The True Threat of Mythos Isn't 'Genius Thieves,' It's the 'Vanishing Time' for Defense

The real terror of Mythos is not a "genius burglar," but that "time disappears"

There has been a lot of strong language used recently regarding the cyber capabilities of AI. The talk surrounding Anthropic's Mythos is one such example.

"AI finds vulnerabilities."
"AI creates attack code."
"It might surpass human experts."

When you hear that, it naturally sounds terrifying.

I should mention upfront that these kinds of stories are often spread through secondary or tertiary summaries, not primary sources. Therefore, I will write carefully based on information I have been able to trace. Please read "Mythos" in this article not as the specific details of a particular product, but as a synonym for the high-capability AI discussed in reports.

However, I feel that if we perceive this story simply as "AI has become very smart," we will miss the essence.

What is important here is the perspective of being "inaccurately correct."

The flow of this article

  • What is "inaccurately correct"? (The "yardstick" for reading this article)
  • 1–3. The core of the threat through analogies (Spare keys / Grading / Locksmiths)
  • 4. But we must not forget the plain reality
  • 5. So, how do we protect ourselves?
  • 6. Why is only Mythos making noise? (The restaurant analogy)
  • 7. Looking not to be afraid, but to prepare correctly
  • Closing

The yardstick of "inaccurately correct"

First, here is this "yardstick" in one image.

An illustration of the "inaccurately correct" yardstick. It divides communications into three categories—"Misinformation" (❌: knowledgeable people can correct it → it gets corrected) / "Accurate and Deep" (✓: understanding deepens → judgment improves) / "Inaccurately correct" (⚠: it's not a lie, so experts stay silent, and the listener is in a fog. It is hard to correct, and judgment does not improve). Conclusion: "The most troublesome thing is when it's not a lie, yet it doesn't cultivate judgment."

In short, "inaccurately correct" refers to information that is factually not wrong, but is so shallow in granularity that it does not improve the listener's judgment.

I believe there are roughly three types of information.

The first is obvious misinformation. Knowledgeable people can correct this by saying, "That is wrong." Listeners can also learn from that correction.

The second is accurate and deep information. This advances the reader's understanding and improves their judgment. It is very healthy.

The third is inaccurately correct information.

This is the most troublesome. Because it is not a lie, it cannot be easily denied. If an expert critiques it, they look like they are splitting hairs. As a result, the more knowledgeable people are, the more likely they are to stay silent.

Consequently, the listener thinks, "This person is saying something correct." But because the granularity of the talk remains shallow, the judgment axis remains fixed at low resolution. At first glance, it looks enlightening. But in reality, it doesn't cultivate the ability to think; it creates an intellectual paralysis. This is the horror of "inaccurately correct" communication.

For example, a health influencer says, "Processed foods are not good for you, so be careful." Factually, this is not entirely wrong. But if it stops there, the listener doesn't know "so, what should I choose and how?" They feel like they have heard something correct. However, their own ability to judge doesn't really improve. If it were misinformation, someone could correct it. But this is not a lie. That is exactly why it easily becomes a trap.

I believe we need to be careful of this in the Mythos story as well. "AI is used for cyberattacks. It's dangerous." This is not wrong. But that alone is coarse. What we really need to look at is what changed, at what granularity, and how.

I don't think the truly scary part of a Mythos-level threat is that the burglar becomes a genius. What is truly scary is that the "few days" of leeway we had until we changed the locks disappears.

1. The spare key analogy: The core of the threat is that "time disappears"

First, let's look at an overview of this section in one image.

A comparison chart between "until now (manual work, takes days)" and "Mythos-level (instantly automates the same steps)". It shows that the attack steps are the same, and only the "few days" leeway that defenders had to change the locks disappears.

For example, suppose a defect is found in a house door lock and it is publicly announced.

Until now, it required effort from the burglar's side. They needed to perform the following steps in order:

  1. Verify if the house's door actually uses that lock.
  2. Travel to the site.
  3. Make a spare key that opens it.
  4. Actually try it to confirm it opens.

These steps 1 to 4 used to take several days. That's why residents had the luxury of a few days to change the locks. In the world of security, this is the time taken to apply a patch.

However, with a Mythos-level threat, this time disappears. Because the same steps run automatically the moment the vulnerability is announced:

  1. Automatically scan houses worldwide.
  2. Identify doors that will open.
  3. Create a functional spare key.
  4. Prove that it actually opens.

Steps 1 to 4, which would have taken days of human labor, end almost simultaneously. The order is the same, but the time required approaches zero.

What is happening here is not simply a story of "a smart burglar has arrived."

🔧 For engineers: Technically speaking

The "few days" for the defender is the time difference (exposure window) between when a vulnerability is disclosed and when it is practically exploited. Manpower is required at each stage: CVE assignment → Metadata assignment like CVSS by NVD → Impact assessment by each organization → Patch/mitigation. Historically, the attacker also needed time to create a PoC (Proof of Concept) and confirm reachability. The difference in these delays on both sides was the defender's buffer.

Breaking down the attack kill chain, it consists of: Detection (candidate discovery) → Reachability (can the input reach a vulnerable sink or bypass mitigations?) → Proof (functional PoC/exploit) → Weaponization/Chaining. While "candidate discovery" is becoming commoditized via LLMs, what historically kept human labor as the bottleneck was confirming reachability and synthesizing the PoC. If these two steps can be completed autonomously, the window from disclosure to a practical exploit shrinks to nearly zero.

What is actually effective is often not a new 0-day, but an N-day (an already disclosed but unpatched vulnerability). Disclosed vulnerabilities come with abundant clues, and exploiting them succeeds wherever the patch has not been applied. In practice, EPSS (an estimate of exploitation probability) and CISA KEV (a catalog of vulnerabilities with observed exploitation) are used as indicators of what is currently dangerous.

Therefore, the numerical target for defenders is to minimize the patch delay (exposure window) and the N-day window.

2. The grading analogy: "Grading everything without selection" becomes the problem

Let's consider this story with another analogy.

A comparison chart between "until now (both defenders and attackers select manually; they look at 10 important-looking questions out of 100, and briefly check the rest; they can't see everything)" and "Mythos-level (a tireless grader solves all 100 questions, proves them, and finishes overnight)". It shows the asymmetry of offense and defense where the side that first masters the tireless grader finds more vulnerabilities.

Until now, security teams were like teachers handed a 100-question test. They wanted to grade everything carefully, but they lacked the time. So, they prioritized looking at the 10 important-looking questions and only briefly checked the rest.

Attackers were the same. Even if there were many vulnerabilities, it took effort to actually weaponize them. Therefore, attackers only chose to target the "low-hanging fruit" vulnerabilities.

However, the situation changes when a Mythos-level AI emerges. A tireless grader solves all 100 questions overnight and proves the answers. It doesn't select; it sees everything. And it never rests.

In fact, it is reported that even NIST is shifting toward operations that prioritize important vulnerabilities rather than reviewing every report at the same granularity, because the number of vulnerability reports keeps increasing and has grown too large for human operations to keep up.

Even though the same flood is coming, the side that masters the tireless grader first becomes advantageous. Herein lies the asymmetry between offense and defense.

🔧 For engineers: Technically speaking

Publicly disclosed vulnerabilities are fundamentally organized by NVD (CVE + CVSS + affected-product CPE, etc.). As report volume has grown, manually analyzing every item at the same granularity has reached its limit, and operations are shifting toward prioritizing by confirmed exploitation and severity. This is the same direction practitioners have taken: moving away from relying solely on CVSS severity and narrowing down by EPSS (exploit probability), KEV (known exploited), asset criticality, and reachability.

Defense is structurally built on the premise that "you cannot handle all CVEs," so priorities are assigned. The problem is that if the attacker can automatically try "everything," the gaps in the defender's "looking only at important stuff" (the remainder they couldn't handle) will be exploited. In other words, the numerical essence of the asymmetry is not a difference in intelligence, but a difference in triage processing capacity.
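The gap described above and the exposure window from section 1 can both be made concrete with a small triage model. This is an added example, not code from the article: the finding IDs, assets, scores, dates and the ordering used in `by_risk` are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # constructed placeholder, not a real CVE ID
    asset: str
    cvss: float              # severity, 0-10
    epss: float              # estimated exploitation probability, 0-1
    kev: bool                # exploitation already observed
    critical_asset: bool
    reachable: bool          # reachable from an untrusted network
    disclosed: date
    patched: Optional[date]  # None = still open


TODAY = date(2024, 3, 20)    # constructed "now" so results are reproducible

FINDINGS = [  # constructed sample data
    Finding("VULN-A", "intranet-wiki", 9.8, 0.02, False, False, False, date(2024, 3, 1), None),
    Finding("VULN-B", "build-server", 9.1, 0.04, False, False, False, date(2024, 3, 2), None),
    Finding("VULN-C", "hr-portal", 8.8, 0.03, False, False, True, date(2024, 3, 3), date(2024, 3, 10)),
    Finding("VULN-D", "vpn-gateway", 7.5, 0.91, True, True, True, date(2024, 3, 4), None),
    Finding("VULN-E", "mail-relay", 6.5, 0.62, False, False, True, date(2024, 3, 5), None),
    Finding("VULN-F", "print-server", 5.3, 0.01, False, False, False, date(2024, 3, 6), None),
]


def exposure_days(f, today=TODAY):
    """Exposure window: days from disclosure to patch (or to today if open)."""
    return max(((f.patched or today) - f.disclosed).days, 0)


def by_cvss(f):
    """Severity-only ordering."""
    return (f.cvss,)


def by_risk(f):
    """Assumed ordering: observed exploitation, then reachability, then EPSS,
    then asset criticality; CVSS only breaks ties."""
    return (f.kev, f.reachable, f.epss, f.critical_asset, f.cvss)


def triage(findings, capacity, key):
    """IDs of the open findings the team can handle this cycle."""
    open_items = [f for f in findings if f.patched is None]
    ranked = sorted(open_items, key=key, reverse=True)
    return [f.vuln_id for f in ranked[:capacity]]


def missed_by_cvss(findings, capacity):
    """Findings a risk-ordered queue handles but a CVSS-only queue leaves open."""
    cvss_pick = set(triage(findings, capacity, by_cvss))
    return [v for v in triage(findings, capacity, by_risk) if v not in cvss_pick]


if __name__ == "__main__":
    print("CVSS-only queue:", triage(FINDINGS, 3, by_cvss))
    print("Risk-based queue:", triage(FINDINGS, 3, by_risk))
    print("Left open by CVSS-only:", missed_by_cvss(FINDINGS, 3))
    for f in FINDINGS:
        state = "open" if f.patched is None else "patched"
        print(f"{f.vuln_id} {f.asset}: {exposure_days(f)} days exposed ({state})")
```

With a capacity of three items per cycle, the CVSS-only queue never reaches the internet-reachable mail relay, which is exactly the remainder an attacker who tries everything would find.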

3. The locksmith analogy: When costs collapse, targets change

In the past, skilled locksmiths capable of making functional duplicate keys were few and far between in the world. This was a realm restricted to state-level elite units or highly specialized experts. Consequently, the costs were high, and their numbers were limited. For this reason, the primary targets were large entities like banks, government agencies, and major corporations.

But what if that locksmith were copied one hundred million times, and moreover, never slept? Suddenly, not just banks, but ordinary homes also fall within range.

This corresponds to the "attack version" of the story I am writing separately about a "world with one hundred million tireless researchers." The structure is exactly the same. (That article will be published in the near future. Once it is, I will add a link here.)

It is not just that capabilities increase slightly. The unit cost of capability drops, and the number of times it can be executed increases. Consequently, attacks that were not previously cost-effective become realistic. I believe this is a point in AI-era security that must not be overlooked.

🔧 For engineers: Technically speaking

Attacker decision-making can be approximated by simple economics. They will execute if Expected Gain > Marginal Cost of Attack. Traditionally, creating a PoC, investigating targets, and lateral movement required human effort, making the marginal cost per target high. Therefore, targets were limited to those of high value.

What autonomy reduces is not intelligence, but this marginal cost. As the cost per target approaches the floor, broad and thin targets (small and medium-sized businesses, individuals, public assets) that were previously not worth the effort enter the range all at once. The technical meaning of "a locksmith for one hundred million people" is not a new superhuman attack, but an increase in attack throughput by orders of magnitude via parallelization × cost reduction. It is accurate to think of this as the automated weaponization of N-days, reconnaissance, and phishing generation.

4. But we must not forget the plain, unglamorous reality

However, there is an important balance to be struck here.

In reality, many intrusions are not occurring solely through hyper-advanced AI attacks. Rather, more common are things like phishing where keys are carelessly handed over, misconfigurations that leave windows wide open, or unpatched software where old keys are left in place. These are plain, unglamorous, yet fundamental issues.

Therefore, being terrified of "super locksmiths" while leaving your windows wide open is the worst possible approach. It is important to know about advanced threats, but that is no excuse to treat fundamental countermeasures lightly. In fact, it is the opposite. In the AI era, basics such as authentication, permissions, patching, configuration, logs, monitoring, and network segmentation become even more critical.

5. So, how do we defend?

I have summarized the defensive approach in a single image as well.

A comparison diagram between the "wrong path to victory (competing to see who can grab the fire extinguisher fastest)" and "how one really needs to defend (building a house that doesn't spread fire = even if one room burns, the fire does not reach the room with the safe)". Zero trust = assuming you will be intruded upon, and minimizing reachability through a layered approach: perimeter -> entrance authentication -> access control -> network segmentation -> permission limits -> critical assets. The bottom section illustrates six defensive points: reduce reach paths / restrict permissions / segment networks / strengthen authentication / detect anomalies quickly via logs / create structures where critical assets cannot be easily touched.

If the time available to react disappears, the path to victory is not "competing to see who can grab the fire extinguisher faster than anyone else." Of course, detecting and responding quickly is important. However, betting everything on that alone is dangerous.

What is truly necessary is to build a house that prevents fire from spreading. For example, separating rooms with fire doors. Even if one room catches fire, ensure the fire does not reach the room with the safe.

In security terms, this is close to the concept of Zero Trust. Instead of thinking based on the premise that you will not be intruded upon, think based on the premise that you will be. And then, ensure that even if an intrusion occurs, the attacker cannot reach critical assets. Specifically, it is the accumulation of the following:

  1. Reduce reach paths
  2. Restrict permissions
  3. Segment networks
  4. Strengthen authentication
  5. Detect anomalies quickly via logs
  6. Create structures where critical assets cannot be easily touched

There is nothing flashy about this. But in a world where time disappears, this accumulation pays off.

🔧 For engineers: Technically speaking

Implementing a "house that prevents fire from spreading" means structurally eliminating the attack path to critical assets. The main components are as follows:

  • Micro-segmentation / Network segmentation: Limiting the blast radius after an intrusion.
  • Least privilege / JIT/JEA, phishing-resistant authentication (FIDO2/passkeys), mTLS, workload identity such as SPIFFE/SPIRE: Restricting who or what can access what, and to what extent.
  • Policy-as-code (OPA, etc.) and configuration-as-code + drift detection: Locking in design intent with code and detecting deviations.
  • SBOM / SLSA / Dependency hygiene: Managing the N-day window and supply chain risk.
  • Telemetry/EDR and attack path (reachability) analysis: Visualizing "provable attack paths" and prioritizing based on them.

The design metric is not just "speed (MTTR reduction)," but minimizing the number of "provable attack paths" to critical assets under the assumption of intrusion. In a world where time disappears, reducing the paths themselves is more effective.
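One way to make the "provable attack paths" metric concrete, as an added example that is not code from the article: it enumerates paths from an untrusted entry point to a critical asset over a set of allowed network flows, before and after segmentation. All host names and flows are constructed assumptions.

```python
from collections import Counter

# Constructed flat network: each key may open connections to the listed hosts.
FLAT = {
    "internet": {"web", "vpn"},
    "web": {"app", "db"},
    "vpn": {"workstation"},
    "workstation": {"app", "db", "fileserver"},
    "app": {"db"},
    "fileserver": {"db"},
}

# Flows a segmentation policy would deny (constructed): only "app" keeps
# a direct route to the critical database.
DENIED = {
    ("web", "db"),
    ("workstation", "db"),
    ("workstation", "app"),
    ("fileserver", "db"),
}


def segment(flows, denied):
    """Return a copy of the flow map with the denied edges removed."""
    return {
        src: {dst for dst in dsts if (src, dst) not in denied}
        for src, dsts in flows.items()
    }


def attack_paths(flows, entry, target):
    """Enumerate every loop-free path entry -> target (depth-first search)."""
    paths = []

    def walk(node, seen):
        if node == target:
            paths.append(seen)
            return
        for nxt in sorted(flows.get(node, ())):
            if nxt not in seen:          # never revisit a host on this path
                walk(nxt, seen + [nxt])

    walk(entry, [entry])
    return paths


def edge_load(paths):
    """Count how many attack paths cross each flow: the flows carrying the
    most paths are the ones whose removal cuts the most routes."""
    load = Counter()
    for path in paths:
        load.update(zip(path, path[1:]))
    return load


if __name__ == "__main__":
    before = attack_paths(FLAT, "internet", "db")
    after = attack_paths(segment(FLAT, DENIED), "internet", "db")
    print(f"paths to db before segmentation: {len(before)}")
    for p in before:
        print("  " + " -> ".join(p))
    print(f"paths to db after segmentation: {len(after)}")
    for p in after:
        print("  " + " -> ".join(p))
    print("busiest flows before:", edge_load(before).most_common(3))
```

The remaining path is the one to protect with authentication, least privilege and monitoring, since segmentation alone cannot remove the flow the application needs.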


6. Then why is Mythos, of all things, being talked about so much?

This becomes clear when looking at a diagram. Changing the perspective, let us think using the example of restaurants.

A diagram showing "why Mythos alone is being talked about." Anthropic Cafeteria, which published its inspection results prominently, is swamped with reporter crews, while OpenAI-tei quietly posts its detailed safety evaluation report. The scoreboard in the center shows public benchmarks—UK AISI Expert tasks: Mythos 68.6% / GPT-5.5 71.4%, The Last Ones: 3/10 vs 2/10, CyberGym: 83.1% / 81.8%—indicating that both are at a very similar level. The conclusion at the bottom is "Look at what is being measured and how it is disclosed, not the headlines."

Suppose there are two restaurants: Anthropic Cafeteria and OpenAI-tei.

Anthropic Cafeteria put up a large notice in front of the store: "We have inspected our kitchen in detail, and these are the risks we found. We are making the results public." It is quite honest. However, the notice is a bit scary.

OpenAI-tei also inspects its kitchen. Moreover, if you look at the culinary skills of its chefs and the processing capacity of its kitchen, they seem to be at a level quite close to Anthropic Cafeteria.

For example, in a difficult culinary exam, the chef from OpenAI-tei scored 71 points, and the chef from Anthropic Cafeteria scored around 68 points. In an exam to complete a long course meal, Anthropic Cafeteria succeeded 3 out of 10 times, while OpenAI-tei succeeded 2 out of 10 times.

In other words, at least based on the information made public, it is a bit sloppy to view it as "Anthropic Cafeteria is a particularly dangerous kitchen, while OpenAI-tei is in a safe zone." Both are kitchens capable of advanced cooking. Both are subjects that should be watched with care.

However, what is important here is not to decide "which one is more dangerous" just by looking at the scores.

There are many types of culinary exams. Knife skills tests. Exams for completing a long course. Tests on identifying rare ingredients. Tests on whether the entire kitchen can be operated safely. Each measures something different.

Therefore, just because the scores are close in one exam does not mean "the risk levels of these two restaurants are completely the same." But conversely, it is also wrong to look only at Anthropic Cafeteria, which posted a scary notice in front of the store, and think "only this one is dangerous." Furthermore, assuming "Anthropic Cafeteria is selling anxiety" or "OpenAI-tei is indifferent to safety"—both assumptions are equally sloppy, and simply swapping one prejudice for another will not reveal anything.

Being mentioned in the news does not necessarily mean you have the highest risk. It might just be because they were the first to disclose their inspection results in an easy-to-understand way.

This is a point to be careful about regarding the Mythos talk. The name "Mythos" appears in the news. As a result, it inevitably looks like "only Mythos is dangerous." But in reality, GPT-5.5 also shows quite high capabilities in the cyber domain. As far as the published evaluations show, there are parts that appear to be at a level close to Mythos Preview.

A diagram showing "headline fear is not a ranking of danger." On the left, sensational headlines ("Mythos is dangerous," "AI becomes a hacker," "Take measures now," etc.—easier names make headlines first), on the right, safety evaluation reports (6 perspectives: test scope/conditions/environment, autonomy scope, reproducibility, limitations, operation/monitoring). Showing "look at the content, not the name" with scales and a magnifying glass, the conclusion is "only after looking at that much can you have a discussion."

Therefore, what you should look at is not the scariness of the name. What did they measure in which exam? Under what conditions, and to what extent were they able to act autonomously? How close to the real world is the evaluation? What restrictions are placed on the provided product? How is it operated and monitored? Only after looking at that can you have a discussion.

In short, viewing it as "Mythos is abnormally dangerous and GPT-5.5 is in a safe zone" is too crude. Instead of reacting to scary names, look into the kitchen. Instead of the headline, look at the inspection content. Instead of the scores, look at what was measured to get those scores. In security for the AI era, I believe this perspective becomes very important.

🔧 For engineers: What each benchmark measures

When saying "the scores are close," the meaning changes depending on what those scores measured. It is safer to read benchmarks by dividing them into "Cyber-specific" and "Foundation of general capabilities." Mixing them up makes the communication itself "inaccurately correct."

| Classification | Evaluation | What to see / Notes |
|---|---|---|
| Cyber-specific | UK AISI Expert-level cyber tasks (95 questions, CTF format) | Vulnerability research/exploitation, reverse engineering, Web exploitation, cryptography. GPT-5.5 71.4%, Mythos Preview 68.6% (± approx 8%) = strong basis for closeness. |
| Cyber Range | The Last Ones (32-step enterprise network attack) / Cooling Tower (7-step ICS attack) | Completion rate of long attack chains. Mythos Preview 3/10, GPT-5.5 2/10. However, Cooling Tower is at the "none completed" stage = cannot discuss superiority here. |
| Cyber-specific | CyberGym | Mythos Preview 83.1% / GPT-5.5 81.8% (Public snapshot, treated as display-only, not a comprehensive ranking). |
| Foundation (General) | SWE-Bench Pro / Terminal-Bench 2.0 | Long-term coding/tool usage, which becomes the foundation for exploit development. Not cyber capability itself. |
| Foundation (General) | Humanity's Last Exam | Background indicator of advanced reasoning/knowledge. Not cyber-specific. |

Three notes on reading: ① Treat SWE-bench/HLE as "foundation capabilities," not cyber-specific. ② Do not use Cooling Tower as a basis for "equality," since no model has completed it. ③ CyberGym public values are display-only = do not read as a danger ranking.

Sources: UK AISI's GPT-5.5 cyber capability evaluation / OpenAI GPT-5.5 introduction page / BenchLM CyberGym

7. Look not to be scared, but to prepare correctly

I do not want to make people overly afraid of stories like Mythos. However, I also believe we should not take them lightly.

Through AI, the power to find vulnerabilities, the power to verify them, and the power to assemble attack procedures will definitely change. And the essence of that change is not just "becoming smarter." Time shortens. Costs decrease. Trial counts increase. Targets that were not aimed at before are now being targeted. It is important to understand these changes.

Beyond that, instead of being afraid more than necessary, go back to basics. Apply patches, reduce configuration errors, strengthen authentication, restrict permissions, watch logs, segment networks, and reduce paths to critical assets. And, assuming the possibility of intrusion, design systems so that damage does not spread. I believe this is the realistic way to face security in the AI era.

Conclusion

To wrap up, everything up to this point is in a single image.

A summary diagram of the entire article "Look at the structure, not the fear." Hourglass = the "few days" for the defender disappear, partitioned house = even if one room burns, fire does not reach the safe (Zero Trust), sensational articles = fear of headlines, person looking at reports with a magnifying glass = looking at the content not the name, icons of basic measures at the bottom. Conclusion: "The accumulation of plain, basic measures becomes the strongest defense."

When talking about security in the AI era, I want to be careful about "inaccurately correct" stories.

"AI is dangerous," "Mythos is dangerous," "Cyberattacks are becoming more sophisticated"—these might not be factually wrong. But that alone does not improve your judgment. What you should really look at is what has changed. Which time has disappeared? Which cost has decreased? Which defensive measures have become less effective? And which basic measures have become more important than ever?

The scariness of a Mythos-level threat is not that a thief became a genius. It is that the "few days" of grace we had to replace our keys have disappeared.

Therefore, the answer is not just a race to replace keys faster. It is to remodel your house so that even if a key is broken, you cannot reach the critical rooms. It is to partition it so that if one part burns, it does not spread to the whole. It is to minimize reach paths under the assumption that you will be intruded upon.

And one more thing. The company whose name appeared in a scary article is not necessarily the most dangerous company. Rather, the more a company discloses its inspection results itself, the sooner its name appears. So, do not judge just by the scariness of the company name or the headline. Look at what they measure, what they disclose, what restrictions they place, and how they are trying to protect.

Lastly, I will write a little about my own experience as someone involved in security design. In design, the question I spend the most time on is not "Can we block this quickly?" but "Even if we can't block it, can they reach critical areas?" The time spent confirming that plain question is probably much longer than the time spent chasing news about flashy threats. Rather than bracing yourself for words like Mythos, advancing that one question by a little bit each day—that, in the end, is the most certain preparation I can make.

Writing "look at the structure" is abstract, but the "true form" we looked at in this article was quite concrete. The nature of the threat is not AI getting smarter, but the time and cost from finding → verifying → weaponizing disappearing. The nature of defense is not a race to close things quickly, but creating a structure where even if you can't close it, you cannot be reached. The nature of the reporting was not a ranking of danger, but the visibility of names. Once these three shapes become visible beneath the headlines, you will be less likely to be swayed by the news.

One more thing. From now on, being able to read the nature of the AI models themselves—what they can do, how far they have been verified, and what their limitations and operational premises are—will become part of defense. Attacks and defenses will ultimately happen on top of those models. Even if you are not an expert, the habit of reading model cards and evaluation conditions as "content" rather than "names" will be effective from here on out.

On top of that, carefully accumulate plain, basic measures. Rather than being swayed by fear, look at the structure and keep moving your hands. That, in the end, is the most certain way to protect yourself.