ANTHROPIC PUB_DATE: 2026.04.15

Frontier AI crosses into practical offensive capability; vendors move to lock down access and channel it to defense

Independent tests and a new industry initiative signal that frontier models can autonomously hack real targets, and vendors are gating access to use them for defense.

Anthropic’s Project Glasswing gives vetted partners access to its unreleased Claude Mythos preview to find high‑severity bugs at scale, claiming thousands found across major OSes and browsers. The program includes $100M in model credits and support for open‑source security orgs.

A UK evaluation summarized by WebProNews reports that Mythos models autonomously solved 26 of 78 real CTF-style challenges, nearly doubling prior Claude performance, which indicates meaningful rather than toy capability. Commentary from Simon Willison frames this as a token-economics race: spend more tokens, find more bugs, which makes shared investment in OSS security analysis pay off.

OpenAI appears to be countering with a fine-tuned GPT-5.4-Cyber model and a “Trusted Access for Cyber” identity-verified flow, though according to the linked write-up it still requires extra application steps.

[ WHY_IT_MATTERS ]
01.

AI can now find real bugs and, at least in CTF settings, chain them into working exploits with less human guidance, shifting the bottleneck in security from scarce talent to compute budgets and access controls.

02.

Defenders can productize this capability today, but so can attackers; governance, gating, and cost-aware workflows become first-class concerns.

[ WHAT_TO_TEST ]
  • 01.

    Pilot AI-assisted vuln discovery on one high-value service and its top OSS dependencies via Glasswing or OpenAI Trusted Access; for every reported finding record whether it was a true positive, the analyst time taken to validate it, and the token cost, so you can report cost per confirmed finding rather than raw finding counts.

  • 02.

    Run a scaling study: double the token budget per target and measure the marginal confirmed bugs each doubling adds (including the extra triage time it costs), then set a spend cap at the last doubling that still paid off.
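
The two tests above reduce to the same bookkeeping, so here is an added example (not code from Anthropic, OpenAI, or the page) that does it end to end: it takes one run per token budget, computes precision and cost per confirmed true positive, then walks the doublings to find the marginal cost of each extra true positive and the budget at which that cost crosses a threshold. The runs, the USD 15 per million tokens price, and the USD 150 analyst hourly rate are constructed assumptions; replace them with your own pilot data.

```python
"""Scaling study for AI-assisted vulnerability discovery.

Added example, not code from Anthropic, OpenAI, or the page. Inputs are
constructed: one run per token budget against the same target set, with
a human-confirmed true-positive count and the analyst hours spent triaging.
Assumed prices: USD 15 per million tokens, USD 150 per analyst hour.
"""
from dataclasses import dataclass

PRICE_PER_MTOK = 15.0      # assumed blended token price, USD per million tokens
ANALYST_RATE_USD = 150.0   # assumed loaded cost of one hour of triage


@dataclass(frozen=True)
class Run:
    tokens: int              # tokens spent against the target set
    reported: int            # findings the model reported
    true_positives: int      # findings a human confirmed as real
    validation_hours: float  # analyst time to triage everything reported


def token_cost_usd(run: Run) -> float:
    return run.tokens / 1_000_000 * PRICE_PER_MTOK


def total_cost_usd(run: Run) -> float:
    """Model spend plus the human validation time the findings consumed."""
    return token_cost_usd(run) + run.validation_hours * ANALYST_RATE_USD


def precision(run: Run) -> float:
    return run.true_positives / run.reported if run.reported else 0.0


def cost_per_true_positive(run: Run) -> float:
    return total_cost_usd(run) / run.true_positives if run.true_positives else float("inf")


def marginal_yield(runs):
    """Per doubling step: (extra tokens, extra true positives, USD per extra TP).

    Token spend alone looks cheap; the marginal cost here includes the extra
    triage hours, which is what actually grows as the model's precision drops.
    """
    runs = sorted(runs, key=lambda r: r.tokens)
    steps = []
    for prev, cur in zip(runs, runs[1:]):
        d_tokens = cur.tokens - prev.tokens
        d_tp = cur.true_positives - prev.true_positives
        d_cost = total_cost_usd(cur) - total_cost_usd(prev)
        steps.append((d_tokens, d_tp, d_cost / d_tp if d_tp > 0 else float("inf")))
    return steps


def spend_cap(runs, max_usd_per_extra_tp: float) -> int:
    """Largest token budget at which every doubling so far still paid off.

    Walk the doublings in order and stop at the first step whose marginal
    cost per additional true positive exceeds the threshold.
    """
    runs = sorted(runs, key=lambda r: r.tokens)
    cap = runs[0].tokens
    for (_, _, usd_per_tp), cur in zip(marginal_yield(runs), runs[1:]):
        if usd_per_tp > max_usd_per_extra_tp:
            break
        cap = cur.tokens
    return cap


# Constructed data: each run doubles the budget of the previous one.
CONSTRUCTED_RUNS = [
    Run(tokens=5_000_000,  reported=12, true_positives=4,  validation_hours=6),
    Run(tokens=10_000_000, reported=22, true_positives=9,  validation_hours=10),
    Run(tokens=20_000_000, reported=35, true_positives=13, validation_hours=15),
    Run(tokens=40_000_000, reported=50, true_positives=14, validation_hours=21),
]

if __name__ == "__main__":
    for run in CONSTRUCTED_RUNS:
        print(f"{run.tokens/1e6:5.0f}M tokens: precision={precision(run):.2f} "
              f"cost/TP=${cost_per_true_positive(run):,.0f}")
    for d_tokens, d_tp, usd in marginal_yield(CONSTRUCTED_RUNS):
        print(f"  +{d_tokens/1e6:.0f}M tokens -> +{d_tp} TPs at ${usd:,.0f} each")
    print("cap at $300 per extra TP:", spend_cap(CONSTRUCTED_RUNS, 300.0), "tokens")
```

With the constructed runs, the last doubling (20M to 40M tokens) buys one extra confirmed bug for about USD 1,200 of tokens and triage, so a USD 300 threshold caps spend at 20M tokens per target. The threshold itself is a business decision; the point of the study is that it is set from measured marginal yield, not from the headline count of findings.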

[ BROWNFIELD_PERSPECTIVE ]

Legacy codebase integration strategies...

  • 01.

    Add an AI red-team stage after SAST/DAST in CI for crown-jewel services; require human confirmation before tickets block merges; log prompts/outputs for audit.

  • 02.

    Harden model access: PAM-backed identities, VPC egress allowlists, secrets-free sandboxes, and clear DPAs for code/data exposure.
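
The two brownfield items above (a human-gated AI red-team stage with an audit trail, and keeping secrets away from the model) share one enforcement point: the code that decides what an AI finding is allowed to do and what gets logged. The following is an added example of that gate, not code from the page or any vendor. The finding schema (`severity`, `human_verdict`, `human_confirmed_by`), the severity names, the secret-detection patterns and the sample findings are this example's own assumptions; the AWS key in the sample prompt is the placeholder value from AWS documentation, not a real credential.

```python
"""Merge gate and audit log for an AI red-team CI stage.

Added example, not code from the page or from any vendor. The finding
schema (severity, human_verdict, human_confirmed_by), the severity names
and the secret patterns are this example's own assumptions.
Policy encoded here:
  1. a finding can block a merge only after a human confirmed it;
  2. every prompt and model output is logged with secrets redacted, plus a
     hash of the raw text so the record can still be matched to what was sent.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

BLOCKING_SEVERITIES = {"critical", "high"}  # assumed severity scale

# (pattern, replacement) pairs; the third keeps the key name and drops the value.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED]"),  # AWS access key id shape
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
     "[REDACTED PRIVATE KEY]"),
    (re.compile(r"(?i)(api[_-]?key|secret|token|password)(\s*[=:]\s*)['\"]?([A-Za-z0-9_\-./+]{8,})"),
     r"\1\2[REDACTED]"),
]


def redact(text: str) -> str:
    """Best-effort scrub before text leaves the sandbox or lands in a log."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def triage(findings):
    """Split AI findings into (blocking, advisory, rejected).

    Unconfirmed findings never block, whatever severity the model assigned;
    they surface as advisory comments for a human to confirm or reject.
    """
    blocking, advisory, rejected = [], [], []
    for f in findings:
        severity = (f.get("severity") or "").lower()
        if f.get("human_verdict") == "false_positive":
            rejected.append(f)
        elif (severity in BLOCKING_SEVERITIES
              and f.get("human_verdict") == "confirmed" and f.get("human_confirmed_by")):
            blocking.append(f)
        else:
            advisory.append(f)
    return blocking, advisory, rejected


def merge_allowed(findings) -> bool:
    return not triage(findings)[0]


def audit_record(prompt: str, output: str, finding_ids, model: str = "assumed-model-id") -> dict:
    """One JSON-serialisable log entry per model call."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "model": model,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
        "prompt_redacted": redact(prompt),
        "output_redacted": redact(output),
        "finding_ids": list(finding_ids),
    }


def to_jsonl(record: dict) -> str:
    return json.dumps(record, sort_keys=True)


# Constructed sample: three findings from one AI run on a service.
CONSTRUCTED_FINDINGS = [
    {"id": "F-1", "severity": "critical", "title": "auth bypass in session refresh",
     "human_verdict": "confirmed", "human_confirmed_by": "alice"},
    {"id": "F-2", "severity": "critical", "title": "possible SSRF in webhook fetch",
     "human_verdict": None, "human_confirmed_by": None},
    {"id": "F-3", "severity": "high", "title": "hardcoded credential",
     "human_verdict": "false_positive", "human_confirmed_by": "bob"},
]

# Constructed prompt containing secrets that must never reach the log.
CONSTRUCTED_PROMPT = "Review this config:\ndb_password=hunter2hunter2\nkey AKIAIOSFODNN7EXAMPLE"

if __name__ == "__main__":
    blocking, advisory, rejected = triage(CONSTRUCTED_FINDINGS)
    print("blocking:", [f["id"] for f in blocking], "advisory:", [f["id"] for f in advisory])
    print("merge allowed:", merge_allowed(CONSTRUCTED_FINDINGS))
    print(to_jsonl(audit_record(CONSTRUCTED_PROMPT, "no issues", ["F-1"])))
```

The regex scrub is a last line of defence, not a substitute for a sandbox that has no secrets to leak; it will miss anything that does not look like the handful of shapes listed. The hashes of the raw prompt and output are what make the audit log useful after redaction: they let you prove which text the model actually saw without storing it.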

[ GREENFIELD_PERSPECTIVE ]

Fresh architecture paradigms...

  • 01.

    Treat security review as a compute workload from day one: periodic AI fuzzing on ephemeral staging targets with budget SLOs.

  • 02.

    Prefer well-adopted OSS and upstream fixes; shared ‘proof-of-work’ security spend benefits all consumers.
