TLDR;
This video discusses how Anthropic's AI model, Claude Mythos, discovered significant security flaws in major operating systems and web browsers. It explores the implications of this AI's ability to find and exploit vulnerabilities, the potential impact on the cyber security industry, and investment strategies in light of these developments. The key takeaways include:
- Mythos can find vulnerabilities faster than humans, posing a threat to the traditional cyber security model.
- The cyber security industry is shifting towards prediction and prevention rather than just detection and response.
- Companies in Anthropic's Project Glasswing (like Crowdstrike and Palo Alto Networks) are well-positioned to benefit from this shift.
Introduction: AI Finds Security Flaws [0:00]
An AI model has identified serious security vulnerabilities in major operating systems and web browsers, including a 27-year-old flaw in OpenBSD. This AI, named Claude Mythos, was developed by Anthropic and given to 12 powerful companies. The model's ability to find these flaws raises questions about the future of cyber security and how to invest in it.
FFmpeg Bug and AI Detection [0:48]
A bug in FFmpeg, a foundational software used in online video streaming, was discovered by Claude Mythos. This bug, present since 2010, could allow attackers to control machines processing video. Traditional automated testing tools missed this flaw, but Mythos, a general-purpose language model, identified it by reading the code, generating a custom test, and confirming the vulnerability on its first attempt.
Claude Mythos: A General-Purpose Tool [2:21]
Anthropic developed Claude Mythos as a coding assistant, but it became adept at identifying flaws in code. The model operates in an isolated environment, reading through millions of lines of code to find potential bugs, writing test programs, and generating vulnerability reports. Mythos can process an entire codebase in hours, understanding the code and reasoning about potential failures, far surpassing the speed of human analysts.
Cyberjimy Benchmark and OpenBSD Bug [3:52]
In the Cyberjimy benchmark, Claude Mythos scored 83%, a significant improvement over the previous Claude model's 66%. It also found a 27-year-old bug in OpenBSD, an operating system known for its security. This bug, consisting of two chained vulnerabilities, could crash a machine from anywhere on the internet without authentication. Mythos also found flaws in FreeBSD and Linux, turning them into functional attacks.
Delete Me Advertisement [5:53]
The video includes a promotional segment for Delete Me, a subscription service that removes personal information from online data brokers. The service helps protect personal and family data by removing it from these brokers, offering a quarterly privacy report detailing their actions.
AI Arms Race and Market Reaction [6:57]
The AI arms race in cyber security is accelerating. Mythos found thousands of vulnerabilities across major systems, building working attacks around them. A leak of this information caused cyber security stocks to decline, as the market questioned the need for a large cyber security industry if AI could find vulnerabilities so quickly. Alex Stamos estimates that within six months, smaller open-source models will match Mythos's capabilities, making AI-powered exploit discovery accessible to a wider range of actors.
The Uncomfortable Truth for Cyber Security [8:57]
The main issue in cyber security isn't finding exploits, but deploying patches quickly. Most breaches involve known, patchable vulnerabilities that organisations fail to address promptly. AI is removing the speed limit for attackers, collapsing the time between bug discovery and exploitation from months to hours. The defensive model of the cyber security industry is breaking down because attackers can automate vulnerability discovery while defenders face delays due to regulations and legacy systems.
Smaller Models and Offensive vs. Defensive Capabilities [10:43]
Smaller, cheaper, publicly available AI models are already reproducing Mythos's findings. The focus is shifting from the model itself to the systems built around it, such as targeting and validation. The AI model used for finding bugs is the same one used for exploiting them, with no architectural difference between offensive and defensive capabilities. Anthropic briefed government agencies on Mythos's implications for cyber operations.
Anthropic's Decision and Project Glasswing [12:19]
Anthropic, valued at $380 billion, possesses software exploits for major companies but chose not to sell Mythos to the government or open-source it. Instead, they formed Project Glasswing, granting early access to powerful publicly traded companies like Amazon, Apple, and Microsoft. This decision caused cyber security stocks to rebound, as Mythos shifted from being a threat to a protective shield.
Investing in the New Cyber Security Landscape [13:59]
The cyber security industry is undergoing a shift towards predicting and preventing threats. Companies in Project Glasswing are being armed with Mythos, positioning them to lead this new era. Crowdstrike, focusing on endpoint detection and response, and Palo Alto Networks, offering a consolidated security platform, are key beneficiaries. The hyperscalers (Microsoft, Google, Amazon) are using Mythos to manage risk across their infrastructure.
Crowdstrike and Palo Alto Networks [14:52]
Crowdstrike's Falcon platform proactively patches vulnerabilities across its customer base. Their latest quarter showed strong revenue growth and customer retention. Palo Alto Networks integrates Mythos into its Cortex platform for proactive threat detection. While Crowdstrike is growing faster, Palo Alto Networks is the cheaper stock.
The Hyperscalers and Market Growth [17:17]
Microsoft, Google, and Amazon form the platform layer of Project Glasswing, using Mythos internally and potentially adding it to their security offerings. The global cyber security market is expected to grow rapidly, driven by AI, from $380 billion in 2026 to $1.2 trillion in 2034.
Unpatched Vulnerabilities and Palantir's Role [18:51]
Less than 1% of the vulnerabilities discovered by Mythos have been patched. Anthropic will release a public report detailing the findings and the status of fixes. The effectiveness of the defensive edge depends on the percentage of bugs that have been fixed. Palantir may play a role in addressing this challenge, particularly for regulated industries.
Anthropic's IPO and Conclusion [19:44]
Anthropic's potential IPO in October 2026 raises a conflict between cyber safety and shareholder value. The company's 90-day security report will be crucial. The key question is whether Mythos's defensive capabilities can outpace AI-powered offense. The market has yet to fully price in these factors.
