After a Potential Mythos Breach, Why Do Developers Use Such Powerful AI Models?


AI firm Anthropic is investigating a potential breach of its new model, Mythos. But developers say that developing such powerful AI technology is necessary to prevent future — and potentially more dangerous — cyberattacks. (Samuel Boivin/NurPhoto via Getty Images)

Artificial intelligence is making life easier for some — and a lot harder for others. San Francisco-based AI firm Anthropic — which also developed the chatbot Claude — earlier this month released Mythos, a powerful model developers claim can identify and exploit “vulnerabilities in every major operating system and every major web browser when directed by a user to do so.”

Anthropic has only given a few companies — among them JPMorgan Chase, cybersecurity giant CrowdStrike and fellow AI developers Google and Amazon — access to Mythos as part of what it’s calling “Project Glasswing.” The goal of this partnership, Anthropic said, is to use Mythos to prevent hackers (who are using their own powerful AI models) from targeting the weak spots in the software that helps these massive corporations run.

But despite the high level of secrecy surrounding its model, Anthropic confirmed to KQED on Thursday that it is currently investigating a report of “unauthorized access” to Mythos through one of the third-party vendors helping develop the software. The company has not found any evidence yet that Anthropic systems have been affected or that the reported activity extends beyond the third-party vendor environment.

Even before this latest incident, multiple cybersecurity experts and global leaders raised concerns about the power of Mythos and the potential consequences if this software fell into the wrong hands.

Earlier this week, KQED’s Forum spoke with Alex Stamos, computer science lecturer at Stanford University and chief product officer for San Francisco-based AI firm Corridor, to understand why developers still move forward with creating such powerful technology despite the potential risks.

Keep reading for the takeaways from his conversation with KQED’s Mina Kim, including insights on how folks who are not software engineers can sift through all the buzz surrounding this quickly evolving technology.

This conversation has been edited for length and clarity.

Mina Kim: What is Mythos capable of?

Alex Stamos: Mythos is a model that Anthropic has not released publicly. They’ve provided it to a very small number of large companies to use privately, as well as to some very important open-source projects to use.

Anthropic believes Mythos marks a large-scale change from the AI capabilities that have existed in the past. They’ve now been able to find thousands of vulnerabilities instead of just dozens or hundreds.

What we’ve seen in the past is that these things are really good at finding bugs, and they’re much faster than humans. But now Mythos is even better than the best human security consultants and security engineers.

The Anthropic website and the company’s logo are displayed on a computer screen in New York on Feb. 26, 2026. (Patrick Sison/AP Photo)

You’re describing an incredible tool to find bugs, holes and issues that we have not seen before so that we can defend against them. So why is it scaring people so much?

It’s scaring people because the first step in attacking a system is finding flaws in that system. In the cybersecurity world, we use a term called the kill chain. This is a term we borrowed from the military.

When the military uses it, it refers to discovering an asset, doing reconnaissance, and figuring out how to deliver a weapon on a target.

In the cyber world, the kill chain involves reconnaissance, finding a flaw in a system used by a target, weaponizing that flaw, delivering the exploit, establishing command and control of the system, exploring the network, moving through it, and then doing whatever you want — whether that’s stealing data, shutting down a system, or encrypting it for ransom.

Major AI companies, like Anthropic and OpenAI, have released threat reports — building on earlier efforts from companies like Facebook and Google — that show how people use these platforms for malicious activity.

Those reports show that advanced threat actors are using AI to automate other parts of the attack process, like exploring networks, breaking in and establishing control channels.

What we’re seeing is attackers taking tasks that used to require human effort — and therefore had limits — and using AI to make them faster and cheaper.

And I imagine that our ability to patch or defend against these activities pales in comparison, or am I wrong? Do the patches exist, and are they easy to implement?

This is where AI can help. AI can find flaws, and it can also write patches. That’s the good news. That’s why Anthropic is providing Mythos to companies and open-source maintainers — not just to find bugs, but to fix them.

What we’re trying to do as an industry right now is fix vulnerabilities before adversaries can exploit them. There’s a race underway. The most advanced models — what we call foundation models, like those from Anthropic, OpenAI and Google — are currently ahead of open-weight models, many of which are developed by Chinese companies.

A listener writes: ‘Anthropic is releasing their models as a warning, but there’s no federal or state guidelines on this. Are we close to government regulatory action at all?’

The current administration came down on Anthropic because they thought they were too ethical … Of the major AI labs, I think Anthropic is the one with the most deep-seated ethical frameworks. I think we’re fortunate that they have the models that are the best at bug-finding, and they’re setting a good standard here.

