Mythos Zero Days Aren't the Real Problem
Vulnerability management hinges on good architecture practices. AI-powered vulnerability discovery doesn't solve for this in any meaningful way.
I think that a lot of the Anthropic Mythos coverage misses the forest for the trees. The news about Anthropic Mythos has been hyping the ability of the new AI engine to find vulnerabilities in all sorts of programs, including a 27-year-old vulnerability in FreeBSD. These stories consistently talk through the dangers for future vulnerability management practices.
In cybersecurity, vulnerability management is not the fundamental problem. Many teams can and do react quickly to remediate and patch vulnerabilities.
Fundamentally, cybersecurity efforts fail not because of a single vulnerability but because of bad architecture patterns. The continual FortiGate exploits aren’t a problem because of any specific vulnerability (the specific CVE number barely matters; there are so many on those devices at this point). The FortiGate exploitability problem is that there is a “trusted” device on the public internet with unfettered access to the rest of a company’s network and resources.
The problem Mythos may end up exposing at scale is that the industry has not properly funded vulnerability remediation efforts (which is something we’ve known for a long time), but by and large we still rely on bad architecture patterns that make zero-day vulnerabilities a problem.
I don't recall seeing a lot of writeups about exploitation, ransomware, or intrusions that surprise me. There are simply not very many novel exploitation techniques being used. Every writeup seems to revolve around the same thing (FortiGate CVE, Exchange CVE, file transfer appliance CVE, etc.) and/or the same misconfigurations (lack of MFA, public S3 buckets, etc.). Almost always the big attacks are against external-facing and/or cloud systems.
For example: if an attacker exploits a FortiGate, they have an easy attack path from a service running as a highly privileged user to the Active Directory domain controller. The problem isn't the hypothetical vulnerability on the FortiGate getting exploited; it's the fact that you have a privileged system on the public internet with line of sight to another privileged system.
The real investment gap isn't in finding vulnerabilities faster: it's in building networks where a single compromised perimeter device doesn't put an attacker on cruise control to ransomware city. Vulnerability management hinges on good architecture practices. AI-powered vulnerability discovery doesn't solve for this in any meaningful way.
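The architectural question above can be checked without knowing any CVE. The following is an added example, not part of the original post: it treats management-plane allow rules as a directed graph and reports every path from an internet-exposed asset to a tier-0 asset. The asset names, tags and rule sets are constructed for illustration.

```python
from collections import deque

def exposure_paths(assets, allow_rules):
    """Shortest allowed path from each internet-exposed asset to each tier-0 asset.

    assets: {name: set of tags}; allow_rules: (src, dst) pairs meaning
    "src can reach dst's management or authentication plane".
    """
    graph = {}
    for src, dst in allow_rules:
        graph.setdefault(src, []).append(dst)
    tier0 = {name for name, tags in assets.items() if "tier0" in tags}
    findings = []
    for start in sorted(n for n, tags in assets.items() if "internet" in tags):
        parent = {start: None}          # breadth-first search from the exposed asset
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in graph.get(node, []):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        for target in sorted(tier0.intersection(parent)):
            if target == start:
                continue
            path, cur = [], target
            while cur is not None:      # walk parents back to the exposed asset
                path.append(cur)
                cur = parent[cur]
            findings.append(path[::-1])
    return findings

# Constructed inventory: one perimeter appliance, one domain controller.
ASSETS = {"vpn-gw": {"internet"}, "file-srv": set(),
          "jump-host": set(), "dc01": {"tier0"}}

# Flat network: the perimeter appliance talks to the domain controller directly.
FLAT = [("vpn-gw", "dc01"), ("vpn-gw", "file-srv"), ("file-srv", "dc01")]
# Direct rule removed, but an indirect path through a member server remains.
HOPPED = [("vpn-gw", "file-srv"), ("file-srv", "dc01")]
# Segmented: only the jump host reaches dc01, and nothing exposed reaches the jump host.
SEGMENTED = [("vpn-gw", "file-srv"), ("jump-host", "dc01")]

if __name__ == "__main__":
    for label, rules in (("flat", FLAT), ("hopped", HOPPED), ("segmented", SEGMENTED)):
        paths = exposure_paths(ASSETS, rules)
        print(label, [" -> ".join(p) for p in paths] or "no path to tier-0")
```

Any non-empty result means a zero-day on the exposed asset translates into a route to tier-0, whichever CVE is used.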
Side note: We are closing in on year four of the AI hype cycle where journalists and tech publications continue to publish near word-for-word copies of PR entries from GenAI companies. With most other posts on Mythos predicting "the end of cybersecurity employment" or "zero days on everything"... I have to wonder if anyone has been paying attention to the last few years of failed promises. We're falling for the hype yet again.

