Integrity360’s Richard Ford discusses the relief brought by Anthropic’s AI model for advanced cybersecurity, and how cyber teams can prepare for that technology.
In the time since Anthropic first unveiled Claude Mythos in April, talk about an AI model for cybersecurity has been relentless.
Anthropic’s claims that Mythos has seemingly advanced capabilities in detecting and exploiting software security vulnerabilities have caused an uproar in public and private sectors around the world – including in Ireland.
“The issue is not that Anthropic created this. The issue is that Anthropic has shown that this is possible,” said Richard Browne, director of the National Cyber Security Centre, when he spoke to the Oireachtas Joint Committee on Artificial Intelligence shortly after the Mythos disclosure.
The Mythos has not been released to the general public yet, although Anthropic was giving access to many companies, banks and authorities – that is, before the recent US government order caused the company to ban the model from all its users.
But while institutions and governments fear the capabilities of this new AI model, Integrity360 CTO Richard Ford says the Mythos should be approached with “measured consideration rather than talk”.
“Based on the information available so far, the model seems capable of being a standalone attack tool, but there is no clear evidence that it significantly outperforms the major language models that exist in this area,” he told SiliconRepublic.com.
“The most important point is how it can be used. In the hands of threatening actors, Mythos doesn’t need to be flexible to be dangerous.
“It will still be very effective when targeting organizations with weak security postures, especially those that do not have strong access controls, policing and visibility across their environments.”
Hype and distraction
Ford says much of what drives the hype and concern surrounding the Mythos comes from self-reported results, which have limited independent verification.
This makes it difficult to distinguish real technological progress from fiction, he says.
“There is a valid question whether power is overdone or just presented without enough context.
“Early claims of high-risk findings sound significant, but without external measurement or reproducibility, it is difficult to assess how meaningful the findings are in practice.”
Ford added that given Anthropic’s previous difficulties with the US government, skeptics could reasonably ask whether the Mythos announcement was “in part about shaping opinion and demonstrating competence”.
But what if the complexity called the Mythos is as important as the Anthropic claims?
“If the claims are true, there’s a clear view that models like Mythos could start to disrupt areas like bug bounty programs and the broader hacking market,” Ford said. “The concern is not that human researchers will become obsolete overnight, but that AI can dramatically accelerate risk discovery, shifting the balance in terms of speed, scale and cost.
“We are already seeing early signs of this trend. AI-driven platforms are becoming more effective in competitive CTF environments, where rapid analysis, pattern recognition and automation provide a clear advantage.
“That raises questions about how the bug bounty ecosystem evolves, especially if AI can identify problems faster than human researchers or process components.”
How can organizations prepare?
While Mythos hasn’t been fully released to the public yet — and is currently disabled as of last week — Ford has advice for cybersecurity teams about the eventual widespread availability of AI models like Mythos.
“Cybersecurity teams should treat models like Mythos as an acceleration of existing threats rather than entirely new,” he says. “The key is to get the basics right, because AI will exploit weaknesses faster, not differently.
“Strong identity controls, consistent patching and complete visibility of assets are still essential. Organizations without these foundations will be the easiest targets for AI-assisted attacks. In short, the better your foundations are, the stronger you will be as AI-driven threats become more common.”
Ford says organizations should avoid reacting to the Mythos with panic, but should take its impact seriously.
“The way forward is clear: AI is focused on both offense and defense,” he says.
He believes that any organization that does not build AI-driven cyber defenses will fall behind and “walk right through the attackers”.
“That doesn’t mean chasing the hype, but it means investing in capabilities that improve speed, scale and decision-making across discovery and response,” he explains.
“At the same time, this only works if the basics are in place. The organizations that will succeed will be those that put together smart basic controls, allowing them to keep pace as the threat landscape continues to accelerate.”
The unveiling of Mythos arguably rocked the boat regarding AI and its place in cybersecurity.
But while many are concerned about the impact of Mythos’ ability to be exploited online, Ford believes the most important long-term effect of such AI technology will be a “structural change” in how quickly and cheaply cyberattacks can be carried out – rather than a single success.
“If models like Mythos mature as suggested, they will compress the time between identifying an exposure and implementing it,” he says. “Tasks that once required skilled researchers and time investments, such as retesting, vulnerability discovery, and early exploitation, will be automated and scaled.
“That changes the economics of cyberattacks, allowing threat actors to operate at higher volumes and with greater success. It all depends on whether the Mythos is really hype or real money.”
Don’t miss out on the information you need to succeed. Sign up for Daily BriefSilicon Republic’s digest of must-know sci-tech news.
