Infosec for decades has been 99% "hey I found some low-hanging fruit" only to get treated like a liability by the company you report it to, if you got acknowledgment at all. Because of Mythos though, now Artificial Superhumans can find these same vulns, and anyone could be running such an intelligence! Even better, the rich untouchable people operating this particular Artificial Superhuman can't just be suppressed or ignored by the other set of rich untouchable people that have routinely not cared in the past. So long as it makes Anthropic money, maybe we'll actually see actual improvements in security!
A. Individual developers get sorta cheesed when an automated tool implies they wrote code with a TOCTOU or off-by-one error. They look for reasons to diminish anything a tool might say.
B. Most of these tools do a very bad job of identifying architectural flaws. I spent a year trying to explain the Confused Deputy problem to my coworkers and why I wanted to use capability based security. They ripped it all out when I moved on to another team. Their product continues to have security problems because they forced the association of credentials between domains and didn't do a great job of it.
This is largely on me. I should have spent more time socializing the solution.
C. Management never wants to pay for tools they view as "vitamins" (as opposed to "pain killers"). This is mostly changing as ransomware attacks are on the rise.
But... Long story short... Yes... This will hopefully cause people to use scanning tools. But in a year they'll slack off and complain it's too expensive.
This presumes there is such a thing as "every" vulnerability. It is possible that ever more sophisticated, complicated, and abstract attacks become possible/discoverable as one applies more intelligence to the problem.
IF it is indeed possible to make a piece of software completely secure, then yes, more intelligent systems make the situation better, because it will always be possible to audit a system before it is ever released and make it completely safe.
That is a very big if and, as far as I am aware, it remains to be seen whether it's the case.
-edit- They mention this possibility themselves further down, so the authors know this is a completely speculative point/article. They don't even try to make an argument about why one possibility might be more likely than the other. This article is useless.
I think it's a total overreaction. But the edict was passed down, and here we go.
Granted, given that most cybersecurity news over the past decade has been grim, both could be true...
Mythos lays bare the folly of allowing procurement to drive technical decisions instead of IT back in the 1980s. We had KeyKOS and then EROS, but settled for ambient authority based junk because it seemed cheaper.
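The Confused Deputy and the ambient-authority design the two comments above complain about, shown as an added example (not code from any commenter or from KeyKOS/EROS). It simulates a "compiler" service that writes an output file on a client's behalf: with ambient authority the deputy acts on any path the client names, so an untrusted client can make it clobber a file only the deputy may write; with capability passing the client can only hand over a write handle it already holds. The in-memory store, the `WriteCap` handle and the `grant` minting step are assumptions for the toy; in a real capability system the handle is unforgeable, which the toy does not enforce.

```python
"""Confused deputy: ambient authority versus capability passing (toy model)."""
from dataclasses import dataclass


class Store:
    """Constructed in-memory file store standing in for a filesystem."""

    def __init__(self) -> None:
        self.files: dict[str, str] = {}


@dataclass(frozen=True)
class WriteCap:
    """Write handle for exactly one path. Assumed unforgeable in a real system."""

    store: Store
    path: str

    def write(self, data: str) -> None:
        self.store.files[self.path] = data


def grant(store: Store, path: str) -> WriteCap:
    """Minting step performed by the system when it gives a client a handle."""
    return WriteCap(store, path)


class AmbientDeputy:
    """Runs with broad authority over the whole store and trusts caller-supplied names."""

    def __init__(self, store: Store) -> None:
        self.store = store

    def compile(self, source: str, output_path: str) -> None:
        # The deputy's own authority is used to write wherever the client says.
        self.store.files[output_path] = f"compiled({source})"


class CapabilityDeputy:
    """Holds no authority of its own; it can only write through a handle it is given."""

    def compile(self, source: str, output: WriteCap) -> None:
        output.write(f"compiled({source})")


def run_ambient_scenario() -> str:
    """Untrusted client names the deputy-only ledger as the output path."""
    store = Store()
    store.files["/var/billing/ledger"] = "trusted ledger"  # constructed sample
    deputy = AmbientDeputy(store)
    deputy.compile("x", "/var/billing/ledger")  # deputy is confused into overwriting it
    return store.files["/var/billing/ledger"]


def run_capability_scenario() -> dict[str, str]:
    """Client can only pass the handle it was granted; the ledger is never nameable."""
    store = Store()
    store.files["/var/billing/ledger"] = "trusted ledger"  # constructed sample
    deputy = CapabilityDeputy()
    client_cap = grant(store, "/home/client/out")  # the only handle the client holds
    deputy.compile("x", client_cap)
    return dict(store.files)


if __name__ == "__main__":
    print("ambient deputy, ledger now:", run_ambient_scenario())
    print("capability deputy, store:", run_capability_scenario())
```

The point of the second design is that the deputy never has to ask "is the caller allowed to write here?"; the question is answered by whether the caller could produce the handle at all, which is why the comments above prefer it to bolting credential associations between domains onto an ambient-authority service.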
I'll believe it when I see it, but it's almost certainly just marketing drivel.