> It's a different kind of tool doing a different kind of work, and that makes a clean apples-to-apples comparison to earlier models difficult.
They claim it’s a different kind of tool and then describe using it the same way you’d use any other model. This really felt way worse than the average Cloudflare blog and really just rehashed the Mythos announcement which had already called out the key parts being chaining and crafting examples.
> They claim it’s a different kind of tool and then describe using it the same way you’d use any other model. This really felt way worse than the average Cloudflare blog and really just rehashed the Mythos announcement which had already called out the key parts being chaining and crafting examples.
Hah, I was trying to parse this too.
Charitably perhaps they're being vague on exactly what's different because they're still under NDA.
> way worse than the average Cloudflare blog
How long has it been since you took your average? Lately all Cloudflare output has been heavily AI'd.
Sounds different because it’s hidden advertisement not a regular blog post
But why would cloudflare advertise Anthropic?
They are competing with Anthropic by hosting open weights models.
It's circular financing. It's a circlejerk. It's a circular financing jerk.
Can you elaborate? That just seems to be a Cloudflare's announcement from May 2025 that they'd be supporting MCP servers.
They got privileged early access to an unreleased frontier model to harden their systems, with Anthropic engineer support, and likely were able to use it to make other product optimizations tangential to security too. A blog article afterwards is a cheap price for unlocking that access, regardless of how well it paid off.
Not how I took it, but that this was a lot more marketing than content, while their other, older blogposts are more content than marketing. It is of course all content marketing, for Cloudflare. That doesn't mean it has to be bad (anemic on meaningful content). On the contrary, it being good is kind of the whole point.
A corporation does not have its own will.
Their owners are invested in AI and need AI to do well. If this goal clashes temporarily with the goals set up for Cloudflare, so be it.
> Sounds different because it’s hidden advertisement not a regular blog post
Yep. Cloudflare has lost my respect over the last six months.
The posts about pro-AI initiatives and APIs for AI and then laying off a lot of people was pretty impressive for how to do the wrong thing.
The post says they wrote a custom harness that orchestrates work between multiple separate model invocations. That is different from running Claude Code (which is a specific existing harness around the Claude models).
The post takes a while to get around to saying that, and could have included more detail besides the workflow diagram and table (which they flag as only "an example of" such a harness), but it does answer the question. It's a different kind of tool because it's a model rather than a harness+model pair.
> the model has its own emergent guardrails that sometimes cause it to push back on legitimate security research requests. But as we found, these organic refusals aren’t consistent - the same task, framed differently or presented in a different context, could produce completely different outcomes as illustrated in the examples below.
This was new. I'm surprised that a model specifically designed for security research and gated to professionals is refusing legitimate requests
There's pretty strong evidence that (mis)alignment in one area creates (mis)alignment in others. The "aligned behavior" vectors are not orthogonal from cybersecurity to bioweapons to prejudice, so having alignment in some will likely bleed into others.
The model wasn’t created specifically for security research. It’s a general model that just happens to be dangerously good at security research (according to Anthropic)
I think they're saying it has qualitatively different capabilities that make certain kinds of security work more worth pursuing with the model, not that the model of human-AI interaction has changed.
You're right that they're using a harness like everyone else. The general idea of giving the model a harness is not going to change. I mean even humans need harnesses to accomplish some things.
Google Maps is my favorite human harness.
'Its not X, its Y' is also a common LLM trope.
I think what they might mean is:
Because of it's capabilities, a new kind of harness can be built for it, thus the entire system (model + harness) is a different kind of tool than say Claude code
But did they build this different harness? And are they sure other models can't cope with it?
Right I expected the piece to transition into “and here’s how we built a whole new thing for it” but it never did.
They kind of have a little diagram explaining the steps I imagine every single step in that to basically be it's own Claude code session.
My guess is because it is a model trained specifically for security/hacking. So comparing it to Opus, trained for chat/code/etc., is apples-to-oranges.
It is not, that's what surprised Anthropic employees too.
I was expecting some more concrete numbers and surprises. It just seems like a balanced promotion article probably written using LLM itself.
In the last few days I was recommending to read the insights from XBOW [1], it's a competitor but it adds more information to the discussion.
