"I heard there is some cool AI tech now that solves all cybersecurity problems."

"No, that's just a mythos."

Yes, we do watch videos!

Keep calm, find and fix bugs, make the world a bit safer one bug at a time...

And ignore the hype train, but keep an open eye on how real and measurable things develop. Just what we did before.

I know. I've been done that. I was the only technician that talked to the compliance people so I "earned" all of the work involved in communicating and bridging both worlds.

And since then it just got worse. Nobody cares about it security. The compliance people are just writing some shit and at this point in many companies they don't even expect their technicians to actually implement it anymore either (if it is even possible at all).

It's just a work creation measure at this point…

Didn't OpenAI pull the:"oh no it's too powerful, humanity couldn't take it yet so we're not releasing it to the public", stunt with one of their earlier models as well?^^

Emphasis on small.

We have not really been great at cyber security in the past, and improvements are needed all across the board. We won't be great at it tomorrow because magic.

Having one component potentially improve is, especially given how speculative the current situation is, is nothing to really worry about. Rather the contrary.

Time will tell, some processes might change, and that is likely all that will happen for a long time.

Most humans in cyber security will very likely notice very little impact for now. Can this all go sideways? Yes, of course. Is it time to say that cyber security is over? I don't think so. At all.

Anyway, even if Mythos is as good as they claim, that's not really a problem as long as it is available only to a few. It's when every script kiddie gets access to it that we should start worrying.

OSS library releases patch, model looks at diff + cve description and drops a working exploit for a couple of hundred $ of compute.

Most companies (at least this side of the pond) are not currently equipped to deal with continuously applying patches for 1-day vulns in prod.
Many large orgs here are proud that they've managed to get on a monthly update cycle

Well cybersecurity is over but not because of this but because of everyone and their mother deploying openclaw in production...

What's actually happening is... uhm... a whole heap of nothing but people copy and pasting marketing about how cybersecurity is over.

It's not though, is it?

The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.

So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.

The proof is going to be if any of the open source vulns turn out to be important. So far:

I was under the impression that the open source projects they communicated their findings with have confirmed them?

Stringing together exploits and ROP-chains is what had me take it seriously. It's not that we can't do that as well, it's being able to automate it at scale that's worrying.

(And that's not a worry about _Mythos_ - we know the open models lag ~1 year behind the cloud models so these capabilities can be expected to be at nation state actors about now and with "everyone" in a year)

@malwaretech

Aisle (active in this space) did the research backing this up:

https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier