
Intel agencies: Frontier AI models will reshape cybersecurity faster than expected

By: djohnson
22 June 2026 at 11:25

Intelligence agencies for the United States, Canada, UK, Australia and New Zealand are warning that advanced AI models capable of wreaking havoc in the cyber domain are “months away” from being publicly available.

In a joint statement, the Five Eyes alliance says it expects the kind of advanced hacking capabilities provided by frontier models like Anthropic’s Fable 5 and OpenAI’s Daybreak to become broadly available to the public within the year, despite efforts by AI companies to withhold them or restrict their access.

“Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities,” the agencies said. “The timeline is not years, it is months.”

The statement, which included signatures from NSA’s Director of the Cybersecurity Directorate David Imbordino and acting CISA Director Nick Andersen, does not specifically cite secret or classified sources or methods to reach this conclusion.

But much of the underlying justification provided by the intelligence agencies also aligns with what public cybersecurity and AI experts have been warning about for months.

AI models capable of exploiting cybersecurity weaknesses are already available today through multiple channels: older commercial models, open-source versions, or foreign and black-market sources. And while newer models like Mythos are reportedly significantly more powerful for cybersecurity-related tasks, the breakneck pace of frontier model development often means that yesterday’s restricted frontier AI is tomorrow’s free, open-source AI.

Representative Andrew Garbarino, R-N.Y., Chair of the House Homeland Security Committee, said the warning from intelligence agencies “underscores what the Committee has repeatedly heard through roundtables, briefings, and hearings with industry leaders: China is just months, if not now weeks, away from achieving frontier AI capabilities comparable to those of the United States.”

“This threat reinforces the urgency of ensuring that federal agencies and critical infrastructure operators can responsibly leverage advanced U.S. models, and receive the guidance and support necessary to do so, to find vulnerabilities before adversaries can exploit them,” said Garbarino in a statement.

The agencies flag legacy systems, sluggish patching loops, unnecessary internet connectivity, weak identity and access controls, and a lack of pre-incident planning by organizations as key weaknesses that AI will excel at exploiting.

“The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years,” the agencies wrote. “We must act before and be prepared to adapt and withstand evolving threats.”

Since large language models burst onto the scene, open-source models have run about 6-8 months behind the largest frontier AI companies.

To give an idea of how quickly the field develops: the capabilities described in the Amazon threat intelligence report that convinced the Trump administration to place export controls on Fable 5 could already be accomplished through older models like Claude Opus and Claude Sonnet, as well as open-source Chinese models.

Anthropic shut down access to their Fable 5 and Mythos 5 models as a result, and despite releasing a statement that they believe the White House decision was a “misunderstanding” the dispute remains resolved.

Programs like Anthropic’s Project Glasswing and OpenAI’s Trusted Access for Cyber Program provide AI systems to organizations for cyberdefense.  The goal is to give defenders a head start in finding and fixing vulnerabilities before AI systems can exploit them routinely in the coming years.

However, for all the fear surrounding the new technology, the recommended guidance is largely the same as it has been for decades. Governments, businesses and leaders must stop treating the digital security of their work as an afterthought or compliance issue.

“Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy,” the agencies wrote. “Those that do not will face growing operational and strategic disadvantage.”

06/23/2026: This story was updated to include comment from Rep. Andrew Garbarino, R-N.Y.

The post Intel agencies: Frontier AI models will reshape cybersecurity faster than expected appeared first on CyberScoop.

Lawmakers leery about Trump administration’s Anthropic order

16 June 2026 at 17:03

Members of Congress responded with skepticism and caution Tuesday to the Trump administration’s decision to impose export controls on Anthropic’s newest AI models.

The Friday order, which Anthropic said forced it to disable its Fable 5 and Mythos 5 artificial intelligence models, was prompted by what the administration said were national security concerns that a large number of cybersecurity professionals have dismissed as ill-founded.

Several Hill Democrats told CyberScoop they were concerned that the administration’s decision was driven by other considerations. Notably, the administration has feuded with Anthropic over use of its models for domestic surveillance and fully autonomous weapons.

Sen. Angus King, a Maine independent who caucuses with Democrats, said he would need to be convinced it was a legitimate national security order and hadn’t yet seen a full justification.

“What they did was pretty extreme, and I’d want to see what the basis was, as opposed to all the other issues that are swirling around in cybersecurity,” he said. “I’m a little skeptical because of their otherwise announced antipathy to this company.”

Leaders of the House Homeland Security Committee had contrasting takes, with Chairman Andrew Garbarino, R-N.Y., offering a two-pronged response and the top Democrat on the panel, Bennie Thompson of Mississippi, panning the order.

“The administration is right to treat advanced AI cyber capabilities as a national security issue, especially when foreign adversaries and cybercriminals are actively looking for ways to weaponize these tools,” Garbarino said in a statement. “At the same time, we need to make sure our response does not unintentionally disadvantage American companies, allied partners, or critical infrastructure defenders who need access to the best secure tools available in order to protect our networks here at home.”

The United States, not China, needs to set standards for trusted AI, Garbarino said.

But Thompson said in a statement to CyberScoop that the order adds evidence to the appearance that the Trump administration doesn’t “have a coherent plan for mitigating the cybersecurity risks” of frontier AI models.

“AI regulations should rely on standards and procedures that provide confidence to the public that decisions are based on the evidence and not on politics,” he said. “Instead, the Trump administration has adopted an ad hoc approach where decisions are made by political appointees in the White House rather than experts and where companies are left guessing on how to comply.”