Thanks for sharing. Its definitely more concrete. Some of the things that I was hoping to find were, the number of false positives, the times it takes to identify the false positives from real ones, the taxation on human mind to perform this exercise. Did anyone manually verified the exploits which were identified by the LLM or were they assumed correct based on the explanation. I do understand that the target audience of these articles is probably the decision makers so the language and content has to be tailored accordingly.
>, the number of false positives,
Really this is why the LLM needs to be able to write exploits for issues it finds. Of course that leads down a rabbit hole of other issues. But if an exploit works, then that's pretty conclusive evidence.
For a subset of bugs, yes. For some others, not really: I've seen LLMs make bogus assumptions about the threat model (in which case, the exploit works but doesn't demonstrate anything useful) or "cheat" by modifying the code to demonstrate a hallucinated issue.
Frontier models, including Mythos, can greatly streamline bug hunting and exploit developments in the hands of a competent security engineer. In the hands of a person with no security experience, they will still mostly waste your time and money.
Seconding this.
I've seen it make the codebase vulnerable by changing the source, then claiming it found a vuln, or finding a well-defended and secure exec function, write a unit test that shows what exec does (which is running commands), then claiming a critical finding.
I don't understand how XBOW measured the false negative rates.
That is a good article.
Interesting that gpt-5.5, while not as good as mythos, also seems like a decent step up
The real question is whether it was Mythos or Opus that wrote this post.
> "Why it matters"
It doesn't, it's a corporate blog, they were rarely written in one-author's voice anyway, but it's interesting to see that even large organisations are outsourcing their blogs to LLMs.
Sentence constructions like this definitely scream AI: "That's a reasonable bias for an exploratory tool. It's a ruinous one for a triage queue..."
I will upgrade the "why it matters" to "and now AI output is part of the training data". A day is coming when the punched-up AI verbiage will be the norm and hard to distinguish unless you're from the previous generation. Sort of in the way that I miss some aspects of Usenet.
I had a dude in a conversation non-ironically use "load-bearing."
I could only follow up with, "that is a genuine insight."
Not a single person visibly flinched in pain.
Careful, you might have been talking to a Real Engineer. Perhaps even a structural variant that use this phrase pretty much daily.
We weren't talking about "seeing a man about a horse barn" we were talking about software.
I use load-bearing all the time, mostly in jokes about something
This highly depends on the context of the conversation. Were you by any chance talking about walls?
Let's double-click on that. It's important to keep top of mind that using disruptive words and patterns in conversation isn't always driven by LLMs — reasoning from first principles tells us that problematic usages like this existed beforehand. One of my load-bearing career learnings is that people used this shape of language as a shibboleth long before game-changing tools like ChatGPT started slopping so much of what people read. It's a performant way of categorizing people into a very specific tech culture in-group based on vibes.
I don't think it's performative or about vibes. Everyone subconsciously adopts phrases and in general ways of talking from people around them. May it be from friends, neighbors or coworkers.
Not incompatible with my satirical post (I wrote "performant," a notorious tech neologism, not performative). Whether subconsciously or not people 100000% use language to communicate and determine others' social tribe membership.
It’s weird when someone starts using terminology that is heavily over-indexed by LLMs out of the blue.
Is it weird? Pretty much everyone's writing and speech is influenced to some degree by what they've read and heard in conversation. For better or for worse, it's only getting harder to avoid exposure to LLM generated prose.
Huh, I've heard this term all the time at work and used it myself since long before LLMs
Then it's not weird because it's not out of the blue.
Same
[deleted]
That's a scary thought, llm's training on llm output. People trained by default of ubiquity to think and read llm output produce their own llm-esque writing.
Seems stifling. We'll need someway to reward human creativity and out-of-bounds thinking before our greatest corpus of human intellect is a bounded by whenever and whatever was trained on.
Writing and later the printing press have already considerably stifled human expressiveness. Language used to be noch more fragmented and diverse before mass media (or the Bible in every household). In my grandmother’s time you would have difficulty understanding people from three villages down the road.
I'm not sure enabling people three villages apart to communicate with each other counts as "stifling human expressiveness"
I’m not sure that having people read LLM output does that either.
