144
Anthropic Mythos shaping up as nothingburger (www.theregister.com)
submitted 5 days ago by HaraldvonBlauzahn@feddit.org to c/programming@programming.dev
25 comments fedilink hide all child comments

[...]

That marketing may have outstripped reality. Early reports from Mythos preview users including AWS and Mozilla indicate that while the model is very good and very fast at finding vulnerabilities, and requires less hands-on guidance from security engineers - making it a welcome time-saver for the human teams - it has yet to eclipse human security researchers.

"So far we've found no category or complexity of vulnerability that humans can find that this model can't," Mozilla CTO Bobby Holley said, after revealing that Mythos found 271 vulnerabilities in Firefox 150. Then he added: "We also haven't seen any bugs that couldn't have been found by an elite human researcher." In other words, it's like adding an automated security researcher to your team. Not a zero-day machine that's too dangerous for the world.

you are viewing a single comment's thread
view the rest of the comments
[-] MissesAutumnRains@lemmy.blahaj.zone 28 points 5 days ago

I'm a bit confused because the quotes do seem to do Mythos quite a bit of justice here. Saying it is essentially the equivalent of an elite security researcher seems... good, right?

Isn't the threat that's being discussed "what if anyone could point this at anything and then actively exploit the things it finds"?

[-] justOnePersistentKbinPlease@fedia.io 23 points 5 days ago

The article does not.

It states that logs indicate that the LLM was pointed at known bugs and reproduced known bug reports.

For FreeBSD, they state that the logs indicate that it was hand-guided to known issues.

For firefox, they ran it in a sandbox with most of Firefox's security disabled/stripped out.

It states that Mythos found no zero days.

[-] higgsboson@piefed.social 6 points 5 days ago

Much of Lemmy is ideologically against AI, so it is difficult to have rational conversation about the topic here.

Yes, for many enterprises, an "automated security researcher" is likely to be quite useful... and by the same measure, likely to be dangerous in the wrong hands. People attempting to pounce on this as some sort of gotcha mostly havent engaged beyond the headline.

[-] HaraldvonBlauzahn@feddit.org 1 points 5 days ago

Saying it is essentially the equivalent of an elite security researcher seems… good, right?

Well, you should read the article.

[-] MissesAutumnRains@lemmy.blahaj.zone 1 points 5 days ago

I did, but it seems very much like authorial biases kind of overshadowed over what was being said. Maybe I just have a different perspective on things, though.

this post was submitted on 23 Apr 2026
144 points (93.4% liked)

Programming

26725 readers
159 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
UlrikHD@programming.dev
bugsmith@programming.dev
Spyro@programming.dev