Anthropic's new AI-driven code security tool, Mythos, is currently limited to finding known classes of vulnerabilities rather than discovering entirely new security flaws, according to a report by theregister.com.
The tool, part of Anthropic's Project Glasswing, was recently tested on Firefox software. While the system flagged 271 vulnerabilities, the outlet reported that none of these flaws were ones that human experts had not already identified.
Critics suggest the tool's name may be misleading. While Anthropic may have intended for 'Mythos' to imply god-like security powers, the report notes the name could also refer to a 'set of beliefs of obscure origin which are incompatible with reality.'
Currently, Mythos functions as an automation of human expertise rather than a replacement for it. It excels at identifying vulnerability classes that humans have already documented, but it struggles with zero-day threats or unknown architectural weaknesses.
The evolution of automated vulnerability hunting
Despite its current limitations, the report views the rollout as a preview of a future where automated tools become generally available. The technology is expected to evolve, eventually making new code significantly more secure before it even reaches deployment.
Industry observers compare the current state of AI security to the early days of the jet age. During that era, aircraft suffered from structural faults that were eventually resolved through improved engineering and regulatory oversight. The report suggests that as tools like Mythos improve, code can be made 'truly excellent before release.'
However, the transition period poses risks. The report warns that deploying 'roaming packs of implacable vuln-hunting robots' into a software environment still running on 'pre-industrial' security standards could lead to messy consequences.
Security experts note that even if software bugs are eliminated, other vectors like supply chain exploits and human error will remain. The report concludes that while Mythos cannot yet solve the security crisis, the trajectory points toward a future where computers handle the repetitive work of bug hunting, leaving humans to manage complex design and operation.