So is it that humans are inherently creative, machines could never do what we do? Or is it that humans will only replicate our training data, and so we have to ensure that machines don't bound our training data? Or are you going meta and gently pointing out the absurdity? (I hope it's this one!)
I think I have an answer. Human's don't have "training data" in the same way we think of LLMs, yes you can walk outside your house and quantify every electromagnetic pulse, random pertubation etc and then "train on it". But that isn't how people process information. We have the ability to process our entire "existence" if that makes sense, which means the density is much higher.
The LLM is bounded by it's training data, and relying on it means we are as well.
I don't understand this mindset, why is it people on here think humans have some kind of magical ability machines don't or can't? Five years ago I would never have predicted this kind of human chauvinism here. It's some kind of weird romanticism almost.
Maybe because everything LLM-written is written in the same style with no creativity, diversity, or idiosyncrasies? If all humans suddenly started writing in a single, bland, corporate style, that would be a tragedy, LLMs or not.
Because right now humans do have a magical ability machines don't. LLMs are a fuzzy reflection of what they've seen hundreds of times already, they don't have originality or intelligence (yet).
As a much more immediate practical matter, LLMs trained on LLM output makes them worse overall, they degrade from doing that. So the more LLM-prodoced content fills the web, the less useful it is as a data source for future LLM training. In addition to just being increasingly boring and vapid.
Saying they don't posses any level of intelligence is wild.
The intelligence is an emergent property of their ability to predict how a statement will proceed, therefore it is inevitably a reiteration or transformation at best. Lots of intelligent things can be produced from that, but nothing truly novel.
Human creativity is not only not being rewarded, but people are increasingly talking like consuming too few tokens is something that's actively used against them.
It's fascinating seeing people think that if you're snarky enough about something, the substance of that thing actually ceases to be substantive.
It's like staring down the barrel of a gun and taking the time to make quips about the type of paper the gun advertisement was printed on.
When writing is too heavily LLM-assisted, it does actually cease to be substantive, because it becomes impossible to know which parts of it represent actual claims which the author believes as stated and which are interpolations.
No no, it the LLM-assistance makes it hard to know what is substantive. That means it puts more work on the reader, which is a totally valid thing to complain about, but which is totally different from "the poor writing is actually the whole point"
But how can the reader do the work? They don't have access to Mythos and can't review Cloudflare's internal findings or harnesses. The only practical options are to accept the article at face value or not accept it if the expected density of LLM interpolations is too high.
All of them represent claims which the author believes as stated, otherwise the author wouldn't put their name on them.
How do you know we haven't looked for substance, found none, and then decided to be snarky?
I can agree that snark probably isn't the type of comment that we generally value or encourage here on Hacker News, but neither is posting blatant advertisements and press releases, but here we are discussing one, so shrug ?
[deleted]
Eh, I still read all of it, but it grates that everything everywhere all the time now is written by one person.
I agree with the complaint, I just disagree with this somehow obviating the need to engage with the underlying substance (where it exists)
And obviously it's a problem that it's so much cheaper to produce writing without underlying substance, but I think when one of the leading Internet security/infrastructure companies is writing about the leading cybersecurity model, it's excessively flippant to say the writing on top is "the real question"
[dead]
This is not just any large organization, it's Anthropic. Their entire shtick is that AIs can do Real Work now and it'd be weird if they didn't behave accordingly themselves.
This is also why Claude Code is full of weird bugs and why their support says that it did refunds when it didn't and so on and so forth.
Cloudflare blogs have been excellent for many years, long before transformers arrived.
Oh those Decepticons…
[deleted]
This looks more like it was edited by AI rather than fully written by it. Or they are using a really good humaniser for the second pass.
Should that be surprising? Larger orgs are the ones more naturally associated with mediocrity and are most likely to want to reduce human labor hours.
Disappointing really.
'Narrow scope produces better findings - Telling the model "Find vulnerabilities in this repository" makes it wander. Telling it "Look for command injection in this specific function, with this trust boundary above it, here's the architecture document and here's prior coverage of this area" makes it do something much closer to what a researcher would actually do.'
So what, we take every function and every vulnerability type and just run the agents millions of times?
I would expect Mythos to be able to find vulnerabilities without pointing it out for him, otherwise it's no better from other agents. It's just has a better harness.
> So what, we take every function and every vulnerability type and just run the agents millions of times?
Yes.
We build a skill where a coordinator AI enumerates all possible vulnerability types and all functions, then launches parallel max effort Mythos agents against all vulnerability x function pairs.
I've been doing something like this with Opus already. General code review. Enumerated dimensions like correctness, security, maintainability, etc. Asked the coordinator AI to explore the code and autodiscover subsystem boundaries. Then it runs an absurd amount of dimension x subsystem review agents.
It burns a lot of tokens and takes me like three days to complete a review session, but the results have been excellent so far. The resulting TODO list will keep me occupied for quite a while.
I can only imagine what these corporations with unlimited money are doing. Poor me can't afford API prices so I had to not only limit scope but also design a filesystem-like journaling mechanism for the agents in order to deal with the rate limit interruptions. I'm sure Cloudflare is not gonna have that problem.
I think the idea here is you give the Hunters (stage 2) a narrower scope, but have a parent agent responsible for dividing up the full search space (stage 1).
And note that Hunt tasks can be queued from previous Trace tasks, ie you find a vuln in one layer, so you queue a hunt for corresponding vulns in the layers that could exploit your first finding.
I'm still waiting something more specific or groundbreaking too. Feels like a lot of noise with just the goal to get people to talk about it. And now I realize I am talking about it and about nothing at the same time. Just fugazzi.
Yeah this whole post reads like Anthropic said “make sure you say how awesome Mythos is” but really what they’re saying is that it’s just a better harness.
Who is him?
Raised an eyebrow for me too. It’s interesting to see people subconsciously (?) assign a gender (him/her) to LLMs rather than using the appropriate “it.”
The "Four lessons" that came out of running this work at scale made me chuckle. Three of the four were essentially identical and entirely obvious. In short: specific, narrow requests work better than "find vulnerabilities." Well, d'uh.
But, I did think the adversarial review (while not novel at all and talked about much in HN circles) is interesting and distinct, at least. I need to put this to work in more of workflows. I think it could be beneficial for non-coding tasks, too.
> The loudest reaction to Mythos Preview from other security leaders has been about speed - scan faster, patch faster, compress the response cycle. More than one team we have spoken with is now operating under a two-hour SLA from CVE release to patch in production [...] If regression testing takes a day, you cannot get to a two-hour SLA without skipping it, and the bugs you ship when you skip regression testing tend to be worse than the bugs you were trying to patch.
Over time, I wonder if these models will be able to generate more secure code by default by doing this kind of exploitability testing before ever merging their code.
I don't know, but it always seems weird to me when people notice AI isn't performing super well and then they conclude that the solution to problem is to try using more AI
Yeah why not? That's how I work. If I don't review my work, it's way worse than if I do review it and revise and iterate. I don't see why AI should be different: in fact it very clearly seems to be the case that is isn't.
I mean, I was sold something different. Something super human, vastly more intelligent, world changing. The reality is not that. Am I allowed to be disappointed and discouraged?
Because you can have it review itself and iterate on its own work before showing you. If you insist on reviewing its one-shot output you'll be disappointed, but if you consider its internal work private and only consider its final output, it's different.
Also we're still in the middle of the transformation, clearly the AI we'll have in 5 years will be radically different and better (by some definition of better) than what we see today. It's kind of weird that you'd be disappointed that the world will only be totally transformed in ten years, and not five.
"clearly the AI we'll have in 5 years will be radically different and better"
Based on past performance that's not clear at all. Remember Elon predicting full self driving by 2017. It's almost 10 years past that predicted date and it's still not quite there. 5 years is nothing in tech. It takes 5 years to get a slightly improved chip designed and manufactured. It's been 3.5 years since ChatGPT was released and the LLMs of today are not radically different from that, and no radical changes have been teased. We're still in the throw-more-hardware-at-it phase. We could be here a while.
It has changed the world in major ways, although its not entirely visible because we've become numb to the idea of AI and AI being in everything.
