AI developer Anthropic says its newest Claude artificial intelligence model is so good at finding cybersecurity vulnerabilities that it’s not releasable to the public. The company is instead providing the tool to big tech infrastructure providers so they can patch the flaws it finds.
In late March, word began to leak that Anthropic’s latest AI model, dubbed Claude Mythos (PDF), was going to be a leap forward for the company’s AI technology. Now, the company has previewed its capabilities and warned that Mythos represents a major cybersecurity threat, as its capabilities represent a leap forward in finding and exploiting online security vulnerabilities.
“AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities,” the company said in a blog post Tuesday. Anthropic said Mythos Preview, which has not been released to the public, has already found what it says are thousands of severe security vulnerabilities “in every major operating system and web browser.” Asked for comment, a representative for Anthropic directed CNET to the company’s blog post.
To address the cybersecurity risks, Anthropic said it’s launching a consortium called Project Glasswing that includes Apple, Amazon Web Services, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks. Anthropic said those organizations and more than 40 others will have access to Mythos in order to start the work of shoring up defenses against AI attacks and exploits. It’s committing $100 million in usage credits for Mythos and $4 million in donations to open-source security organizations.
“The dangers of getting this wrong are obvious, but if we get it right, there is a real opportunity to create a fundamentally more secure internet and world than we had before the advent of AI-powered cyber capabilities,” Anthropic CEO Dario Amodei posted on X.
In a video posted to YouTube about Project Glasswing, leaders from companies including Microsoft, the Linux Foundation and Anthropic discussed the damage that software vulnerabilities can cause.
Large cloud computing companies have already been working with the new model to find vulnerabilities. “What we have found has been illuminating,” Anthony Grieco, chief security and trust officer at Cisco, wrote in a blog post. “Now the real work begins. AI-powered analysis uncovers data at a scale and depth that legacy frameworks were not designed to accommodate.”
Amazon Web Services said the model has already found ways to strengthen code even in its most well-tested systems. Amy Herzog, vice president and chief information security officer at AWS, called Claude Mythos Preview a “step-change in reasoning and AI capabilities for cybersecurity.”
How significant is this new model?
The phenomenon of AI being able to discover, and potentially exploit software vulnerabilities, is not new — the DARPA Cyber Grand Challenge has seen several instances of AI drawing attention in this area, said Michal Salát, threat intelligence director for Norton, the antivirus provider.
But now AI tech that could be available to anyone has some of those capabilities. “Anthropic’s Project Glasswing is focused on safeguarding this powerful technology, which can transform vulnerability research but also pose a serious risk if misused for malicious purposes,” Salát said in an email. “While it represents a major step forward from current top models such as Opus 4.6, the underlying capability already exists today, and vulnerability research is rapidly emerging as one of the primary, real-world use cases for AI in cybersecurity.”
National policymakers, who have been going back and forth on the need for federal AI regulation, will likely watch the consortium’s progress closely.
Sen. Mark Warner praised the initiative in a statement. “I applaud these leading companies for recognizing this threat and proactively sharing information, capabilities and computing capacity to better protect our critical infrastructure,” the Virginia Democrat said. “As AI dramatically accelerates the discovery of new vulnerabilities, I hope industry will correspondingly accelerate and reprioritize patching.”
Warner, whose state is a hotbed of AI data centers, recently called a proposed moratorium on data center construction “idiocy,” but has also warned about the risks to society posed by rapid AI development leading to massive job losses.
Read the full article here