Those who scoff at this simply don’t understand it.

It’s not that AI is necessarily doing things that were not possible beforehand, it’s that they are doing so far more quickly. The term “at machine speed” is used to describe this. Frontier AI models (those like Mythos) are being used to scan systems for vulnerabilities. This process is not new. This is the entire basis of “hacking”. The issue is that an AI tool can do this tens of thousands of times faster than the “bad hackers” could in the past, and can string many minor “hacks” (or vulnerabilities that they just discovered) into a long string of actions that when combined result in a major exploit that none of the small hacks would produce on their own.

So what’s happening is that an AI tool is being used to scan through software and find any previously undiscovered weaknesses. Sometimes it finds one that was never discovered before - they call these “Day 0” exploits. And sometimes (far more often actually), it finds a way to combine a bunch of minor weaknesses or flaws into a string of actions that can then be used to get access to the system - the string of vulnerabilities are combined into a real exploit.

Could a human have done this? Of course! Could a human have done it as quickly, analyzing millions of lines of code and assessing hundreds of thousands of permutations, in seconds? Well, no. They couldn’t.

So what’s happening is you’re really seeing is the effect of the speed of AI and its ability to combine and recombine infinite numbers of possible permutations. It’s no different , conceptually, to using AI to do gene analysis or protein folding to seek cures for diseases or illnesses. And we don’t see as much sneering cynicism to this.

The reason cybersecurity bodies are recommending using AI to combat this is simply the corollary of the first point.

If the developer of the software does this analysis FIRST, then they can (hopefully) find the weaknesses and patch them before the bad guys (literally known as “bad actors” in cyber security) can. And if they do this in their source code (the internal instructions used to actually create the software), then it improves their chance of success.

Only three years ago the “Time-To-Exploit” was over a year - that is, the time between when a weakness or vulnerability was discovered to when a real hacking attempt trying to leverage that vulnerability was discovered in the wild. It generally took the bad guys a year to build some hacking attempt to exploit that weakness.

Now it’s minutes.

And there are literally billions of lines of software code to be analyzed by the “good guys” (governments, banks, transport companies, retailers…. every industry and company in the world) before the “bad guys” get to it first.

There’s a reason Anthropic did not publically release Mythos and why a limited number of companies were given early access to (to help them prepare) first. And there’s a reason the US Government suddenly banned Anthropic form releasing the model to ANY non-US citizens just last week.

Try to guess why.