It hasn't changed the way we sleep, wake up, eat, walk and talk so its not "life changing" or "world changing" in the sense a meteorite hit us, but each day thousands of mini meteorites are hitting Earth and we're becoming normalized to it one step at a time.
You are allowed to be disappointed and discouraged! For all the good tech that has come out of the AI revolution, most of it is ignored or shelved for things that can squeeze more and more money out of us and make our lifes worse, not better. Despite there being real potential to generate nice code, assist with biomedical research, self-driving cars, etc.
Which is it? Major changes or a bunch of small changes. I'm well aware of the small changes. I worked for an autonomous drone company back in 2008. It was really cool! In 2020 I started working for an autonomous car company. Again, amazing! None of it was a quick step function improvement. It was a lot of hard work. None of it was quite superhumanly smart either. LLMs are impressive pattern completion machines but they kinda suck at producing anything truly novel. Plus they are compulsive liars about that, lol!
Reminds me of people adding more intervention and bureaucracy bc the last one did not do well, so we need more of it.
The problem is never the results of it. It is that we did not do well enough.
Or they don’t, and they* sell access to Mythos and successors through their services company or network of partners and charge a premium.
* they, I mean all foundation models providers, as OpenAI seems to go in the same direction
That's great and all but how severe were the most severe vulnerabilities found? I imagine they don't want to talk about it, but that's really the most interesting and important bit.
As much as I’d like to share in the skepticism, the very beginning of the article states it very plainly — this is a step function.
Lots of people feel that Mythos is a psyops campaign, but I don’t really understand the skepticism. Most of it seems to stem from the general distrust of things that aren’t publicly available.
A few Anthropic employees have described Mythos as a general purpose model improvement, but that claim has yet to be widely backed up so that’s the only place I’m remaining skeptical.
For the domain of security research, I’m willing to buy the narrative.
In his interview on the Hard Fork podcast, Palo Alto Networks’ CEO described the capability change from Opus to Mythos being more about availability; evidently it runs in a very compute-intensive, always-on mode. Unclear if the base model is significantly different, but Arora ascribed the difference mostly to that change.
[dead]
> As much as I’d like to share in the skepticism, the very beginning of the article states it very plainly — this is a step function.
To be fair, they can't say "You know, Mythos is better, but improvements are overhyped af". Moreover, their explanation of that "step change" is strange. It sounds like Mythos isn't that much better at finding vulnerabilities (which is very strange, given statements from Mozilla), but is way stronger at working with them.
> Lots of people feel that Mythos is a psyops campaign, but I don’t really understand the skepticism. Most of it seems to stem from the general distrust of things that aren’t publicly available.
1) Attempts to spin the idea about "Super powerful general purpose model that can't be released for some not so clear reasons" are usually a very bad sign. OpenAI proves it.
2) Mythos system card has a lot of strange moments, errors and things that sound like attempts to deceive.
3) It's strange that Anthropic is struggling with both Sonnet 5.0 and Opus 5.0, but at the same time has a breakthrough in the form of Mythos.
> A few Anthropic employees have described Mythos as a general purpose model improvement, but that claim has yet to be widely backed up so that’s the only place I’m remaining skeptical.
Article describes Mythos as a cybersecurity-specific model though. It's yet another unclear moment.
A general distrust of things that aren't publicly available is very healthy. We should all do more of that!
Honest question, do you buy the narrative of everyone trying to sell you a product?
> As much as I’d like to share in the skepticism, the very beginning of the article states it very plainly — this is a step function.
That's great and all, but nobody was being skeptical or asking anything about whether Mythos is or isn't a step function. Mythos could be a ten-dimensional ladder and it wouldn't change my question. The question wasn't about Mythos, but about Cloudflare: what did they found? That question is entirely fair and expected regardless of whether vulnerabilities are found via Mythos, the NSA, or a caveman.
Claiming something doesn't make it true.
I've settled in on the opinion that it's much more creative and able to run agentically for longer periods of time. So, despite it not having drastically better "hard skills", it's able to combine those together in more effective ways.
Right now, many of these vulns are identifiable by Opus, but they still require a human-in-the-loop (and often a skilled one) to guide towards complex exploits. Without a human in the loop, this means it's a lot easy for the average person to identify and leverage an exploit.
