Anthropic Claude Mythos Suggests Vulnerability Management Will Soon ‘Break’: Forrester
‘If true — and we have little reason to doubt the veracity of the claims — this will break the vulnerability management playbook,’ Forrester analysts write.
Following claims by Anthropic and its collaborators on a new software security initiative announced this week, it’s clear that AI could soon totally upend existing vulnerability management practices, according to Forrester analysts.
“If true — and we have little reason to doubt the veracity of the claims — this will break the vulnerability management playbook and perhaps the cybersecurity approaches of today,” wrote Forrester analysts including Senior Analyst Erik Nost in a blog post.
Anthropic disclosed this week that the preview version of its Claude Mythos frontier model indicates that “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.”
In response, Anthropic has launched a new initiative, “Project Glasswing,” focused on combating software vulnerabilities with involvement from a number of major industry players.
Cybersecurity vendors taking part in the initiative include CrowdStrike and Palo Alto Networks, which have released statements supporting Anthropic’s claims about the proficiency of Claude Mythos for vulnerability discovery.
In a statement included in Anthropic’s blog post, for instance, CrowdStrike CTO Elia Zaitsev said that “the window between a vulnerability being discovered and being exploited by an adversary has collapsed.” Already at this stage, “what once took months now happens in minutes with AI,” Zaitsev said in the statement.
And while Claude Mythos Preview “demonstrates what is now possible for defenders at scale,” it also means threat actors will inevitably seek to exploit these capabilities as well, he said.
The disclosure by Anthropic is a signal that organizations will likely soon be forced to “drastically rethink their approaches to vulnerability management and patching,” wrote Nost and other Forrester analysts in the post.
That will mean “moving from today’s often-glacial pace to something much, much faster,” the analysts wrote.
The arrival of AI models that can discover software bugs this rapidly may also force an overhaul of the current CVE (Common Vulnerabilities and Exposures) disclosure process and impact difficult-to-patch legacy IT systems in a major way, according to the Forrester analysts.
Ultimately, in the very near future, a “30-day waiting period for patching won’t be acceptable in an environment where attackers can go from discovery to exploit in minutes,” the analysts wrote.
In addition to CrowdStrike and Palo Alto Networks, Project Glasswing will also include participation from AWS, Apple, Broadcom, Cisco, Google, JPMorganChase, the Linux Foundation, Microsoft and Nvidia.
The industry collaborators on the initiative will be able to utilize the preview version of Mythos “as part of their defensive security work,” Anthropic said in its post.
“Project Glasswing partners will receive access to Claude Mythos Preview to find and fix vulnerabilities or weaknesses in their foundational systems—systems that represent a very large portion of the world’s shared cyberattack surface,” Anthropic said.
Palo Alto Networks CEO Nikesh Arora wrote in a LinkedIn post that “by prioritizing defensive access to these powerful capabilities, Anthropic is helping us ensure that while intelligence is being weaponized, the defenders are the ones with the superior stack.”
In other words, “AI becomes the defender,” Arora wrote.