Artificial Intelligence & Machine Learning, Governance & Risk Management, Next-Generation Technologies & Secure Development
Ex-Microsoft CIO: Mythos Could Surface Known Flaws Faster Than Vendors Can Fix Them

Many of the vulnerabilities found by new artificial intelligence models like Claude Mythos Preview aren’t actually new to software vendors, said former Microsoft CIO Jim DuBois.
Large organizations often maintain internal databases of known but unfixed issues, he said, prioritizing remediation based on perceived risk and likelihood of discovery. Mythos disrupts this calculus by effectively surfacing and operationalizing dormant vulnerabilities, turning a manageable backlog into a mad scramble to patch systems, said DuBois, who served as Microsoft’s CIO from 2013 to 2017.
“A lot of the security products that are out there today are either trying to help us against known issues or somehow detect whether somebody is using an unknown to do something against us,” DuBois told ISMG. “This just found 1,000 unknowns. Most of the attacks today aren’t leveraging unknowns, but now, there’s going to be a whole bunch out there.”
Why There’s Asymmetry Between Fast Discovery, Slow Remediation
The asymmetry between rapid discovery and slower remediation creates a structural challenge for the entire industry, DuBois said: Mythos is poised to identify and exploit vulnerabilities at unprecedented speed, while fixing those issues remains a complex process involving coding, testing and deployment. Even with AI-assisted tools, the responsibility for fixing code remains with the software owner, he said (see: CrowdStrike Tests Claude Mythos for Vulnerability Detection).
“To some extent, the challenge on software vulnerabilities has been, ‘Can we get patches deployed on a timely basis?’” DuBois said. “And it’s an operational task.”
While AI can accelerate remediation, fully automated patching in production environments remains risky, said Frank Dickson, group vice president for security and trust at IDC. The potential for unintended consequences means that validation and testing can’t be eliminated. Instead, he sees a model where humans remain involved in oversight, validating AI-driven decisions rather than executing manually.
“We have a tool now that’s super effective at finding vulnerabilities at scale in a world that’s full of flawed software,” Dickson told ISMG.
DuBois praised Anthropic’s approach of initially making Claude Mythos Preview available only to a small number of partners, but said the company must eventually decide whether to release Mythos-class capabilities widely or whether monetizing the controlled access provided to ISVs and OS makers is sufficient. If financial incentives are insufficient to contain Mythos, broader release could significantly increase systemic risk.
“I’ll applaud Anthropic for not just announcing Mythos, but working in a responsible way with all the different companies where they found issues,” DuBois said.
DuBois said that Mythos, while powerful, addresses only a subset of the threat landscape, with many cyberattacks exploiting identity, misconfigurations or social engineering rather than software flaws. While Mythos dramatically intensifies one attack vector, it doesn’t eliminate others, which DuBois said means organizations must still maintain a holistic security strategy.
Why Vulnerability Discovery Tools Risk Becoming Obsolete
Tools and companies that focus solely on vulnerability discovery risk becoming obsolete, DuBois said, as Mythos effectively automates and scales that function beyond current capabilities. At the same time, DuBois sees increased importance for patch management and deployment technologies, which he said will become critical in handling the surge of required fixes.
“I would make sure that my patch management stuff was world-class, because there’s going to be a bunch more patches for a bunch more vulnerabilities that we didn’t know about coming out quickly,” DuBois said.
Dickson said vulnerability management, exposure management and other security disciplines involve a range of capabilities beyond discovery, including asset identification, risk assessment and patch orchestration. Mythos enhances one part of this process but doesn’t replace the need for the broader ecosystem, Dickson said.
“The use case is fabulous,” Dickson said. “It needs to be part of the integrated platform that allows us to actually patch code at scale.”
From an adversarial perspective, DuBois distinguishes between nation-state attackers such as China, which primarily focus on espionage, and other actors such as ransomware groups or hostile states that may prioritize the disruptive capabilities Mythos-class models provide. IDC’s Dickson said Mythos inherently makes attackers more dangerous since they only need to find one exploitable path.
“China has found a bunch of these vulnerabilities already,” DuBois said. “A lot of their intelligence-gathering efforts, they use these unknown security vulnerabilities to get in.”