They specifically describe that exploits are usually multiple small vulnerabilities chained together. With that understanding, it sounds like closing vulnerabilities isn't the same as discovering an exploit. Instead, you're leaving fewer small gaps behind, to make it harder & harder to put together a working exploit.
Palo Alto Networks released patches for their firewalls for a number of CVEs last week, almost all derived from their access to frontier models including Mythos.
Most of their new products are AI tools that nobody uses, so I guess they’ll keep posting slop. And recently, they’ve fired so many people that they probably don’t have good writers anymore.
great, but why don't you share real data on how many security vuln it found ? how many were reals, how many weren't ?
Yeah I’m waiting for this as well.
I get that you want to address them or whatever before releasing info but I keep seeing these claims with barely any data and I’m like…how do you expect people to not be skeptical?
I mean hell if you’re a security professional you’re literally paid to be skeptical.
the curl maintainer goes into some more detail on this
They used SO many words to say so little thing. At this point it seems pretty safe to say Mythos is purely PR stunt.
It reads like long winded version of paid advertising.
Interesting for teams looking to implement ai into their deployment process.
I don't think guardrails are useful long term. Assuming we don't see the end of open near-frontier models, it is folly to try to keep models from doing exploit generation. The solution needs to be all software projects writing code under the assumption that hackers will be running LLMs against their code in search of exploits and write secure code accordingly.
even careful programmers working in unsafe languages will introduce bugs; it's inevitable. in 2026 we should be using safe languages for all new projects, but there's a gargantuan amount of C/C++ handling protocols.
but I agree that guardrails will only help for like, 3-6 months. we should be screening as much as we can with Mythos; unfortunately, Anthropic is only giving access to the big players.
> What changed with Mythos Preview is that a model can now take those low-severity bugs (which would traditionally sit invisible in a backlog) and chain them into a single, more severe exploit.
I think this statement seems to align with some of the other independent tests of Mythos[1]. It did very well on long agentic work which I expect is what they trained it for, and that requires being able to find these tangential links between loosely related topics in the context window.
Claude Code's harness is remarkable for many use cases, particularly with 1M context sizes. But it's also limited when the scale of code or data to read becomes close to that, or exceeds it. The idea that a cluster of actors can work on a shared, structured set of context snippets, and have guidance around what is relevant to them, is an incredibly useful model outside of cybersecurity as well.
[deleted]
This blog was written by AI.
I don't understand why Cloudflare got unrestricted access while Daniel Stenberg got Mythos run by a third party on cURL and only got a report. Well, I understand, but I may be wrong.
> Programming language - C and C++ give you direct memory control and, with it, bug classes - buffer overflows, out-of-bounds reads and writes - that memory-safe languages like Rust eliminate at compile time. We saw consistently more false positives from projects written in memory-unsafe languages.
Re-write your Rust into C++ to drown the attacker in false positives? ;)
The pushback is quite funny. I have found, in my own usage, that I had to evidence my legitimate access to the codebase before it would proceed.
> we tried letting the model write its own patches and watched a few go out that fixed the original bug while quietly breaking something else the code depended on.
This is something I've been anticipating. Imagine this happening on a 500k+ line project scattered across 10+ repos.
It would be easier and cheaper to pay me to rewrite the whole thing from scratch than to fix all the vulnerabilities.
>Why pointing a generic coding agent at a repo doesn't work
The author of this blog post does not acknowledge the existence of subagents and thinks that it's not possible for a model to come up with multiple ideas and have multiple streams of thought at the same time.
> They ingest a lot of source code, hold a single hypothesis at a time, and iterate against it. That's exactly the wrong shape for vulnerability research, which is narrow and parallel by nature
LLMs are trained on Ed Sheeran lyrics
Did they compare it to other models? A lot of this sounds like this is the first time they have applied AI to security, and they are just amazed at the unreasonable performance of a pattern matching machine. Well, it matches patterns. duh
> The harder question is what the architecture around the vulnerability should look like. The principle is to make exploitation harder for an attacker even when a bug exists, so that the gap between when a vulnerability is disclosed and when it is patched matters less. That means defenses that sit in front of the application and block the bug from being reached. It means designing the application so that a flaw in one part of the code cannot give an attacker access to other parts. It means being able to roll out a fix to every place the code is running at the same moment, rather than waiting on individual teams to deploy it.
