AI exploit generation: tempo threat vs. capability hype
Anthropic's Mythos generates working exploits from source code, but tempo beats magic as real threat JFokusTL;DW
- Mythos can generate working exploits from source code, but this capability—combining multiple vulnerabilities into chained attacks—is the real news, not the bug-finding itself.
- Mozilla found 271 vulnerabilities with Mythos, but Mozilla also dramatically improved its harnessing techniques (prompting strategies), so improvements may reflect both model capability and better instructional methods, not just the model alone.
- Mythos completed a 32-step network intrusion challenge (17/100 success rate) that previous Claude models couldn't finish, demonstrating genuine progress on multi-step exploitation tasks.
- When tested on curl (176,000 lines of highly-audited C code), Mythos found only one real vulnerability of low severity—not catastrophic, and suggests well-maintained codebases remain defensible.
- The real threat is tempo: the time from vulnerability discovery to working exploit is shrinking, and the number of actors capable of building exploits is growing, raising the attack surface across all organizations.
- Classical vulnerabilities (buffer overflows, injection flaws, XSS) remain unchanged; Mythos is simply faster at finding and weaponizing them, not discovering fundamentally new attack vectors.
- Project Glass Wing aids only Big Tech and Linux Foundation projects; most organizations are unprotected, and the window before open-access models (like Deep Seek V4) ship is likely 3–12 months.
- Organizations must immediately inventory dependencies against CVE databases, measure mean time to remediation, and reduce it from months to days to stay ahead of accelerating exploit generation.
- Defensive actions—SOCs, intrusion detection, anomaly detection—matter far more than previously appreciated and should be core architecture concerns, not afterthoughts delegated to ops teams.
- Open source sustainability is broken; major companies use curl, OpenSSL, and others without funding maintainers, leaving critical infrastructure vulnerable to the same Mythos-accelerated exploitation timeline.
TL;DW
- Mythos can generate working exploits from source code, but this capability—combining multiple vulnerabilities into chained attacks—is the real news, not the bug-finding itself.
- Mozilla found 271 vulnerabilities with Mythos, but Mozilla also dramatically improved its harnessing techniques (prompting strategies), so improvements may reflect both model capability and better instructional methods, not just the model alone.
- Mythos completed a 32-step network intrusion challenge (17/100 success rate) that previous Claude models couldn't finish, demonstrating genuine progress on multi-step exploitation tasks.
- When tested on curl (176,000 lines of highly-audited C code), Mythos found only one real vulnerability of low severity—not catastrophic, and suggests well-maintained codebases remain defensible.
- The real threat is tempo: the time from vulnerability discovery to working exploit is shrinking, and the number of actors capable of building exploits is growing, raising the attack surface across all organizations.
- Classical vulnerabilities (buffer overflows, injection flaws, XSS) remain unchanged; Mythos is simply faster at finding and weaponizing them, not discovering fundamentally new attack vectors.
- Project Glass Wing aids only Big Tech and Linux Foundation projects; most organizations are unprotected, and the window before open-access models (like Deep Seek V4) ship is likely 3–12 months.
- Organizations must immediately inventory dependencies against CVE databases, measure mean time to remediation, and reduce it from months to days to stay ahead of accelerating exploit generation.
- Defensive actions—SOCs, intrusion detection, anomaly detection—matter far more than previously appreciated and should be core architecture concerns, not afterthoughts delegated to ops teams.
- Open source sustainability is broken; major companies use curl, OpenSSL, and others without funding maintainers, leaving critical infrastructure vulnerable to the same Mythos-accelerated exploitation timeline.
Dan Bergh Johnsson dissects what Mythos actually demonstrates: exploit generation from identified vulnerabilities, not novel attack vectors. Mozilla's harness improvements mattered as much as model capability; curl's 176K audited lines yielded one non-critical find. The real risk is speed—AI compresses the window from vulnerability discovery to working exploit.
