Anthropic's Claude Mythos model cost $20,000 to find a single 27-year-old OpenBSD bug, and the entire Project Glasswing burned through a $100 million token budget. That's not a revolution - it's an expensive scaling exercise that most attackers can't afford.
Why the Panic Over Mythos Misses the Real Story
The UK AI Security Institute called Mythos the first model to complete "The Last One" cyber range - a full attack chain from reconnaissance to network takeover. GPT-5.4 and Opus 4.6 weren't far behind on the same benchmarks. Those benchmarks also lack active defenders and any penalty for noise, so a real SOC would catch most Mythos-driven attacks before they pivoted.
Mythos's main marketing trick was highlighting vulnerabilities old enough to drive - like that 16-year-old FFmpeg bug. Old bugs are valuable because they affect more versions, but they're not harder to find. They just needed someone to look. Mythos looked, repeatedly: a thousand runs through its scaffold to snag that OpenBSD bug, at $20,000 a pop.
Open Models Are Catching Up Quickly
For anyone without access to Mythos or Opus, DeepSeek runs decently in the cloud, while Gemma 4 and Qwen 3.6 punch above their weight in self-hosted setups - finding about half the vulnerabilities Mythos spotted in the benchmark. Aisle claimed the secret is all in the harness, not the model. That's half true: smaller models can detect vulnerabilities, but they can't produce valid exploits. Mythos-class models prove exploitability, which solves the false positive plague that killed earlier AI bug hunting.
Mozilla reported 271 findings with an extremely low false positive rate. Cloudflare said the false positive rate was "better than human testers." Those claims need wider verification, but if they hold, Mythos's real advantage is reducing noise - not finding bugs that others can't.
Where This Leaves the Cybersecurity Industry
Mythos brings new risks, but only for actors who already had advanced cyber resources. Not for the average script kiddie. The US government blocking Fable (Mythos's safeguard-heavy cousin) gives OpenAI time to catch up. The next interesting question: how fast can open models close the exploit gap? Because if Gemma 4 learns to weaponize its findings at DeepSeek's compute cost, the Mythos era might be shorter than Anthropic's PR campaign suggests.
Source: Post-Mythos Cybersecurity: Keep calm and carry on
Domain: cephalosec.com