Virginia Sen. Mark Warner, the top Democrat on the Intelligence Committee, had also previously highlighted the administration’s quarrel with Anthropic in response to the order in a statement to CyberScoop.

Behind the scenes, the administration and Anthropic were reportedly continuing to try to forge a truce Tuesday. More broadly, the administration’s AI executive order had a rocky rollout as the administration swung back-and-forth on how involved the government should be.

Some lawmakers deferred on commenting Tuesday, such as Senate Homeland Security Committee Chairman Rand Paul, R-Ky., who told CyberScoop he didn’t have anything to say on the order.

Others said they were still seeking information from the administration.

“I have not had the opportunity to get a brief specifically as to the logic, the reasoning behind it, and so forth,” said Sen. Mike Rounds, the South Dakota Republican who chairs the Armed Services Subcommittee on Cybersecurity. “So I’m going to withhold judgment until I get an opportunity to get the rest of the story, so to speak.”

The post Lawmakers leery about Trump administration’s Anthropic order appeared first on CyberScoop.

AI’s constant patching treadmill can be a security problem

By: djohnson
16 June 2026 at 16:32

While Washington D.C. frets over the potential impact of Anthropic’s Claude Fable 5, security researchers continue to track how the integration of frontier AI tools is transforming the digital security landscape for malicious hackers and defenders alike.

The breakneck speed of model releases may be creating short, silent security gaps for developers who must choose between performance and security, according to a new report.

Researchers at Backslash Security pored through update logs for Claude Code, Anthropic’s flagship coding model, finding the company was patching dozens of newly discovered security vulnerabilities in the program between April and early June 2026.

The logs revealed the details of more than 30 security-relevant patches implemented over that timeframe, but Anthropic did not publicize them. Instead, Backslash Security researchers found them by reviewing update logs for every new version of a Claude Code release in the last two months, noting the security-relevant fixes and tracing each one back to the version and date it shipped.

The patches included fixes for data poisoning, prompt injection and arbitrary code execution vulnerabilities. One allowed core safeguards, put in place to prevent Claude Code from accepting catastrophic deletion commands such as erasing an entire codebase, to be bypassed by adding a single backslash to the command. Another leaked user OAuth credentials, while a third allowed an AI agent to plant a backdoor in shell startup files.

There is nothing inherently odd about this: most companies regularly update and patch their software, and anyone who had auto-updates turned on would automatically be switched to the newest, secure version of Claude Code.

But Yossi Pik, co-founder and chief technology officer at Backslash Security, told CyberScoop that the research concluded “the way AI agents are released is different than previous software.”

“We debated internally, because when I originally said I wanted to write about this, I was told ‘Okay, every company has the [same] issue, then they patch and fix,’” he said. “This is the nature of software, but I think that what makes this unique is the cadence and frequency of the releases.”

AI companies keep a ferocious pace when updating their models. Claude Code’s changelog indicates there have been 16 different versions through the first half of June, while OpenAI’s Codex was updated 6 times.

Because model updates often bring short-term performance and stability issues, software developers typically wait a week or more before upgrading to a new version.

These time gaps create small windows of vulnerability and force developers to choose between security and performance. The report identifies several reasons why developers don’t automatically update their AI models: companies may rely on internal vetting or release schedules, or operate in regulated or air-gapped environments where model versions are frozen, and some need to maintain long-running sessions or use manual installations.

Pik said some IT and security teams have also told him they prefer not to install any new version of an AI model without letting it run on other environments first.

“You don’t have that much flexibility, either I go to the latest and I’m getting a less stable version [of the model] or I’m waiting for a few days or a week until I can install it, and hope that nothing would happen during this time,” said Pik.

The Backslash report is not intended as a dig at the security rigor of Anthropic, noting the company tends to “patch fast and document more than anyone” and has addressed every issue and vulnerability identified in the report.

Rather, it’s to highlight the series of mostly silent and persistent security exposures that an organization faces when adopting AI into their workflow.

Other software programs and technology products face similar tradeoffs through different updates, but most of the vulnerabilities detailed in the change log – such as getting an agent to leak data or accept malicious prompts – are unique to large language models and AI systems.

That means integrating AI tools can bring new security problems to an organization, both from outsiders who can poison or influence the model and insiders who can maliciously or accidentally direct the model to access or leak systems, data and identities.

For most Claude Code users, this process runs automatically in the background. Yet Pik points out that just as AI is transforming work itself, it’s also changing how we need to approach software security and updates.

“It should not be compared to [Microsoft] Office that is installed and gets patched once in a while,” he said. “It’s a completely different beast that keeps evolving, and we don’t want to limit it…I think that it’s great for everyone. We just need to make sure that we do it in a secure way, and every organization should understand what that means for them.”

The post AI’s constant patching treadmill can be a security problem appeared first on CyberScoop.

Anthropic disables new models after government calls them a national security concern

By: Greg Otto
13 June 2026 at 14:29

The U.S. government on Friday ordered Anthropic to immediately suspend foreign access to Fable 5 and Mythos 5, its two most advanced artificial intelligence models, citing national security concerns tied to a reported method of bypassing the models’ safety restrictions. 

The directive, issued late Friday afternoon by Secretary of Commerce Howard Lutnick in a letter to Anthropic Chief Executive Dario Amodei, placed the two models under export controls that prohibit use by foreign nationals, whether inside or outside the United States. 

Because of the scope of the restrictions, which includes foreign-born Anthropic employees, the company announced Friday evening that it disabled the models to ensure compliance. Access to the company’s other AI models was not affected. 

