Transcript
00:00There is a great reason to have you onto the program to talk about Mythos in the cybersecurity context,
00:05because what HackerOne does, it's the biggest offer of bug bounties, right?
00:09You pair companies of all sorts with someone that can identify a vulnerability
00:15and then in some cases suggest how to patch it.
00:17That's exactly how the banks are supposed to be using Mythos.
00:21And I wonder just initially your take on the model and what you know about it.
00:25Well, I think it's very exciting that we are starting to see capabilities where we can, at scale,
00:33identify vulnerabilities more quickly and use them in a defensive capability to eliminate that risk.
00:39And so this is a very great complement to what we have been doing for decades,
00:43which is human-driven vulnerability discovery.
00:46Where the bottleneck truly is, though, these days is no longer really with the vulnerability discovery,
00:53but it's much more in the back part of the find-to-fix cycle.
00:56It's how quickly can you validate that those vulnerabilities are truly exploitable
01:00and how quickly can you get them remediated?
01:03Kara, last week I spoke to Mike Krieger, who co-leads Anthropic's Labs,
01:07and I tried to get him to just be succinct about why Mythos is good in the cybersecurity context.
01:13Listen to what he had to say.
01:15You can't isolate a capability.
01:17I mean, you probably could with enough effort, but typically these things kind of emerge.
01:22The fact that it is very good at solving general-purpose coding problems and debugging
01:27and doing all the things that you'd want it to do in the ordinary course of practice
01:30also makes it really good for cybersecurity.
01:33It's really fascinating to actually watch it in practice in a moment like this one,
01:36where it's not the revenue-optimizing move in the short run,
01:39but I think it's absolutely the right one.
01:42If you can't isolate a model's single capability, in this case cyber,
01:47why is it so good in that domain?
01:50Well, I think about it as coding and building is one side of a coin,
01:55and breaking is the other side, and they kind of go hand in hand.
01:58And one of the truly big advancements that Mythos has
02:04is this ability to chain together exploits
02:07and basically turn what could be multiple vulnerabilities
02:11into a much more critical or severe issue.
02:13And that is fundamentally building and putting something together
02:16across a number of building blocks.
02:18Can you, Kara, just push back against perhaps some cynicism
02:22that's been building into the market about the power of Mythos?
02:27Some saying, look, it benefits Anthropic to make out that it's quite so powerful,
02:31and actually it's not doing all that much new than was already out there,
02:34or indeed it's just more a compute issue than actual sheer terror
02:37as to why they put it into the hands of a small amount of players.
02:41Articulate just how powerful this is.
02:43Well, I think the capabilities that are explained in the Mythos release
02:48are quite good, and they're definitely an advancement.
02:53The frontier is certainly moving.
02:54And yes, some of those capabilities can be achieved
02:57with other models out there, perhaps through a more complicated workflow.
03:02But what we're seeing here is a general advancement
03:05in the ability of AI to really play a powerful force
03:09in the cyber security space.
03:11And so I would put less emphasis specifically on this release of Mythos,
03:16but really acknowledge that the frontier is moving,
03:18and it's moving much more quickly than security teams are able to keep up.
03:21And that frontier is being moved by other players as well,
03:24and we know that OpenAI has been trying to work
03:26with the cyber community as well.
03:27We had Fortalice join the show last week,
03:30and their idea is, look, smaller companies should be able to have access
03:33to Mythos to be able to drive forward this vision to make sure we're safe.
03:39Is that something HackerOne wants?
03:40Would you like to be on this small amount of groups
03:42who are out there testing vulnerabilities?
03:45Well, certainly we would like to have access to this.
03:48Now, I recognize the risk equation that Anthropic has taken here
03:52in terms of a smaller release to a limited number of organizations.
03:56But look at HackerOne, for example.
03:58Last week alone, we automatically validated 4,000 vulnerabilities
04:02that came in through our various vulnerability discovery programs.
04:07And that kind of capability and Mythos that would help us supercharge
04:11our validation capabilities would be greatly appreciated.
04:15The access to Mythos is clearly being closely controlled.
04:19It seems strange to not bring up the war in Iran
04:22and the competence that Iran has as a cyber bad actor.
04:27You know, put two and two together.
04:29What is the likelihood that a malicious actor from Iran or elsewhere
04:34would have access to that level of technology and pose a threat, therefore?
04:39I'll put it this way, Ed.
04:41I think this year in 2026, civilians, businesses, and organizations
04:46are markedly less safe than we were just even last year
04:50from a cybersecurity perspective.
04:53We now have much more capable AI models.
04:56Those models are rapidly proliferating,
04:58even if Mythos itself is still within limited release.
05:02And we now have, you know, a number of sophisticated threat actors
05:06that can put those capabilities to use.
05:09And we're seeing an increasing number of breaches and supply chain issues
05:13across the open source ecosystem and across corporations.