Titania CTO Andrew Woodford is intrigued to see what Anthropic’s Mythos AI uncovers next… but it won’t be the answers to how to protect networks.
The arrival of Mythos AI has got everyone talking – from the cyber community to the mainstream media. Coverage has oscillated between horror and awe; will this new AI threat detection tool, with the power to uncover Zero Day vulnerabilities in every application released over the last 27 years, be harnessed for good, or will it tumble to the dark side?
Much of this has been deftly fanned by Anthropic itself, keeping the solution strictly ring-fenced among the participants in Project Glasswing while proclaiming ominously how dangerous Mythos could be if it fell into the wrong hands.
Beyond the drama, there’s undoubtedly brilliant tech here: the capacity to analyse that much code, that fast, to find memory leaks, unexpected paths and both common and uncommon vulnerabilities. For developing and testing software, it’s possibly game-changing. At the very least, it should enable any existing common vulnerabilities and exposures (CVEs) to be found and patched, while simultaneously reducing the number of new issues found in commercial software releases. That could mean fewer patches, less focus on fixing and more on improving.
But in the network space, which is widely recognised as the most exploitable part of the infrastructure, the focus on code is secondary.
What matters more is some essential housekeeping: are your devices hardened to the latest vendor-recommended standards, so that you’ve already addressed known exposures? Do you have segmentation in place, so that even if attackers get through the perimeter security, they can’t access critical systems? And are your routers and firewalls enforcing your access policies correctly?
These are the factors that provide fundamental protection for your network, essential systems and data from attack. Once you’ve got these basics set up, and made sure that they are operating as they should, there may be a value in conducting further analysis with AI vulnerability management solutions.
Even then, the Mythos AI model does not necessarily offer the most useful answers. Uncovering dozens of previously unrecognised vulnerabilities across your applications could overwhelm security teams. To merely investigate each of them would take considerable time; to remediate would take even longer.
However, Mythos is not yet able to discern the most significant or exploitable risks… and what we all know about AI tools is that they don’t get it right all the time, so the human triage is vital.
Put another way, it lacks context: it may spot a significant vulnerability in code, but doesn’t assess whether that vulnerability is actually exploitable once the system is correctly configured. It could be on a closed or isolated system with minimal access.
For example, experienced engineers already suspect that their critical UNIX-based systems that have run constantly for 25 years have holes in their code. Yet they are even more certain that they can’t risk the downtime to address those potential vulnerabilities, and that the essential software isn’t compatible with more recent releases of the operating system. The only way to protect them against AI cybersecurity risks is through network segmentation and attack surface reduction: putting up walls that prevent access to these mission-critical tools.
By contrast, a vulnerability in the globally available web app, which links to a customer database, is clearly a higher risk. Mythos doesn’t yet (as far as I’m aware) consider this context or risk-score the vast number of vulnerabilities it can find.
There is a clear parallel with recent changes at NIST, which manages the US national vulnerability database. Faced with a 263% increase in reported vulnerabilities over five years, NIST has shifted focus toward those affecting critical software or known to be actively exploited—fewer than 1% of the total. Mythos AI threat intelligence currently resembles NIST’s old, exhaustive approach rather than this more targeted, risk-driven model.
There’s also another factor that mitigates against using Mythos to protect your network: cost. The actual pricing of the solution has yet to be revealed, but the computing power needed to run such deep analyses will be considerable. AI vulnerability management will not be like asking a query of ChatGPT or Copilot. While the organizations involved in the Mythos trial undoubtedly all have high cyber risks to consider, they also have the resources to invest; smaller businesses will not.
And finally, my focus so far has been on why Mythos AI is not suited to the task of protecting networks. But what about attacking them?
Of course, this remains a risk – less so through Mythos itself, than through imitators who may not share Anthropic’s morals and motivations. But the best defence remains the essential housekeeping outlined above. In 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) released their “top ten cybersecurity misconfigurations”. The most common of all was unhardened default configurations. While AI can accelerate the process, attackers don’t need Mythos to find and exploit these.
So let me say it again: Mythos is amazing. I am fascinated to learn more about it.
But it’s not going to protect your network. There are steps you can take, like network hardening and segmentation, and tools you can use, already to do that – including Titania’s Nipper solutions. And by taking these steps, you build up layers of defence so that when adversaries get hold of a Mythos-like tool, you’ve already reduced the attack surface and limited the potential impact of a breach. Don’t wait for AI to provide the solution; it’s in your hands already.
Find out more about Nipper solutions