Fable 5 and Mythos 5 had been released earlier this week, with Anthropic describing them as the most capable systems it had ever deployed. Mythos was available to members of Project Glasswing, which allowed selected cybersecurity companies to use the model to identify and address security flaws.

It’s unclear how the Commerce Department action affects Project Glasswing. Anthropic did not respond to a request for comment.

The Commerce Department’s letter did not detail the specific national security concern. In its blog post Friday night, the company said its understanding is that the government became aware of a technique for “jailbreaking” Fable 5, a term for methods that circumvent a model’s built-in safety guardrails. According to Anthropic, the government provided only verbal evidence of what it described as a “narrow, non-universal jailbreak,” which essentially involved prompting the model to read a specific codebase and identify software flaws.

Anthropic disputed the severity of the finding. The company said it reviewed a report it believes formed the basis of the government’s directive and found that the capabilities demonstrated were already available in other publicly accessible models, including OpenAI’s GPT-5.5. The company said those same capabilities are used routinely by cybersecurity professionals for defensive purposes. 

Katie Moussouris, chief executive of the cybersecurity firm Luta Security, posted on BlueSky Saturday that the issue stems from “Defense Oriented Prompting,” a security-first method of engineering AI system instructions that treats natural language as code.

Other reports claimed that Amazon was responsible for flagging the security issues in the model. The company did not respond to CyberScoop’s request for comment. 

Anthropic acknowledged in its statement that perfect jailbreak resistance is not achievable for any model provider, and said it had designed Fable 5 around a “defense in depth” strategy, combining narrow jailbreak resistance with active monitoring. The company said no testers had found a universal jailbreak capable of broadly bypassing the model’s safeguards. 

“We disagree that the finding of a narrow potential jailbreak should be cause for recalling a commercial model deployed to hundreds of millions of people,” Anthropic wrote. “If this standard was applied across the industry, we believe it would essentially halt all new model deployments for all frontier model providers.”

Friday’s directive is the latest episode in a prolonged dispute between Anthropic and the Trump administration. In February, President Donald Trump moved to bar Anthropic’s products from federal agencies after the company sought stronger restrictions on how the Pentagon used its technology.

Despite that, as Anthropic released Mythos under Project Glasswing, the National Security Agency was given Mythos 5 to conduct offensive cyber operations. Earlier this month, Trump signed an executive order directing federal agencies to bolster cyber defenses and establish a voluntary mechanism for the government to gain early access to powerful AI models before deployment. 

The administration’s stated rationale for Friday’s action drew widespread skepticism from researchers and analysts. Dean Ball, a senior fellow at the Foundation for American Innovation, called the move “baffling.” Chris McGuire, a senior fellow at the Council on Foreign Relations, said targeted export controls on model access could be a legitimate policy tool, but called the across-the-board restriction “highly questionable” and the deemed export provisions — which restrict foreign nationals inside the U.S. — “just absurd.” 

The broader implications for the AI industry remain uncertain. Aaron Levie, chief executive of Box, described the directive as “a big turning point for AI regulation,” arguing that the government’s willingness to deem specific models too powerful for certain uses establishes a precedent with potentially far-reaching consequences.

Other tech leaders in the government supported the action. 

“We fully support @POTUS and @SecWar in prioritizing national security and the security of our warfighters, DIB partners, critical infrastructure, international partners and allies,” DOD CIO Kirsten Davies wrote in a social post on X. “Some things are simply more important than revenue cycles, clickbait, and pre-IPO valuation. America First. Always.”

Anthropic said it believes the situation stems from a misunderstanding and is working to restore access as soon as possible.

The post Anthropic disables new models after government calls them a national security concern appeared first on CyberScoop.

Anthropic Disputes Fable 5 AI Jailbreak

12 June 2026 at 04:43

An AI hacker claims to have achieved a prompt-based jailbreak shortly after Fable 5’s launch, but Anthropic says it’s not a real jailbreak.

The post Anthropic Disputes Fable 5 AI Jailbreak appeared first on SecurityWeek.

Anthropic’s new model is Mythos on a leash

By: djohnson
9 June 2026 at 13:00

Earlier this year, Anthropic executives said that their new AI model, Claude Mythos, had such powerful capabilities for harm that they would not release it publicly.

On Tuesday, the company said it was making an altered version of Mythos available to the public, promising “new guardrails” that thwart the model’s best-in-class performance in hacking and bioweapons research.

Anthropic said Claude Fable 5 was the “same underlying model” as Mythos, but its responses for certain topics like cybersecurity and biology will be drawn from a previous Claude Opus model that is already public.

“Releasing a model this capable comes with risks. Without safeguards, Fable 5’s capabilities in areas like cybersecurity could be misused to cause serious damage,” the company said in a draft blog sent to CyberScoop ahead of the announcement. “We’ve therefore launched the model with safeguards that route queries on a narrow set of topics to our next-most-capable model, Claude Opus 4.8.”

Anthropic also said they subjected Fable 5 to both internal and external red team testing for common model vulnerabilities, like jailbreaking. Anthropic said these tests identified no known “universal” jailbreaking techniques, but did not specify if partial jailbreaking techniques were discovered.

The company is betting that won’t change when Fable 5 is made available to the broader public, but it’s worth noting that cybersecurity researchers have consistently found ways to jailbreak older AI models.

“The uplift from Mythos-level capabilities is valuable to many adversaries—for instance, those who could financially gain from cyberattacks—and we therefore expect them to be motivated to try to circumvent our safety measures,” the company wrote.

