Mark Warner, the vice-chair of the Senate Intelligence Committee was quoted on June 11th saying this about Mythos:
“When the head of the NSA and Cyber Command came and said, this tool broke into almost all of our classified systems. Not in weeks but in hours”
Is Mythos really that capable?!
First of all no. This is here say and speculative at best.
There’s also the fact that there’s always an agenda with these types of things. You have to consider WHY someone in a political position (independent of party) is saying what they are saying.
I’m not going to get into that here, but just keep in mind that there are tremendous forces of money, power and greed at play here.
This Mythos "hacked the NSA" hype is peak AI theater. It's like someone announcing they've invented a revolutionary new nail gun, then when pointing it at a piece of plywood that's been sitting in the rain for decades and full of rot, are completely shocked when it drives a nail straight through. "Look at this incredible technology!"
We would be surprise if it didn't. But I don’t believe that’s what happened.
Let’s assume though, there is some sliver of truth to this statement.
What does it mean to those of you reading this, and to me.
Little to nothing. Here’s why…
If you’re reading this, than I know you’re part of the proactive crowd. You’re the type of person who’s staying up-to-date on current events as much as threat actor TTPs.
You follow folks on social, subscribe to newsletters and advisories and you generally know way more in advance when “stuff” happens than a majority of people.
That means you also know that “Mythos” or “Opus 4.8” or <insert AI model here> is not hacking anyone or anything.
Of course I mean by itself.
These AI systems and models, currently, must be driven and guided by human operators, in order to carry out sophisticated cybersecurity tasks.
Of course we know that many environments are literally Swiss cheese, but even still, the presence of an attack path in Active Directory doesn’t mean an organization will be compromised or that a compromise of such nature would bring that organization down, or that that attack path would even be abused in the first place.
And while the government is slow and doesn’t innovate quickly, they sure as heck have solid cyber operators.
The kind of operators that “hack” our adversaries. This isn’t a small feat.
So naturally it’s not too much to think that with the awesome capabilities of AI, they would be able to be even more effective.
That’s what’s happening here.
Well-resources, capable human operators have used a tool to be more effective.
We are not at the point yet where you can tell Claude to hack a target and it can complete any kind of sophisticated attack in series with zero involvement from a human. We’re just not there yet.
But, take a capable and smart pentester, red teamer, security researcher, malware developer, reverse engineer, threat hunter, etc. and give them money and powerful tools and they will be able to do amazing things with it.
This AI thing that’s happening right now is a an arms race but not in the way you might think. It’s an arms race for humans to equip themselves with knowledge and understanding and skills on how to use these tools more effectively.
There will be better models year after year for what I think will be many years to come.
Get used to the marketing hype and the news cycles around this.
Keep a level head and focus on doing the foundational things well, and you’ll be just fine.
Hack the planet! 🤘
All the best
Spencer Alessi
PS - If you get value from my newsletter, the best way to “give back” is to refer your friends, colleagues, teammates, etc. to subscribe. Super duper appreciate you!!🙏🙏