Cloudflare tests Mythos against 50+ of its repositories, highlights its ability to chain bugs into one exploit, and details its vulnerability discovery harness
Cloudflare · Grant Bourzikas
Related Coverage
- Project Glasswing partners can now share Mythos findings beyond the programme (The Next Web · Ana-Maria Stanciuc)
- Mythos Preview Builds PoC Exploits in Automated Vulnerability Research (Cyber Security News · Guru Baran)
- AI might cut false positives, but it won't stop the slop (CyberScoop · Djohnson)
- Anthropic to present exposed Mythos flaws to global watchdog - claims critical vulnerabilities found ‘in every major operating system and web browser’ (TechRadar · Benedict Collins)
- Sources: Anthropic agrees to brief the Financial Stability Board on global financial system vulnerabilities found by Mythos, after a request by the FSB's Chair (Financial Times)
- Project Glasswing: what Mythos showed us (Hacker News)
- Anthropic Is Loosening the Secrecy Around Claude Mythos So Findings Can Be ‘Shared Broadly’ (Gizmodo · Mike Pearl)
- Cloudflare says Anthropic's Mythos Preview finds exploit chains that earlier frontier models missed (The Decoder · Maximilian Schreiner)
- Anthropic lets Glasswing partners publicly share Mythos flaws (ITPro · Nicole Kobie)
- Anthropic eases threat-sharing rules as Cloudflare details frontier AI cyber gains (Metacurity · Cynthia B Brumfield)
- Anthropic Said to Widen Mythos Threat Sharing Rules (WinBuzzer · Markus Kasanmascheff)
Discussion
- Dino A. Dai Zovi (@dinodaizovi) on X: This, 1M% this: “The principle is to make exploitation harder for an attacker even when a bug exists, so that the gap between when a vulnerability is disclosed and when it is patched matters less. That means defenses that sit in front of the application and block the bug from
- Dillon Mulroy (@dillon_mulroy) on X: great write up on how our security team(s) built a harness around mythos
- Anthony Kroeger (@kr0der) on X: i read it and thought these 2 main points were interesting: 1. Mythos vs other frontier models - Frontier models could find a lot of the individual bugs, but a lot of cyber attacks use multiple small bugs chained together. Frontier models weren't that good at piecing these smal…
- @mdisec on X: “Well, the great researchers are submitting world class reports assisted by AI at an even greater pace, and the less skilled researchers are polluting the triage queue with genuinely unimportant vulnerability reports”😉
- Daniel Jeffries (@dan_jeffries1) on X: This is the kind of conversation we need, not idiotic ones about the end of all software... it can't just be patching the 100 or so projects that got access to Project Glasswing. That is not gonna help the world... In the long run, AI will make software more secure, not less. B…
- Samuel Colvin (@samuelcolvin) on X: Reading this, the bun rewrite to rust makes much more sense. My guess: Mythos looked at bun and had a shit fit - generated a deluge of vulnerabilities and memory bugs so vast and profound that they would be effectively impossible to fix in zig. Anthropic looked at the report an…
- Jered Bare (@jeredbare) on X: I'm preaching you need to sprint to do the basics and do them well to help defend against AIs like Mythos. This is crap we should have done 20 years ago, but ran to the “next-gen” products thinking it would save us.
- Merill Fernando (@merill) on X: Cloudflare's post is one of the better written reports on Mythos. Worth a read for both devs and cybersec folks.
- Nick Neuman (@nneuman) on X: Interesting security post about real experience using Mythos. Yet I yearn for the days of reading important posts that aren't written by an LLM
- Christian Van Der Henst (@cvander) on X: Mythos in the right hands is good for the ecosystem
- Patrick Meenan (@patmeenan) on X: Great write-up from @cloudflare on how they chain Mythos agents together into a useful harness. A lot of lessons in there apply well beyond just vulnerability scanning. The adversarial review by other agents (and models) works great on code investigations and reviews too.
- Heather Adkins (@argvee) on X: Nice write up from the Cloudflare team, but the post here is misleading. Patch faster is not the wrong answer, because most teams are patching on the order of weeks or months. You must patch faster than that right now. But I will agree that 2 hours is infeasible beyond the
- @rekdt on X: It's really funny watching companies learn things like patching at high velocity isn't a cybersecurity silver bullet. The state of cybersecurity is so bad in tech today, they're recreating defense in depth from first principles
- Lucas Meijer (@lucasmeijer) on X: Amazing post. Giving LLMs narrow tasks, and composing those as lego blocks gives much better results than “just ask the model”. great example of what the lego blocks & composition look like for a security scanner.
- Maximilian (@maxedapps) on X: This perfectly sums up one of the biggest issues of current-gen LLMs & coding agents
- Tal Be'ery (@talbeerysec) on X: A must read. One thought: Does AI flip the OSS security tradeoff? OSS was pitched as more “good eyeballs” on your code, catching bugs before “bad eyeballs” do. But now devs get eyeballs from AI. Maybe closed source makes sense, to starve the bad eyeballs. @thegrugq @ImposeCost
- Dane Knecht (@dok2001) on X: Mythos and other frontier models, pointed at live code across critical Cloudflare infrastructure. An honest read on what's working and what comes next. https://blog.cloudflare.com/ ...
- Yuri Sagalov (@yuris) on X: “Mythos Preview is a real step forward, and it's worth saying that plainly before getting into anything else. We've been running models against our code for a while now, and the jump from what was possible with previous general-purpose frontier models to what Mythos Preview does
- Zack Korman (@zackkorman) on X: Cloudflare is right about this. You're not going to be able to patch fast enough, but you can build your systems so that the vast majority of vulnerabilities don't matter. If you've not done that, you're going to have a bad time.
- @cloudflare on X: Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next.
- Anuk Fernando on LinkedIn: AI has officially entered its “Senior Security Researcher” era. Cloudflare's security team recently spent weeks testing Anthropic's new Mythos Preview against 50+ of their own code repositories. …
- Grant Bourzikas on LinkedIn: Mythos is the first real step into agentic AI for security, and the direction is hard to miss. As part of Project Glasswing …
- Justin Hendrix (@justinhendrix) on Bluesky: “Anthropic has agreed to brief leading finance ministries and central banks on vulnerabilities in the global financial system's cyber defences identified by the US technology company's latest AI model.”