Anthropic is changing its data retention policies for Fable and Mythos models, keeping all user traffic for 30 days on both its own platforms and third-party services. A White House executive order creates a voluntary framework for AI companies to share frontier models with the government up to 30 days before public release. The company says the retained data won’t be used to train new Claude models or for “any non-safety-related-purpose.”

Following publication, a spokesperson for Anthropic told CyberScoop the company’s data retention policies “are specific to their safeguards work and is unrelated to the EO.”

Most organizations are still deciding whether to adopt AI into their IT and cybersecurity ecosystem.  But models like Mythos can scan for vulnerabilities, chain together exploits, and steal data from a victim network in minutes. Automation in hacking existed before AI, but experts have said frontier models like Mythos and OpenAI’s Daybreak can allow even low-level cybercriminals to wreak havoc.

While Anthropic cited its commitment to developing safe and secure AI in its reasons for not publicly releasing Mythos, many organizations have been clamoring for access, and its enhanced functions in cybersecurity and other areas have been the subject of congressional hearings, national security papers and White House executive orders.

Releasing a limited version of the model in Fable 5 represents an attempt to split the difference between those two desires. Anthropic said it would release follow-up benchmarks and assets for the model.

So what can Fable 5 do? 

Anthropic said it’s possible the restrictions built into Fable will make it harder for the model to fulfill both malicious and legitimate user requests.

“Because we have prioritized safety, we’ve deliberately tuned the safeguards to be cautious, and they are still stricter than would be ideal—for example, sometimes benign requests will trigger our classifiers,” the company wrote. “We recognize that this will be frustrating to some users, and our aim is to reduce false positives as we update and refine the safeguards after launch.”

If Fable 5 draws its cybersecurity and biology answers entirely from Claude Opus 4.8, it will still provide users with impressive – though not unique – dual-use cybersecurity capabilities.

According to the system card published for Opus 4.8, the model is a slight improvement on previous models like 4.7 in the realm of cybersecurity but was “generally much less capable than Mythos Preview.”

Opus 4.8 was tested on its ability to write complete end-to-end exploits and build exploit primitives that provide attackers with the ability to execute arbitrary code. It averaged a score of just 5 out of 16 in proficiency, compared to Mythos Preview which scored closer to 10.

Without safety guardrails in place, Opus 4.8 can still reproduce nearly 80% of previously discovered vulnerabilities in real open-source software projects when given a high-level description of the weakness. The system card said Anthropic’s unspecified safeguards whittle this success rate down to 1%.

Another test assessing Opus’ ability to develop exploits for the popular Firefox browser found that, again without guardrails, the model could identify a full working exploit 8.8% of the time and a partial working exploit 68.8% of the time.

The company also said that members of Project Glasswing – a consortium of public and private businesses given access to a preview version of Mythos – will be able to upgrade to the latest full model, Claude Mythos 5, to continue their work. Access to Mythos 5 will be expanded over time “through a more systematic trusted-access program” including federal agencies.

The post Anthropic’s new model is Mythos on a leash appeared first on CyberScoop.

The AI security race needs accountability, not overregulation

By: Greg Otto
8 June 2026 at 06:00

AI models such as Anthropic’s Claude Mythos and OpenAI’s Daybreak represent a fundamental inflection point in security. These advances are not only reshaping technology but also redefining trust, risk, and the relationship between humans and intelligent systems. As innovation accelerates, AI governance and responsible deployment are becoming strategic priorities for every organization.

Historically, governments have played a stabilizing role during moments of transformational technological change. Yet the pace and scale of the AI era demand a new model, one built on partnership rather than control, balancing societal responsibility with the need to sustain innovation and global competitiveness.

The White House’s executive order on AI governance signals that collaboration between the industry and policymakers will increasingly shape the future landscape. Proposed frameworks that promote transparency and responsible development point toward a more coordinated approach to risk management.

Effective governance of AI models should balance clear safeguards with the speed of innovation, aligning organizations, policy makers, and technology leaders around a shared goal: advancing AI in ways that strengthen trust, security, and long-term value. The path forward is not defined by heavy-handed oversight, but by building an ecosystem of accountability.

Three key points substantiate this approach.

First, the industry should recognize Anthropic’s release of Mythos as an example of responsible innovation. Company leaders recognized the model’s risks and deliberately delayed broader deployment, allowing early testing to surface vulnerabilities before widespread adoption.

The broader lesson extends beyond a single model release. Responsible leadership means prioritizing decisions that build trust and enable sustained innovation. As AI capabilities accelerate, the organizations that lead most successfully will be those that weave accountability through their ambitious pursuits, rather than treating them as competing priorities.

Second, innovation rarely thrives under rigid frameworks. History has shown that many compliance regimes, while well-intentioned, incentivize organizations to optimize for requirements rather than outcomes. Security is strengthened through systems designed for resilience and trust, which goes beyond mere compliance.

Third, slowing U.S.-based AI innovation risks weakening long-term competitiveness. The U.S. remains a leader in AI, but maintaining that position will require balancing responsible safeguards with continued investment and progress. Overly restrictive approaches risk slowing domestic advancement while other nations continue accelerating development and capability.

An effective AI governance approach would encourage further responsible AI model development, as demonstrated by Anthropic. It would avoid direct government regulation and instead enforce accountability for companies that are irresponsible with AI development.

