{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiawu642y4ux5ksjq7x2t6empmeluanrt3hzvzrp2r5wprgpas2zxu",
"uri": "at://did:plc:rrwxywdlrz5fkwj5g4u4jnrk/app.bsky.feed.post/3mnhervm7p3u2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreidwr6uq6aqpr6qkpa5fyrhceed5hwkfip6npkvwxbprlq22hyljsu"
},
"mimeType": "image/jpeg",
"size": 2873085
},
"path": "/article/4180920/beware-the-son-of-mythos-security-experts-warn.html",
"publishedAt": "2026-06-04T07:00:00.000Z",
"site": "https://www.csoonline.com",
"tags": [
"Artificial Intelligence, Security Software, Threat and Vulnerability Management",
"Project Glasswing",
"signals a structural shift for cybersecurity",
"Anthropic is now adding roughly 150 more vetted partners",
"Gunter Ollmann",
"two from China are not far behind",
"Paul Chichester",
"incident response exercises",
"CSO Cybersecurity Awards and Conference",
"Jim Reavis"
],
"textContent": "LONDON — Enterprise security teams were urged by security experts at Infosecurity Europe to brace for impact as both Anthropic and OpenAI expand access to their frontier AI models for vulnerability discovery.\n\nAnthropic, in particular, is significantly expanding Project Glasswing, its scheme to provide select organizations with access to Claude Mythos, an AI-powered vulnerability discovery tool that many industry observers and practitioners believe signals a structural shift for cybersecurity.\n\nAfter initially granting access to around 50 organizations in April, Anthropic is now adding roughly 150 more vetted partners to its program.\n\nIn a parallel development, OpenAI reportedly has offered nine major UK banks access to its cybersecurity AI tool, GPT-5.5 Cyber.\n\n## Prepare for the son of Mythos\n\nSpeaking at Infosecurity Europe, Gunter Ollmann, CTO at penetration testing and security services firm Cobalt, said frontier AI models from Google and two from China are not far behind in their capabilities.\n\n“Security teams should prepare for the son of Mythos,” said Ollmann. “These frontier AI tools are still restricted in their access, but they are only going to get cheaper as we go along.”\n\nPaul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), backed up this assessment by citing estimates that China was eight months behind. 
Misuse of frontier AI models represents a threat while also offering defenders the opportunity to push additional costs onto adversaries, Chichester told Infosec Europe delegates.\n\n“Organisations can use AI to write better code and look for vulnerabilities,” said Chichester, who added that frontier AI tools have the potential to democratise security assessments and penetration testing.\n\nOrganisations should improve cybersecurity by hardening access controls and running incident response exercises, Chichester advised.\n\nDaniel Wilcock, threat intelligence analyst at managed security services firm Talion, warned that organisations that fail to explore advanced AI risk falling behind those that are using the technology to accelerate vulnerability discovery and security operations.\n\n“Advanced AI platforms are already being used by malicious threat actors, and all organisations must be prepared for this,” Wilcock warned.\n\n## Exploit chains\n\nOllmann told CSO that AI is far from replacing security experts such as penetration testers.\n\n“The combination of AI-driven analysis and human expertise is proving far more effective than either operating alone,” Ollmann said. “The organizations that benefit most from these advances will be the ones that can rapidly validate, prioritize, and remediate the issues being discovered before attackers find them first.”\n\nOllmann added: “Mythos appears to be operating with a level of software access and analysis flexibility that most commercial security researchers and testing platforms don’t typically have, including the ability to examine code and behaviours that may otherwise be restricted by licensing or terms of service. 
That creates a unique opportunity to identify classes of vulnerabilities that conventional testing approaches often miss.”\n\nFor example, Mythos makes it easier to chain together several medium-severity vulnerabilities to create a high-impact risk.\n\nThe topic of AI flaw-chaining was also central to a panel on Mythos at the recent CSO Cybersecurity Awards and Conference in the US.\n\n“When we’re doing threat modeling, we have some sense that these are the known vulnerabilities that we are modeling against and here’s where we think we are weak, and that kind of goes away with chaining multiple vulnerabilities,” Jim Reavis, CEO and co-founder of Cloud Security Alliance (CSA), told attendees. “CVSS scoring, it seems like that’s not super relevant anymore.”\n\nJon Yeoh, chief scientific officer at CSA, agreed, touching on the “son of Mythos” threat as well.\n\n“It’s not just about Anthropic. It’s about what these next-generation AI will be doing,” he said. “This is a major step change in what AI can do.”",
"title": "Beware the ‘son of Mythos,’ security experts warn"
}