabilities fast enough.”

Before, only a tiny population of experts globally had the ability and time to find obscure vulnerabilities in software and exploit them, according to Harris. Now, using currently available AI models, the barriers of entry to wreaking cyber havoc have been lowered.

That means that banks and other targets will see more attacks, and that software systems that previously didn’t draw as much interest from cybercriminals will now face threats, Harris said.

Advantage: Offense

While Anthropic, OpenAI and others are working on developing cyber defense capabilities commensurate with the problems they have identified, the initial advantage goes to offense, not defense, researchers say.

JPMorgan’s Jamie Dimon suggested as much when he said last month that while AI tools could eventually help companies defend themselves from cyberattacks, they are first making them more vulnerable.
“You have a significant increase in the volume of vulnerabilities discovered, but they don’t seem to have deployed a tool that helps you fix them,” said Justin Herring, partner at the law firm Mayer Brown and former executive deputy superintendent for cybersecurity at New York’s financial regulator.

“Vulnerability management is the great Sisyphean task of cybersecurity,” Herring said.

The limited group that was part of the initial Mythos release got a head start on patching vulnerabilities, but there is a downside. AI researchers haven’t been given access to Mythos to independently verify Anthropic’s claims or to begin building defenses against it. Some say it prevented the wider cyber community from being part of the solution.

It has created “tiers of haves and have-nots,” which could stunt the pace of cybersecurity innovation, said Pavel Gurvich, CEO of cybersecurity startup Tenzai, which uses Anthropic’s models. Many cybersecurity startups are working on solutions that can help businesses in this new era of AI, he said.

“They’re trying to figure out the best way to fix the world before this becomes accessible to the world,” said Ben Seri, co-founder of cybersecurity startup Zafran Security. “It’s this kind of chicken-and-egg situation, and you’re going to break some eggs. It’s unavoidable.”