this post was submitted on 23 Apr 2026
130 points (95.1% liked)

Technology

84431 readers
4514 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
130
Anthropic Mythos shaping up as nothingburger (www.theregister.com)
submitted 2 weeks ago by HaraldvonBlauzahn@feddit.org to c/technology@lemmy.world
39 comments fedilink hide all child comments
 

cross-posted from: https://feddit.org/post/28915273

[...]

That marketing may have outstripped reality. Early reports from Mythos preview users including AWS and Mozilla indicate that while the model is very good and very fast at finding vulnerabilities, and requires less hands-on guidance from security engineers - making it a welcome time-saver for the human teams - it has yet to eclipse human security researchers.

"So far we've found no category or complexity of vulnerability that humans can find that this model can't," Mozilla CTO Bobby Holley said, after revealing that Mythos found 271 vulnerabilities in Firefox 150. Then he added: "We also haven't seen any bugs that couldn't have been found by an elite human researcher." In other words, it's like adding an automated security researcher to your team. Not a zero-day machine that's too dangerous for the world.

you are viewing a single comment's thread
view the rest of the comments
[–] MangoCats@feddit.it 7 points 2 weeks ago (13 children)

In other words, it’s like adding an automated security researcher to your team. Not a zero-day machine that’s too dangerous for the world.

Missing the point? Hiring an elite human researcher isn't easy, or cheap. It's beyond the means of the vast majority of people out there. $20/Month Claude Pro subscription? Not so much.

The question for me: How much better is Mythos than Opus 4.6 or 4.7, or Sonnet for that matter? Those models and similar from other companies are already being effectively leveraged by threat actors. If Mythos reduces the time x money cost of finding a new zero-day by a factor of 10 vs Opus 4.7 - that's concerning. If it's a factor of 1.1 - meh... the world is going to have to learn how to deal with these things sooner than later, and that means the "white hats" are going to need superior funding to the "black hats" along with cooperation to close the gaps they find, or the "black hats" are going to be getting a lot more annoying than they already are.

[–] HaraldvonBlauzahn@feddit.org 3 points 1 week ago (1 children)

Hiring an elite security researcher isn't easy, or cheap"

You still need to hire one:

https://feddit.org/post/28915273/12684094

[–] MangoCats@feddit.it 1 points 1 week ago

no CVE list, no CVSS distribution, no severity bucket, no disclosure timeline, no vendor-confirmed-novel table, no false-positive rate

Yeah, that's cooked data - it's too easy to ask the LLM to give you the CVE list, the CVSS distribution / severity buckets, timelines, everything you might want.

I have LLMs doing pull request reviews and as a default response they just give potshots, but if you prompt them they will point directly to the files and line numbers where the problems they are pointing out reside...

load more comments (11 replies)