Anthropic is rolling out a preview of its new Mythos model only to a handpicked group of tech and cybersecurity companies over concerns about its ability to find and exploit security flaws, the company said Tuesday.
Why it matters: Anthropic is so worried about the damage Mythos could cause that it's refusing to release it publicly until there are safeguards to control its most dangerous capabilities.
- OpenAI is finalizing a model similar to Mythos that it will release only to a small set of companies through its existing "Trusted Access for Cyber" program, according to a source familiar.
Threat level: Mythos Preview is "extremely autonomous" and has sophisticated reasoning capabilities that give it the skills of an advanced security researcher, Logan Graham, head of Anthropic's frontier red team, told Axios.
- Mythos Preview can find "tens of thousands of vulnerabilities" that even the most advanced bug hunter would struggle to find. Unlike past models, it can also write the exploits to go with them.
- Opus 4.6, the last model Anthropic released to the public, found about 500 zero-days in open-source software — a fraction of Mythos Preview's output.
Zoom in: In testing, Mythos Preview found bugs in "every major operating system and web browser," according to a blog post, including some that are believed to be decades old and weren't detected by repeated human-run security tests.
- Mythos Preview successfully reproduced vulnerabilities and created proof-of-concepts to exploit them on the first attempt in 83.1% of cases.
- Mythos Preview found several flaws in the Linux kernel, which is found in most of the world's servers, and autonomously chained them together in a way that would let a hacker take complete control of any machine running Linux systems.
- In another test, Mythos Preview found a 27-year-old vulnerability in OpenBSD, an open-source operating system, that would allow hackers to remotely crash any machine running it. OpenBSD is widely considered one of the most security-hardened open-source projects and is found in several firewalls, routers and high-security servers.
Yes, but: It's only a matter of months — as soon as six months or as far out as 18 — until other AI companies release models with powers similar to the Mythos Preview, Graham said.
- "It's very clear to us that we need to talk publicly about this," Graham said. "The security industry needs to understand that these capabilities may come soon."
- OpenAI and other tech giants are already working on models with similar capabilities, Axios has reported.
- "More powerful models are going to come from us and from others, and so we do need a plan to respond to this," Anthropic CEO Dario Amodei said in a video released alongside the news.
Driving the news: Anthropic is opting to roll out Mythos Preview to more than 40 organizations that will use the model to scan and secure their own code and open-source systems.
- Eleven of those companies — Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks — are participating in a new initiative called Project Glasswing.
- Those companies will use Mythos Preview as part of their defensive security work, and Anthropic will share takeaways from what the initiative finds.
- Anthropic is providing up to $100 million in usage credits to the companies testing Mythos Preview, and $4 million to open-source security organizations, including OpenSSF, Alpha-Omega and the Apache Software Foundation.
Flashback: AI models have already given malicious hackers a boost in their attacks.
- China has used Anthropic's models to automate a spying campaign targeting 30 organizations.
- Cybercriminals have been using models to write scripts and automate ransomware negotiations.
The intrigue: Anthropic has also been briefing the Cybersecurity and Infrastructure Security Agency, the Commerce Department and " a broader array of actors" on the potential risks and benefits of Mythos Preview, a company official told Axios.
- "There's an opportunity here to give a shot in the arm to defense and to keep pace with this long-standing trend where offense exploitation had an advantage," the official said.
- The official wouldn't say if the company has briefed the Pentagon, with which Anthropic has been feuding for months.
- Spokespeople for CISA and the Commerce Department didn't immediately respond to requests for comment.
Reality check: Mythos was widely hyped after Axios and others reported on its frightening capabilities, but Graham noted that the company never formally planned to make this version generally available.
- Anthropic was previously testing the model's capabilities internally, while also rolling it out to an even smaller group.
- "The feedback was overwhelmingly clear to us," Graham said. "We then decided to launch it this way."
What we're watching: Anthropic said in a blog post that the company's goal is to one day "enable our users to safely deploy Mythos-class models at scale," including for general use cases beyond cybersecurity.
- The company is planning new safeguards that will be available on its less-powerful Opus models, "allowing us to improve and refine them with a model that does not pose the same level of risk as Mythos Preview."
Go deeper: The Big One: The cyberattack scenarios that keep officials up at night
Update: This story was updated with the news of a model similar to mythos.