Nathaniel Whittemore
Podcast Appearances
During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so.
By the way, for those of you who don't know the term, a zero-day vulnerability is a security flaw that is unknown to the vendor or software creator for which no patch is available.
The term zero-day refers to the fact that developers have zero days to fix the issue because malicious actors can already exploit it before the creator becomes aware.
Going back to the cybersecurity blog post, they continue, the vulnerabilities it finds are often subtle or difficult to detect.
So three key examples demonstrated the performance.
First, Mythos found a 27-year-old vulnerability in OpenBSD, which is widely regarded as the most security-hardened operating system available, often used to run firewalls and critical infrastructure.
The vulnerability allowed any user to remotely crash any system running the operating system by connecting to it.
In another example, Mythos discovered a 16-year-old exploit in FFmpeg, a common video encoding library.
The exploit simply crashes the system and isn't a critical vulnerability, but this is a library that has been scanned for decades with no one uncovering the bug with traditional methods.
A third example had Mythos stringing together multiple exploits in the Linux kernel to gain full access to a system from an ordinary user account.
This is a completely new level of hacking ability for an AI system.
Anthropic notes, We did not explicitly train Mythos Preview to have those capabilities.
Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy.
The same improvements that made the model substantially more effective at patching vulnerabilities also made it substantially more effective at exploiting them.
Now, taking this a step further, identifying zero-day vulnerabilities is a huge indicator of model performance because, by definition, unknown vulnerabilities can't be included in the training data.
On a more sinister note, Anthropic wrote,
Non-experts can also leverage Mythos Preview to find and exploit sophisticated vulnerabilities.
Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight and woken up the following morning to a complete working exploit.
In other cases, we've had researchers develop scaffolds that allow Mythos Preview to turn vulnerabilities into exploits without any human intervention.
And these are the reasons that Anthropic is not releasing Mythos to the general public.