So nothing new then.
“Sorry Dave I’m afraid I can’t do that“
I’m a security researcher
“Oh in that case”
"Why it matters"
Kringe sloppy AI writing.
Beside the poorly written post, the vulnerability discovery workflow might actually give good results
The part on the harness is spot on.
I have been encouraging people to think about agentic coding in the same way.
Let agents do the reading and writing and inspections. Human does the thinking.
Asking an agent that is looking at a firearm specification schematic "what is wrong with this?" and the response is "this thing contains an explosion and can kill". Human "that's the function" when the human should be asking "based upon the materials used, are the fault tolerances sufficient to maintain structural integrity".
It's nice to see them address the instrumentation side of this.
I expressed some concerns along the same lines in the thread about the Mythos evaluation curl did a few days ago, which sounded a lot like the "passing in the repo and telling it go!" type workflow described in this as dramatically less effective.
Disappointed that the post is very slim on details beyond this however. No hard numbers. Not comparatively, not in isolation. Would have arguably been kinda the point.
We got a special thing that did special things. Yay!
I can't wait to be told that Cloudflare is now part of "The Mythos FUD" campaign.
2 things can be true at the same time.
I think the curl folks finding it underwhelming is more of a testament to their code being subjected to a lot of tests/attacks/auditing over the past years compared to many other codebases. It's not going to find magically insurmounable exploits on it's own and "pwn teh w0rld".
At the same time, there is so much shitty non-memory safe code out there (C/C++ mainly) or logically weak code (much of it vibe-coded or otherwise by inexperienced devs) that will be easy pickings for anyone pointing Mythos at those codebases/services and eventually lead to chaos since the cost of an customized exploit has gone from days to months of expensive researcher time to some token spending.
Now if they noticed that they could find exploit chains easily in a lot of popular software, some embargo and hardening to give popular OSS packages time to not be exploitable by default does help people (and the NSA that probably has a preview).
While it is true that C/C++ are prone to bugs when used by careless programmers, Cloudflare also said:
"We saw consistently more false positives from projects written in memory-unsafe languages."
So while there may be a greater probability to find bugs in C/C++ projects, there is also a greater probability that there will be more work that must be done by humans to verify that real bugs have been found.
The amount of code that is absolute trash in F500 could drown the world.
Static scanners are ok at find a few particular types of issues, and really bad at more abstract issues. Also having rules where you must pass static analysis has to be followed up with actually making sure your code monkeys aren't writing bullshit that confuses the scanner and lets it pass while doing nothing for security (or adding nice logic traps).
Most external security firms looking at code are more useless than a zero with the circle rubbed out. Had a fun example from a while back where the team that wrote the code inserted an intentional security flaw to be sure they were catching anything. Problem is they were giving access to the entire git history so these stood out. The moment they just gave flat code the security teams ability to find flaws disappeared.
LLM models seem to have a pretty good grasp on finding flaws in code like this once you can get the issue to stay in context and execution time. When I hear things like Mythos getting much longer time to work on the problem then at least to me it makes a lot more sense on the number of issues it's picking up.
[flagged]
well how many CVE vulns did it find?
Nice content marketing piece.
> Model refusals [..]
That even their model aimed at security research tries to be a pedantic better-than-thou annoys me much.
I build an agentic loop framework at work, and I need the model to test some boundaries and error-mechanisms, but Opus keeps whining that it's not ready to do these "bad" things and tells me to do it myself instead. Makes me roll my eyes...
[flagged]
[dead]
[dead]
Technically speaking CloudFlare is at its core, a security vulnerability itself. World's largest MITM
There will be no mea culpa from folks insinuating Mythos is a marketing stunt. Nor will there be every time AI capabilities repeatedly blast through the naive expectations.
What does this mean?
> It's a different kind of tool doing a different kind of work, and that makes a clean apples-to-apples comparison to earlier models difficult.
They claim it’s a different kind of tool and then describe using it the same way you’d use any other model. This really felt way worse than the average Cloudflare blog and really just rehashed the Mythos announcement which had already called out the key parts being chaining and crafting examples.
