Discussion

• @dinodaizovi Dino A. Dai Zovi on x

  This, 1M% this: “The principle is to make exploitation harder for an attacker even when a bug exists, so that the gap between when a vulnerability is disclosed and when it is patched matters less. That means defenses that sit in front of the application and block the bug from

• @dillon_mulroy Dillon Mulroy on x

  great write up on how our security team(s) built a harness around mythos

• @kr0der Anthony Kroeger on x

  i read it and thought these 2 main points were interesting: 1.  Mythos vs other frontier models - Frontier models could find a lot of the individual bugs, but a lot of cyber attacks use multiple small bugs chained together.  Frontier models weren't that good at piecing these smal…

• @mdisec @mdisec on x

  “Well, the great researchers are submitting world class reports assisted by AI at an even greater pace, and the less skilled researchers are polluting the triage queue with genuinely unimportant vulnerability reports”😉

• @dan_jeffries1 Daniel Jeffries on x

  This is the kind of conversation we need, not idiotic ones about the end of all software... it can't just be patching the 100 or so projects that got access to Project Glasswing.  That is not gonna help the world... In the long run, AI will make software more secure, not less.  B…

• @samuelcolvin Samuel Colvin on x

  Reading this, the bun rewrite to rust makes much more sense.  My guess: Mythos looked at bun and had a shit fit - generated a deluge of vulnerabilities and memory bugs so vast and profound that they would be effectively impossible to fix in zig.  Anthropic looked at the report an…

• @jeredbare Jered Bare on x

  I'm preaching you need to sprint to do the basics and do them well to help defend against AIs like Mythos. This is crap we should have done 20 years ago, but ran to the “next-gen” products thinking it would save us.

• @merill Merill Fernando on x

  CloudFlare's post is one of the better written reports on Mythos. Worth a read for both devs and cybersec folks.

• @nneuman Nick Neuman on x

  Interesting security post about real experience using Mythos Yet I yearn for the days of reading important posts that aren't written by an LLM

• @cvander Christian Van Der Henst on x

  Mythos in the right hands is good for the ecosystem

• @patmeenan Patrick Meenan on x

  Great write-up from @cloudflare on how they chain Mythos agents together into a useful harness. A lot of lessons in there apply well beyond just vulnerability scanning. The adversarial review by other agents (and models) works great on code investigations and reviews too.

• @argvee Heather Adkins on x

  Nice write up from the Cloudflare team, but the post here is misleading. Patch faster is not the wrong answer, because most teams are patching on the order of weeks or months. You must patch faster than that right now. But I will agree that 2 hours is infeasible beyond the

• @rekdt @rekdt on x

  It's really funny watching companies learn things like patching at high velocity isn't a cybersecurity silver bullet The state of cybersecurity is so bad in tech today, they're recreating defense in depth from first principles

• @lucasmeijer Lucas Meijer on x

  Amazing post. Giving LLM's narrow tasks, and composing those as lego blocks gives much better results than “just ask the model”. great example of what the lego blocks & composition look like for a security scanner.

• @maxedapps Maximilian on x

  This perfectly sums up one of the biggest issue of current-gen LLMs & coding agents [image]

• @talbeerysec Tal Be'ery on x

  A must read. One thought: Does AI flip the OSS security tradeoff? OSS was pitched as more “good eyeballs” on your code, catching bugs before “bad eyeballs” do. But now devs get eyeballs from AI. Maybe closed source makes sense, to starve the bad eyeballs. @thegrugq @ImposeCost

• @dok2001 Dane Knecht on x

  Mythos and other frontier models, pointed at live code across critical Cloudflare infrastructure. An honest read on what's working and what comes next. https://blog.cloudflare.com/ ...

• @yuris Yuri Sagalov on x

  “Mythos Preview is a real step forward, and it's worth saying that plainly before getting into anything else. We've been running models against our code for a while now, and the jump from what was possible with previous general-purpose frontier models to what Mythos Preview does

• @zackkorman Zack Korman on x

  Cloudflare is right about this. You're not going to be able to patch fast enough, but you can build your systems so that the vast majority of vulnerabilities don't matter. If you've not done that, you're going to have a bad time. [image]

• @cloudflare @cloudflare on x

  Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next.

• Anuk Fernando Anuk Fernando on linkedin

  AI has officially entered its “Senior Security Researcher” era.  Cloudflare's security team recently spent weeks testing Anthropic's new Mythos Preview against 50+ of their own code repositories. …

• Grant Bourzikas Grant Bourzikas on linkedin

  Mythos is the first real step into agentic AI for security, and the direction is hard to miss. As part of Project Glasswing …

• @justinhendrix Justin Hendrix on bluesky

  “Anthropic has agreed to brief leading finance ministries and central banks on vulnerabilities in the global financial system's cyber defences identified by the US technology company's latest AI model.”