The Current - How powerful is Anthropic's Mythos?
Episode Date: April 15, 2026Anthropic has not released its latest AI model "Mythos" to the public, but only to a consortium of 40 companies because it says it's too powerful when it comes to cybersecurity. It has found bugs in s...ome of the most protected systems in the world, and if Mythos falls in the wrong hands, it can leave hundreds of organizations vulnerable. Lily Hay Newman, senior writer at WIRED unpacks it all for us.
Transcript
Discussion (0)
So when you were growing up, how would you have felt about having a famous parent?
I mean, maybe your gut reaction is, oh, great.
You know, get access, you get money.
If you ask Dan Levy, who you might know from Schitt's Creek,
he'll tell you that it wasn't what it was cracked up to be.
In fact, it was a point of pain between him and his dad,
the comedy legend, Eugene Levy.
So Dan will tell you why he felt that way and how they worked through it.
Hear that conversation now to search for Q with Tom Power,
wherever you get your podcasts.
This is a CBC podcast.
Hello, I'm Matt Galloway, and this is the current podcast.
For the past several years, the push for artificial intelligence has often been defined by a race between companies, countries, to create the most powerful tools.
Now one company says its latest tool might be too powerful.
The tech company Anthropic has chosen not to release its newest AI model, mythos, to the public.
Instead, it shared it with a group of about 40 companies, including Microsoft, Google,
and Cisco in financial institutions like Goldman Sachs.
Anthropic says the model is too powerful and could expose these organizations and others to
cybersecurity threats.
Here's the chief security and trust officer at Cisco, Anthony Greco, in a video posted by Anthropic.
These models have capabilities which are raising the bar from a cybersecurity point of view
with their ability to help defenders as well as potentially help adversaries.
Lily Hay Newman is a senior writer at Wired who focuses on information security, digital privacy, and hacking.
She is in New York. Good morning.
Good to be with you.
There was a reporter here in Canada who said that this sounds like a villain from a Mission Impossible movie.
What is mythos and how powerful is it?
Yeah, so this is Anthropics new model and it is an incremental improvement in, you know, the AI capability.
broadly that have been growing and growing. But particularly the focus here is on new powers and
potentially sort of crossing a threshold, Anthropic is saying, on the ability, on cybersecurity
related capabilities. So, for example, the ability to find vulnerabilities in software,
develop proofs of concept that those vulnerabilities can be exploited. And,
even automatically or autonomously develop exploits that someone could use for hacking.
They're claiming that it can find vulnerabilities in every major operating system and every
major web browser. How is that possible? Well, these capabilities, just for some context,
have been emerging in AI models for a while. So, you know, this isn't completely out of the blue.
There's a vulnerability research or finding flaws in software. It's like an established field of research. It's something humans can do. And so, you know, AI is sort of systematizing that and architecting it into its capabilities. And that has been increasing and increasing. And yeah, Anthropic is saying, you know, now this is a moment. This is a turning point where mythos is crossing along.
Here's how Anthropic itself describes what makes this product so powerful.
This is Nicholas Carlini, who is a research scientist who's working on the project.
It has the ability to chain together vulnerabilities.
So what this means is you find two vulnerabilities, either of which doesn't really get you very much independently.
But this model is able to create exploits out of three, four, sometimes five vulnerabilities
that in sequence give you some kind of very sophisticated end outcome.
Can you translate that into language that we would understand?
What does that mean for cybersecurity?
Well, yes, the main thing to understand is that, right,
a hacker could exploit a vulnerability to, like, gain deeper access into a system.
And kind of all you need to know is that these chains of vulnerabilities were what I've sort of been calling
Rube Goldberg machine style hacking.
Like one thing leads to another leads to another.
These chains of vulnerabilities and exploits are,
are already used in offensive hacking around the world.
So again, this is already something where humans have been finding these chains
and they become extremely valuable to actors who might want to exploit them.
But they're very rare and sort of seen as very powerful because humans, it's hard to find them.
