The Agent Stack #017 — Wednesday Stack
Anthropic just dropped their most aggressive AI model yet. Mythos isn’t for chatting about your weekend plans.
It’s designed to break things. And it’s terrifyingly good at it.
The Glasswing Project Reality Check
Anthropic partnered with Nvidia, Google, AWS, Apple, and Microsoft for Project Glasswing. The pitch? Use Mythos to find security vulnerabilities before the bad actors do.
Early results are sobering. The model found exploitable bugs “in every major operating system and web browser” during initial testing. That’s Windows, macOS, Linux, Chrome, Safari, Firefox - the lot.
This isn’t theoretical red-teaming. We’re talking production systems that billions of people use daily. The participating companies are now scrambling to patch vulnerabilities that Mythos flagged in their own products.
The technical approach is clever. Mythos combines traditional static analysis with LLM reasoning about code patterns. It can spot logic flaws that automated scanners miss - the subtle bugs that require understanding context and intent.
But here’s the rub: if Anthropic can build this, so can others. The same techniques that make Mythos brilliant at defence work equally well for offence. It’s the classic dual-use problem on steroids.
Production Realities
I’ve been testing similar approaches with smaller models. Even basic vulnerability scanning with Claude Sonnet finds issues that traditional tools miss. The false positive rate is manageable - maybe 15-20% compared to 60%+ for legacy scanners.
The real advantage isn’t speed or scale. It’s contextual understanding. These models can read documentation, understand business logic, and spot architectural flaws. They’re not just pattern matching - they’re reasoning about attack vectors.
Current limitations are compute and access. Running comprehensive scans on large codebases needs serious hardware. Anthropic isn’t sharing Mythos publicly yet - it’s enterprise-only through the Glasswing programme.
Cost is £2-4 per thousand lines of analysed code based on my estimates. That’s expensive for hobby projects but reasonable for production systems where bugs cost millions.
The Bigger Picture
This changes the security landscape fundamentally. Traditional pen-testing takes weeks and costs tens of thousands. AI-powered analysis runs overnight for hundreds of pounds.
But it also democratises offensive capabilities. The barrier to entry for sophisticated attacks just collapsed. Every script kiddie with API access can now think like a security researcher.
Anthropic is trying to get ahead by partnering with the big tech companies first. Give them the defensive tools before releasing anything public. Smart strategy, but it won’t hold forever.
Quick Hits
• Arcee AI raised serious funding for their open-source LLM that’s gaining traction with OpenClaw users - the 26-person startup is punching above their weight against the giants
• Google’s offline dictation app uses Gemma models to compete with Wispr Flow - finally, decent speech-to-text that doesn’t phone home every keystroke
• Suno vs music labels is getting messy over AI-generated song sharing rights - Universal and Sony want control over what users can do with AI music they create
One Thing to Try
Set up basic vulnerability scanning with Claude or GPT-4 on your codebase. Even without Mythos-level capabilities, these models spot issues that traditional tools miss. Start with authentication logic and input validation - that’s where I’m finding the most actionable results.
The defensive AI race is accelerating faster than anyone expected.