Enterprise security teams were urged by security experts at Infosecurity Europe to brace for impact as both Anthrophic and OpenAI expand access to their frontier AI models for vulnerability discovery.
Anthropic, in particular, is significantly expanding Project Glasswing, its scheme to provide select organizations with access to Claude Mythos, an AI-powered vulnerability discovery tool that many industry observers and practitioners believe signals a structural shift for cybersecurity.
After initially granting access to around 50 organizations in April, Anthropic is now adding roughly 150 more vetted partners to its program.
In a parallel development, OpenAI reportedly has offered nine major UK banks access to its cybersecurity AI tool, GPT-5.5 Cyber.
Prepare for the son of Mythos
Speaking at Infosecurity Europe, Gunter Ollmann, CTO at penetration testing and security services firm Cobalt, said frontier AI models from Google and two from China are not far behind in their capabilities.
“Security teams should prepare for the son of Mythos,” said Ollmann. “These frontier AI tools are still restricted in their access, but they are only going to get cheaper as we go along.”
Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), backed up this assessment by citing estimates that China was eight months behind. Misuse of frontier AI models represents a threat while also offering defenders the opportunity to push additional costs onto adversaries, Chichester told Infosec Europe delegates.
“Organisations can use AI to write better code and look for vulnerabilities,” said Chichester, who added that frontier AI tools have the potential to democratise security assessments and penetration testing.
Organisations should improve cybersecurity by hardening access controls and running incident response exercises, Chichester advised.
Daniel Wilcock, threat intelligence analyst at managed security services firm Talion, warned that organisations that fail to explore advanced AI risk falling behind those that are using the technology to accelerate vulnerability discovery and security operations.
“Advanced AI platforms are already being used by malicious threat actors, and all organisations must be prepared for this,” Wilcock warned.
Exploit chains
Ollmann told CSO that AI is far from replacing security experts such as penetration testers.
“The combination of AI-driven analysis and human expertise is proving far more effective than either operating alone,” Ollmann said. “The organizations that benefit most from these advances will be the ones that can rapidly validate, prioritize, and remediate the issues being discovered before attackers find them first.”
Ollmann added: “Mythos appears to be operating with a level of software access and analysis flexibility that most commercial security researchers and testing platforms don’t typically have, including the ability to examine code and behaviours that may otherwise be restricted by licensing or terms of service. That creates a unique opportunity to identify classes of vulnerabilities that conventional testing approaches often miss.”
For example, Mythos makes it easier to chain together several medium severity vulnerabilities to create a high impact risk.
The topic of AI flaw-chaining was also central to a panel on Mythos at the recent CSO Cybersecurity Awards and Conference in the US.
“When we’re doing threat modeling, we have some sense that these are the known vulnerabilities that we are modeling against and here’s where we think we are weak, and that kind of goes away with chaining multiple vulnerabilities,” Jim Reavis, CEO and co-founder of Cloud Security Alliance (CSA) told attendees. “CVSS scoring, it seems like that’s not super relevant anymore.”
Jon Yeoh, chief scientific officer at CSA, agreed, touching on the “son of Mythos” threat as well.
“It’s not just about Anthropic. It’s about what these next-generation AI will be doing,” he said. “This is a major step change in what AI can do.”
No Responses