Hopefully, the partnership and collaboration between government entities and industry will continue beyond the White House order. Policymakers and industry leaders should create incentives that reward AI vendors for considering societal implications before releasing new solutions. This framework would highlight responsible providers as models for the industry while imposing meaningful consequences based on demonstrated societal harm that directly affects business and technology decisions.

AI models such as Mythos and Daybreak underscore a broader reality: the future of AI will be shaped by the trust around innovation, not merely by its development pace. The next era of AI leadership will require a new model of collaboration between industry and policymakers that maintains the speed and adaptability that innovation demands while establishing meaningful accountability for real-world outcomes.

The objective should be to guide progress responsibly. The organizations and nations that lead in the AI era will be those that demonstrate how innovation and accountability work together to strengthen trust, security, and long-term value creation.

Art Gilliland is CEO of Delinea, a cybersecurity company focused on human, machine and AI identity protection.

The post The AI security race needs accountability, not overregulation appeared first on CyberScoop.

Your AI agent could become your biggest insider threat 

By: djohnson
4 June 2026 at 14:06

Government agencies, cybersecurity companies and threat researchers are pouring resources into studying how fast-developing AI tools can be wielded by malicious actors to hack into victim organizations.

But as agentic AI becomes more embedded in business infrastructure, there’s also a high possibility that a breach could be caused by an insider guiding the tool, whether maliciously or due to lack of security controls.

In research shared exclusively with CyberScoop, DTEX researchers detail how a common workflow in Anthropic’s Claude Cowork used in corporate environments offers convenience for AI agent deployment but grants near-total access to the system.

Claude Cowork includes tools that let users remotely control their agents. One particular tool, known as Dispatch, relays commands from a user’s phone to their desktop Claude agent. It also includes a plugin for communicating with Salesforce AI agents that access and transfer data.

DTEX researchers tested two scenarios. The first prompted Claude to summarize information from Salesforce and paste it into a draft Outlook email. The second tasked the agent with archiving selected files and transferring them via the Cowork app.

In both cases, researchers used simple, single-turn prompts and spent between 10 and 30 minutes preparing to exfiltrate the data.

Alex Desmond, director of insider threat intelligence and innovation at DTEX, told CyberScoop that both improvements in frontier models and deeper integration of AI tools into IT network operations have reduced the time defenders have to react to a breach.

“In cyberattacks, you talk about the kind of execution time of adversaries coming in and dropping ransomware, we’re now seeing the kill chain drop to 30 and 10 minutes depending on what they’re doing,” Desmond said. “Six months ago, that was a couple of hours.”

But that speed, when paired with direct access to business networks or cloud services, can also create an insider threat nightmare for organizations that must monitor for both malicious actors and potential mistakes from legitimate employees using the technology.

Over the past few years, western IT and cybersecurity businesses have been inundated with job applicants secretly working on behalf of the North Korean government. Their salaries are used to evade international sanctions and fund Pyongyang’s nuclear program, but it also positions the individuals to access or steal sensitive data or assets from these companies. 

“You’ve got a nation-state actor getting into an environment legitimately,” Desmond said. “Now if you gave them access to AI tools on top of that…you’re like ‘here’s the keys to everything and here’s this awesome tool that’s just going to make your job – stealing our data – easier.’”

Tests by DTEX confirmed that the agents indeed had access to sensitive systems, applications and data – including the ability to download SharePoint corporate data, production documentation in OneDrive, access to Outlook email, Salesforce data (and all the data it can access), and any other files on the user’s endpoint device. For each of these applications, Claude Cowork has a dedicated plugin or API to share externally if prompted.  

To be clear, DTEX’s research does not involve exploiting a software bug or configuration vulnerability, and it doesn’t come with a CVE. It’s more of an IT governance and visibility problem. Businesses are racing to integrate AI tools into their workflow and pushing employees to use the technology while failing to put in place the kind of security controls, access policies and monitoring required to spot problems.

For instance, it may not be possible to determine how a data breach or leakage involving an AI agent actually occurred if an organization is not logging and auditing its prompts – or whether the incident was the result of an agent running amok or responding to potentially malicious instructions.

While network and cloud monitoring can identify when data is being accessed or downloaded from SharePoint, that may not be a strong enough signal to stand out for defenders.

“If a user’s normal workflow is to pull sensitive files down to work locally all the time, you don’t have endpoint monitoring and you introduce an AI agent, it then just has access to all that data” along with the ability to exfiltrate it, Desmond said.

The post Your AI agent could become your biggest insider threat appeared first on CyberScoop.

Inside the race to adapt to an AI-powered security world

By: Greg Otto
4 June 2026 at 10:42

Troy West was in Warsaw when his dinner was interrupted by his phone. But he was happy about it.

West, associate director of cybersecurity for autonomous offensive security company XBOW, had just learned that a trial version of the company’s platform had found a vulnerability that led to a full takedown of a development environment used by Moderna, the pharmaceutical company primarily known for its work related to mRNA vaccines.

It was, by most measures, exactly the kind of outcome a security team dreads. But for West and Farzan Karimi, Moderna’s deputy CISO, it was something closer to a proof of concept. XBOW’s product had done in hours what a human penetration tester could not — and it had done so with a level of persistence and creativity that neither of them had fully anticipated.

The episode is one data point in a much larger shift now rippling through the cybersecurity industry: The artificial intelligence models discovering vulnerabilities are moving faster than the teams that have to patch them.

Across recent conversations and presentations, industry experts said the tools are getting sharper, the attack surface is getting larger, and the gap between finding a problem and fixing it is not closing fast enough. For now, most organizations are caught between the speed of discovery and the slowness of remediation, with vendors across the industry rushing to position their products as the way through.