And humans can't just find a million.
of them, the way that, you know, human researchers can find lots of books and software all the
time, but finding these chains that interact and work together is much more rare. So this is the crucial
thing that researchers and, you know, experts were relaying to me and my reporting was that this
capability is the big difference and is what, you know, maybe starting this transition into
and more advanced capabilities with mythos is the ability to start to reliably find these exploit chains.
And so Anthropic wouldn't release it publicly. It has released a version of this, a preview with, as I said, this consortium of organizations, Microsoft, Google, Cisco, banks like J.P. Morgan and Goldman Sachs.
Here in Canada, the Canadian Financial Sector Resiliency Group met last week. This includes banks and regulators to try to figure out how to tackle this.
What are they most worried about?
Who is most vulnerable from something like this?
So I think the consortium kind of has two goals.
There is the near term or the immediate use of mythos,
kind of turning it on their own systems
and getting the opportunity to see,
well, what vulnerabilities can it find in our software,
our systems that we can then fix?
you know, before these types of capabilities get into the hands of others.
And then I think they're looking more long term because one of Anthropics' big stated goals
with all of this is to bring up that though, you know, they're saying their model is so powerful
and amazing and this is their new thing, these capabilities will ultimately sort of inevitably
proliferate and be in everybody's models, be in open models.
And so the consortium is also convening to try to think that through sort of, you know, intellectually
and conceptually ahead of this, you know, supposed C change.
Are we surprised by this?
AI was leading to this point in some ways.
You have open AI that is also only partially releasing its latest product because it says
it's too powerful as well for everybody. Are we surprised by this?
I would say no. Both Anthropic and OpenAI specifically said that they are not surprised and that they have been sort of, you know, foreseeing this and working towards this moment and, you know, on the defensive side as well and sort of laying groundwork to try to protect everyone.
But more broadly, I would say cybersecurity experts and researchers also, you know, could see that the models were moving in this direction.
I think Anthropic is just really raising the question of, is there a reckoning coming in how we do cybersecurity?
You know, can we just continue to move in a stepwise fashion or does there need to be more radical change?
What is that radical change?
Part of the conversation here has this idea of a private company like Anthropic being able to release software like this to the public without any government regulation at all.
They say it's so powerful and yet we live in the world where it could disrupt that world.
What can governments do to protect themselves?
I think, you know, there are some, I would say there are kind of two camps on this.
Like some folks I've talked to are skeptical about Anthropics' narratives.
and sort of say that, you know, there's, it's maybe somewhat self-serving.
It's good PR.
Right.
I mean, it's definitely good PR, right?
This model is sounding very powerful and mysterious and exclusive.
So, but, you know, so, and they say that because this has these capabilities in, like, a less mature form have been in the models for a long time, that this is kind of overblown.
But, you know, others say that they do.
do think it's an important concern to be focused on. And I think one thing that everyone
agrees on that kind of gets to your question is that this is an opportunity to kind of motivate
both software developers and organizations that use software to accelerate the urgency
of finding and patching vulnerabilities. And then for organizations,
to invest in adopting patches and sort of overhaul the way they have their IT set up so that they can
patch more quickly.
Because even in the, you know, sort of existing status quo, one of the big issues is that
organizations are sort of hesitant a lot of times to install software updates because they're worried
it'll break things in their environment and, you know, cause problems and just disrupt things
day to day. Lily Hay Newman, good to speak with you about this. Thank you very much.
Thanks for having me. Lily Hay Newman is a senior writer at Wired, who focuses on information
security, digital privacy, and hacking. She was in New York City. This has been the current
podcast. You can hear our show Monday to Friday on CBC Radio 1 at 8.30 a.m. at all time zones.
You can also listen online at cbc.ca.ca slash the current or on the CBCListen app or wherever you get
your podcasts. My name is Matt Galloway. Thanks for listening.
For more CBC podcasts, go to cbc.ca.ca slash podcasts.