Following the Mythos announcement and Project Glasswing, everyone’s talking about a new era in cybersecurity. I’ve been watching this space for years, and I have some thoughts on what actually matters here.
What Mythos Actually Is
Mythos is a frontier AI model — a large language model trained on code. Nothing shocking there; LLMs have been getting better at code tasks for a while. What’s interesting is the system around it. Mythos isn’t just a model that spits out patches. It’s a whole pipeline: compute power, training data, scaffolding for probing vulnerabilities, speed, and some autonomy.
That system recipe is what makes it work. And it’s why smaller models with better system design could match or beat it. AI cybersecurity capability doesn’t scale smoothly with model size. The system matters more.
Mythos proved something we already suspected: you can build an AI system that finds and patches software vulnerabilities autonomously. But we’re just starting to understand what that means when the AI can act on its own.
Openness as a Structural Advantage
Here’s where I push back on the usual “open source is risky” narrative. As autonomous vulnerability-finding systems multiply (and they will), open code and tooling level the playing field. Software security is now a speed race across four stages: detection, verification, coordination, and patch propagation.
Open ecosystems distribute these stages across a community. Closed-source projects centralize everything inside one vendor, creating a single point of failure. Only one organization can see and fix the code. That’s fragile.
Open development is more robust. Look at the Linux kernel security team, the Open Source Security Foundation, or Hugging Face’s own model security work. Distributed communities catch things faster.
A common counterargument is proprietary obscurity — hiding the code. But AI systems are getting better at reverse engineering stripped binaries. Most legacy firmware and embedded code is closed, binary-only, and unmaintained. That’s a huge attack surface, and AI tools are making it more accessible by the day.
There’s another risk: companies using AI coding tools under bad incentives. When engineers are evaluated by feature volume instead of code quality, AI-accelerated development introduces more vulnerabilities into proprietary code. Those vulnerabilities sit behind a closed firewall, while AI-enabled attackers find them from outside. More vulnerabilities, faster, behind a single-organization wall — that’s exactly the imbalance open ecosystems avoid.
Underneath all this is capability asymmetry between attackers and defenders. Open models and tooling narrow that gap. Defenders get access to the same capabilities attackers use, instead of those capabilities being concentrated in a few well-resourced entities.
Semi-Autonomous Agents Are the Sweet Spot
Mythos appears capable of near-full autonomy. I’ve advised against that. Loss of control is real.
Semi-autonomous agents are different. You prespecify what actions they can take. Certain steps require human approval. People stay in control; the AI handles specific subtasks. This works with open code that organizations run privately within their own infrastructure, specifying allowable tools, skills, and access privileges.
That setup lets you deploy AI agents defensively — finding vulnerabilities, assisting with patches, without handing over the keys. It’s not as flashy as full autonomy, but it’s where the real value is.
The future of cybersecurity isn’t about who has the biggest model. It’s about who builds the best system, and whether that system is open enough to let the community help defend it.
Comments (0)
Login Log in to comment.
Be the first to comment!