A shift in scale 

The inflection point came with Claude Mythos. When Anthropic announced the highly guarded model, security executives at major enterprise technology companies took notice in a way they had not with prior frontier releases. 

Zscaler was among the early organizations given access to the model, and CEO Jay Chaudhry told CyberScoop that he directed his team to use it to probe the company’s own applications.

“Are we finding some serious stuff? Yes, indeed,” Chaudhry told CyberScoop at Gartner’s Security & Risk Management Summit. He was careful to note that the findings were not necessarily more severe than those produced by other models. The issue, he said, was volume. 

“There aren’t enough resources and cycles to fix all those,” he said. 

The reason Mythos changed the calculus, according to Tom Gillis, general manager for infrastructure and security products at Cisco, comes down to code complexity. Legacy network infrastructure was built on tens of millions of lines of code developed over decades, and earlier AI models lacked the context window and reasoning capacity to comprehend it in full.

“The models couldn’t understand the entirety of it before,” he told CyberScoop. “Now they can. That’s why they’re finding all these vulnerabilities.”

The problem runs deeper than application code. Firewalls and network switches often run for decades without updates or reboots, and many have never been patched in any meaningful way. The combination of aging infrastructure and newly capable AI models has created what Gillis described as a meaningful and accelerating shift in attacker capability that the industry’s existing operational rhythms were not built to absorb.

An opportunity in existing technology 

Cisco’s answer to the oncoming vulnerability deluge is a technology it calls Live Protect, a compensating control built on eBPF, a Linux feature that lets security software operate at the kernel level to block threats without rewriting system code.

“It’s a pinpoint, laser-fine control that can shield a vulnerability on a production system,” Gillis said. “We’re not touching or modifying the binaries of that production system.”

The intent is to shrink the window between discovering a vulnerability and the next scheduled patch, allowing IT teams to fix issues without taking systems offline.

“This is a finger in the dike that plugs a hole until you get to new change control windows,” he said, acknowledging that some customers may be tempted to treat the shields as a permanent solution. 

The product has been shipping since October, but customer urgency shifted noticeably after Mythos. “Customers are like, ‘Oh, good story, Tom. I’ll think about it.’ Now it’s like, ‘Oh my God, turn this thing on right now.’”

He also noted that eBPF is open source, and said he expects the broader industry to follow. 

“While I’m very proud of Cisco leading the market with these compensated controls, I know my competitors have to do this.”

The bot that broke everything 

But shielding vulnerabilities only works if you know they exist. Karimi, the Moderna deputy CISO, faced a different problem: His vulnerability management system was surfacing hundreds of high-severity findings with no reliable way to know which ones an attacker could actually exploit. His team had skilled red-teamers, but they were finite resources. What he needed was something that could test continuously, everywhere.

“We have some very senior red-teamers and pen-testers in our organization that are pointed in a specific direction,” Karimi said during a presentation at the Gartner summit. “XBOW is covering different attack stories for us.”

West, who leads offensive security for XBOW, describes the platform as a response to a structural problem in how offensive security has traditionally worked. Human testers scope an engagement, run it, write a report, and move on. The window between tests is where risk accumulates.

“Historically you have exploit developers spending time finding the right vulnerabilities, writing the exploits, finding if those exploits are reachable, and then finding a way to chain them all together,” West said. “That takes a long time.”

Given the realities, Karimi decided to put XBOW through a trial, which produced two notable findings.

In the first, XBOW identified a web application firewall bypass on a company application built on the Spring Boot framework. The bypass involved encoding a single character (a capital “A”) as its percent-encoded URL equivalent (%41), which the WAF interpreted as a legitimate request, allowing the bot unfettered access.

The second finding, which was the cause for West’s dinner interruption, was more consequential. West had provided XBOW with access to the source code of an internal application called Orders, used by Moderna’s research partners to procure drug substances, but no login credentials. The platform identified a valid API key embedded in the source code, used it to authenticate, and then began probing the application’s APIs for SQL injection vulnerabilities.

What happened next was not entirely planned. One of those APIs handled a malformed SQL injection attempt in an unexpected way, dumping garbage data into a shared routing application that other services depended on.

“Not only was it able to kick that Orders app I showed you, but it somehow kicked over the entire ecosystem of apps,” West said.

Human pen-testers who reviewed the findings afterward confirmed they were valid, and said they would not have found them on their own. Karimi said despite the outage, his team recognized the value immediately.

“If we’re able to demonstrate where you could have an outage in a safe testing environment, that’s a great signal,” he said.

The broader value, Karimi argued, is in forcing prioritization when bugs are discovered. “If you have exploit proofs, you can provide that plus-one modifier and really point your developers to remediate the top tier of real risk that’s been validated.”

But he does worry about the volume of bugs that will be surfaced by these tools. 

“How do we now handle the volume of bugs that have gone up due to AI-driven scale?” he said. “That’s a whole other problem space.”

A broader reckoning

Across these conversations, a consistent theme was that even as defenders try to get their arms around the forthcoming wave of bugs, it’s going to be a tremendously uphill battle. That mirrors what some of the industry’s top leaders have been saying for months.

It also mirrors what the model developers themselves have consistently been warning about. In its announcement about expanding access to Mythos, Anthropic admitted the timeline for a publicly available tool similar to its cybersecurity-focused model is shortening, and there are no guarantees it will be released with safeguards. 

“In that world, cyberattacks could occur much more often, and in much more unpredictable forms,” the blog post reads.