Do you know the extent to which the federal government is also using Mythos to search for and patch its own security vulnerabilities?

My understanding is that U.S. Cyber Command has been testing Mythos. Now the fascinating question is: How is the U.S. government going to use it?

In the National Security Agency, after the Snowden disclosures, there is the creation of this thing called the Vulnerabilities Equities Process, which is the process by which NSA and U.S. Cyber Command — which have both a defensive responsibility and an offensive responsibility — are supposed to think about if we know of a bug, do we use it against America’s enemies, or do we get it fixed to defend America?

Left: Anthropic co-founder and CEO Dario Amodei speaks at INBOUND 2025 on Sept. 4, 2025, in San Francisco, California. Right: Defense Secretary Pete Hegseth listens during a Pentagon briefing on April 8, 2026, in Arlington, Virginia. (Chance Yeh/Getty Images for HubSpot; Andrew Harnik/Getty Images)

Are they only gonna use Mythos to find bugs to be used against America’s enemies, or are they going to use it for defensive purposes? And what is Anthropic’s response going to be?

Will Anthropic put restrictions so you can only use Mythos for defensive purposes — or will they allow Mythos to be used for offensive purposes?

Can they even control that once they let them have access to it?

I don’t know. I don’t think so. For the most part, my understanding is Anthropic’s models that the NSA is using and Cyber Command are probably running in Amazon Bedrock … what’s called Amazon’s top secret cloud, which means that Anthropic’s employees — at least those without top secret clearance — will not have access to any of the logs there.

A listener writes: ‘If Anthropic lacks capacity to handle Mythos right now, why release it at all? If they want big companies to evaluate it, why publicize it? Seems fishy.’

I don’t think it’s fishy. This is a normal part of any release process: you have a small set of testers. They’re also improving it by doing this. Anthropic gets feedback on this.

These people find bugs. They also find false positives. If Mythos finds a bug and JPMorgan Chase says, ‘This isn’t a real bug,’ then that goes back into the training set for the next build of Mythos. Anthropic, I think, truly believes they’re doing the right thing here by getting these bugs fixed.

There’s really no going back once this tool is out there, right? But I can hear people asking, why even build these tools in the first place? Why are they even free to do this in the first place if they’re so dangerous and can create such havoc? Is it just inevitable?

We’re getting philosophical. This is the core conflict at the heart of Anthropic, but also other AI companies’ reason for existence … Part of the argument here is it’s just math. Once these ideas were released, it was inevitable people would have this progress.

It’s not like the atomic bomb, where you have to have uranium and a huge industrial base. This just requires laptops and graphics cards. Other countries, other people, other companies will be doing it.

If you believe that you can build an ethical framework to do it well, then you believe that you should do it first and do it correctly. In this case, you could try to mitigate the harm by finding all these bugs and getting them fixed or fixing the software first before other people do it and actually do it harmfully.

A listener writes: ‘You’re talking about cyberattacks on a large scale with large companies or countries. But what about me? Should I be worried about people hacking into my personal computer or phone or something?’ What can we do?

About Mythos, nothing. That’s not something that individual people should be dealing with. The way normal people are hacked in 2026 is the same way normal people were hacked in 2016, 2006 and maybe even 1996. The number one way normal people are hacked is they use the same password in every single website all day.

Get a password manager and put all your passwords in there. Have it generate random passwords and then have one really good password, and then you can write it down. I know people say don’t write down passwords, but that’s really stupid because nobody can steal the password in your pocket from Russia. If it’s in your wallet or your purse, they can’t reach from five thousand miles away and take it out of your wallet or purse. Nobody mugs you for your password.

What are we likely to see in the next couple of years with these models rolling out? What should we be prepared for in this sort of initial period?

Our product road map at Corridor is three months long right now. Because if you plan beyond three months, everything has changed in our industry. For the first time ever, technology is building technology. From a security perspective, a lot depends on which of two futures we’re living in.

In the optimistic future, the bug curve flattens out. The superhuman capabilities end up not inventing entirely new classes of vulnerabilities. At least the types of bugs are the kinds we’ve seen before. There’s a finite number of them, and we’re just draining the swamp.

The pessimistic future is that these new things invent things that I don’t know exist. The hard part is, I can’t really guess because I am predicting superhuman capabilities here. For superhuman models that are gonna be invented by the models that exist right now. In the pessimistic view, we are going to have to work with AI to rebuild the systems that our lives rely upon, using memory-safe and type-safe languages, using formal models.