Gillis was blunter about what happens to organizations that don’t move. 

“Some people will be slow to change,” he said. “But the consequence of not making that change is gonna be front-page news. It’s a massive, massive compromise. You know, like, ‘you gave up every credit card number.’ Bummer.”

The post Inside the race to adapt to an AI-powered security world appeared first on CyberScoop.

Anthropic expanding access to Project Glasswing

By: Greg Otto
2 June 2026 at 10:14

Anthropic is broadening access to its Project Glasswing program, adding approximately 150 organizations in 15 countries, the company announced Tuesday, as its restricted Claude Mythos Preview model has already surfaced more than 10,000 high- or critical-severity software vulnerabilities since the program launched in early April.

The expansion follows an initial cohort of roughly 50 partners that were announced when Anthropic first unveiled the initiative. Those members included technology companies such as Amazon Web Services, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, among others.  

According to the announcement, the new group covers sectors that were underrepresented in the first wave, including power, water, healthcare, communications, and hardware. Many of the new partners are vendors whose codebases underpin critical infrastructure systems.

The company did not give any further details on which companies or organizations were part of the new cohort. Sources tell CyberScoop that Netskope and Rubrik, which specialize in cloud security and data management, are part of the group given access in this latest round.

The scale of what Mythos Preview has already found is drawing attention across the security industry. Cloudflare identified 2,000 bugs across its critical-path systems, including 400 rated high or critical, with a false-positive rate the company described as better than that of human testers. Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing the model, more than 10 times the number found in a previous Firefox version using an earlier Anthropic model. Several other partners reported that their rates of bug discovery increased more than tenfold after deploying the model. 

Anthropic also used Mythos to scan more than 1,000 open-source projects, flagging 23,019 potential vulnerabilities, 6,202 of them estimated as high or critical. Of 1,752 high- or critical-rated findings independently reviewed, over 90% were confirmed as valid. 

The findings have shifted what Anthropic describes as the central issue in cybersecurity. Despite the enhanced ability to discover flaws, the company admits there are challenges with verifying, disclosing, and patching them before attackers can take advantage.

“The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them,” the company said in its blog post.

That bottleneck has broader implications. A joint report from the Cloud Security Alliance, the SANS Institute, and OWASP concluded that organizations are “likely to be overwhelmed” in the near term by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them.

Anthropic has said it will not release Mythos-class models to the general public, citing the absence of safeguards sufficient to prevent serious misuse. In the interim, it has released Claude Security, a product using its publicly available Claude Opus 4.8 model that has been used to patch more than 2,100 vulnerabilities in three weeks. 

The program’s expansion comes as the Trump administration signed a scaled-back executive order on AI security. The order, which was signed hours after Anthropic’s announcement, sets up a voluntary framework requiring AI developers to submit advanced models to a government review up to 30 days before public release.

The post Anthropic expanding access to Project Glasswing appeared first on CyberScoop.

Anthropic Expanding Mythos Access to 150 New Organizations

2 June 2026 at 09:58

Only approximately 50 companies have had access to Mythos until now and they have found thousands of vulnerabilities in their products.

The post Anthropic Expanding Mythos Access to 150 New Organizations appeared first on SecurityWeek.

Bot-powered attacks will evade many antivirus programs

1 June 2026 at 03:45
ISSUE 23.22 • 2026-06-01
PUBLIC DEFENDER
By Brian Livingston

Waves of state-sponsored malware attacks are expected to overwhelm traditional antivirus software as early as July 2026. By then, hacker teams will surely gain access to powerful large language models (LLMs) such as Anthropic’s Mythos Preview and OpenAI’s GPT-5.4-Cyber. In April 2026, Anthropic and OpenAI announced […]

Anthropic: Mythos finds more than 10,000 software flaws in first month

By: Greg Otto
26 May 2026 at 11:15

Anthropic said its month-old Project Glasswing initiative has uncovered more than 10,000 high- or critical-severity software vulnerabilities across systemically important code, a finding the company says has shifted the central problem in cybersecurity from discovering flaws to verifying and patching them.

The findings, drawn from partner reports and independent evaluations, mark one of the first large-scale accountings of what a frontier AI model can do when pointed at widely used code, and of the bottlenecks that emerge once it does.

Several partners reported that their rates of bug discovery had increased more than tenfold. Cloudflare identified 2,000 bugs across its critical-path systems, including 400 rated high or critical, with a false-positive rate the company said it considered better than that of human testers. At one unnamed partner bank, the model was credited with helping detect and prevent a fraudulent $1.5 million wire transfer initiated after a customer’s email account was compromised and followed up with spoofed phone calls.

External evaluations cited in the update tracked with the results Anthropic released. The United Kingdom’s AI Security Institute found that Mythos Preview was the first model to solve both of its cyber ranges — simulations of multistep cyberattacks — from end to end. Mozilla said it found and fixed 271 vulnerabilities in Firefox 150 while testing the model, more than 10 times the number found in Firefox 148 using an earlier Anthropic model. AI-powered security platform XBOW called the model a significant step up over existing systems on its web exploit benchmark.

Anthropic also used Mythos to scan more than 1,000 open-source projects. The model has flagged 23,019 potential vulnerabilities, 6,202 of them estimated as high or critical. Of 1,752 high- or critical-rated findings reviewed by six independent security research firms or by Anthropic itself, over 90% were confirmed as valid, and over 62% were confirmed to be high or critical.

The company did note that while the model is good at finding vulnerabilities, there is still a gap in having people fix every issue.

“The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them,” the report states. 

Open-source maintainers have also been contending with a wave of low-quality, AI-generated bug reports, and Anthropic said it tries to reproduce and assess each issue before reporting it. At maintainers’ request, it has sometimes disclosed bugs without further vetting, reporting 1,129 such cases, of which the model estimated 175 to be high or critical.

Anthropic said it has not released Mythos-class models publicly because no company, including itself, has developed safeguards to prevent serious misuse. In the interim, it has released Claude Security in public beta for enterprise customers, which it said has been used to patch more than 2,100 vulnerabilities in three weeks using the publicly available Claude Opus 4.7, and has begun a Cyber Verification Program for security professionals.

The company said it plans to expand Project Glasswing with additional partners, including U.S. and allied governments, before any broader release of the underlying model.

“Glasswing helps the most systemically important cyber defenders gain an asymmetric advantage. However, there is an urgent need for as many organizations as possible to shore up their cyber defenses,” the report states. “We hope that our generally available models, and the new tools, resources, and research we’re providing to accompany them, will support those organizations to improve their cybersecurity posture.”

The post Anthropic: Mythos finds more than 10,000 software flaws in first month appeared first on CyberScoop.

AI might cut false positives, but it won’t stop the slop 

By: djohnson
18 May 2026 at 16:45

As defenders get their hands on newer AI models with more powerful cybersecurity capabilities like Anthropic’s Mythos and OpenAI’s Daybreak, organizations are being told to prepare for a flood of new vulnerability reports.

But for bug bounty programs across the nation, that day may already be here, as yesterday’s frontier models and today’s open-source AI tools have dramatically increased the volume of bug reports flowing into companies around their own products or on larger bounty platforms online.

GitHub, one of the world’s largest online code repositories, said it is tightening its definition of a “complete” bug report after a significant increase in AI-assisted submissions over the past year.

Although the influx has had some benefits, many reports are submitted without proof of concept, are reliant on unrealistic attack scenarios or cover issues already listed as ineligible. As a result, the company is having difficulty separating signal from noise.

“This isn’t unique to GitHub,” wrote Jarom Brown, senior product security engineer at GitHub. “Programs across the industry are grappling with the same challenge, and some have shut down entirely.”

Brown said GitHub does not want to ban the use of AI-generated reports entirely, calling AI a “force multiplier” for security in the right context. But in a world where it’s never been easier to use AI to generate theoretical bugs, the company wants researchers to go the extra mile to confirm that their discoveries can actually be exploited in real-world conditions.

“What we need is the same standard we’ve always expected: validation,” Brown wrote. “An AI-assisted finding that’s been verified, reproduced, and submitted with a working proof of concept is a great submission. An unvalidated output submitted as-is without reproduction or demonstrated impact is not.”

Grant Bourzikas, chief security officer at Cloudflare, said triaging bugs and proving they can be exploited has always been one of the hardest parts of vulnerability research, and AI vulnerability scanners and code have “made it worse.”

For instance, code written in the C and C++ programming languages is vulnerable to a range of exploits – like buffer overflows and out-of-bounds reading and writing – that don’t exist in memory-safe languages like Rust. AI tools scanning software written in memory-unsafe programming languages are far more likely to generate false positives.

But one of the biggest flaws continues to be that AI tools are also designed to give the user what they’re asking for, even when it’s not there. This leads to the generation of bug reports filled with speculation and qualifiers around exploitability that require human follow up.

“That’s a reasonable bias for an exploratory tool,” Bourzikas wrote. “It’s a ruinous one for a triage queue, where every speculative finding spends human attention and tokens to dismiss, and that cost compounds across thousands of findings.”

Cloudflare recently shared results from testing Mythos on 50 of its own code repositories, looking for exploits. Bourzikas called Mythos “a different kind of tool doing a different kind of work” from other frontier models, and said it made significant progress in reducing false positives.

For example, he pointed to two Mythos capabilities that stood out compared to other models: chaining exploits together and generating its own proof-of-concept code to confirm exploitability.

Older models could spot many of the same bugs, but they often couldn’t figure out how to exploit them effectively, or show that the issue could be exploited in real world conditions.

Others have argued that the gap in bug-hunting capabilities between newer frontier AI models and older ones, or the open-source models available today, is not as large as advertised.

Swedish software developer Daniel Stenberg, lead developer for curl, an open source file transfer tool used around the world, recently wrote about his experience with Mythos Preview. Like others, he has also seen a higher volume of AI-fueled bug reports over the past year, but said the flood of low-quality reports has tapered off significantly since March as models have improved.

Curl is mature and polished by the standards of most software: Stenberg estimates each line of code has been rewritten or altered at least four times, and he said he has used both human and AI tools in the past to implement hundreds of bug fixes over Curl’s existence.

That makes it a unique testing ground for the enhanced capabilities of Mythos, which was reportedly so powerful at finding vulnerabilities that Anthropic opted not to release it to the general public.

After gaining access to Mythos, Stenberg received the results of a scan of 178,000 lines of curl code. Ultimately, the scan flagged five “confirmed” vulnerabilities. Further exploration by human researchers found that 4 of the bugs were false positives or had no security impact. The one remaining bug Mythos found? A low-severity flaw that will be fixed in a regular June update.

Even as he praised the impact of AI on cybersecurity generally, Stenberg concluded that for all the hype, Mythos is only “a bit better” than previously released models.

“My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,” he wrote. “I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

The post AI might cut false positives, but it won’t stop the slop appeared first on CyberScoop.