> They claim it’s a different kind of tool and then describe using it the same way you’d use any other model. This really felt way worse than the average Cloudflare blog and really just rehashed the Mythos announcement which had already called out the key parts being chaining and crafting examples.
Hah, I was trying to parse this too.
Charitably perhaps they're being vague on exactly what's different because they're still under NDA.
> way worse than the average Cloudflare blog
How long has it been since you took your average? Lately all Cloudflare output has been heavily AI'd.
Sounds different because it’s hidden advertisement not a regular blog post
But why would cloudflare advertise Anthropic? They are competing with Anthropic by hosting open weights models.
https://www.cloudflare.com/press/press-releases/2025/cloudfl...
It's circular financing. It's a circlejerk. It's a circular financing jerk.
Can you elaborate? That just seems to be a Cloudflare's announcement from May 2025 that they'd be supporting MCP servers.
They got privileged early access to an unreleased frontier model to harden their systems, with Anthropic engineer support, and likely were able to use it to make other product optimizations tangential to security too. A blog article afterwards is a cheap price for unlocking that access, regardless of how well it paid off.
Not how I took it, but that this was a lot more marketing than content, while their other, older blogposts are more content than marketing. It is of course all content marketing, for Cloudflare. That doesn't mean it has to be bad (anemic on meaningful content). On the contrary, it being good is kind of the whole point.
A corporation does not have its own will.
Their owners are invested in AI and need AI to do well. If this goal clashes temporarily with the goals set up for Cloudflare, so be it.
> Sounds different because it’s hidden advertisement not a regular blog post
Yep. Cloudflare has lost my respect over the last six months.
The posts about pro-AI initiatives and APIs for AI and then laying off a lot of people was pretty impressive for how to do the wrong thing.
The post says they wrote a custom harness that orchestrates work between multiple separate model invocations. That is different from running Claude Code (which is a specific existing harness around the Claude models).
The post takes a while to get around to saying that, and could have included more detail besides the workflow diagram and table (which they flag as only "an example of" such a harness), but it does answer the question. It's a different kind of tool because it's a model rather than a harness+model pair.
> the model has its own emergent guardrails that sometimes cause it to push back on legitimate security research requests. But as we found, these organic refusals aren’t consistent - the same task, framed differently or presented in a different context, could produce completely different outcomes as illustrated in the examples below.
This was new. I'm surprised that a model specifically designed for security research and gated to professionals is refusing legitimate requests
There's pretty strong evidence that (mis)alignment in one area creates (mis)alignment in others. The "aligned behavior" vectors are not orthogonal from cybersecurity to bioweapons to prejudice, so having alignment in some will likely bleed into others.
The model wasn’t created specifically for security research. It’s a general model that just happens to be dangerously good at security research (according to Anthropic)
I think they're saying it has qualitatively different capabilities that make certain kinds of security work more worth pursuing with the model, not that the model of human-AI interaction has changed.
You're right that they're using a harness like everyone else. The general idea of giving the model a harness is not going to change. I mean even humans need harnesses to accomplish some things.
Google Maps is my favorite human harness.
'Its not X, its Y' is also a common LLM trope.
I think what they might mean is:
Because of it's capabilities, a new kind of harness can be built for it, thus the entire system (model + harness) is a different kind of tool than say Claude code
But did they build this different harness? And are they sure other models can't cope with it?
Right I expected the piece to transition into “and here’s how we built a whole new thing for it” but it never did.
They kind of have a little diagram explaining the steps I imagine every single step in that to basically be it's own Claude code session.
My guess is because it is a model trained specifically for security/hacking. So comparing it to Opus, trained for chat/code/etc., is apples-to-oranges.
It is not, that's what surprised Anthropic employees too.
I was expecting some more concrete numbers and surprises. It just seems like a balanced promotion article probably written using LLM itself.
In the last few days I was recommending to read the insights from XBOW [1], it's a competitor but it adds more information to the discussion.
[1] https://xbow.com/blog/mythos-offensive-security-xbow-evaluat...
Thanks for sharing. Its definitely more concrete. Some of the things that I was hoping to find were, the number of false positives, the times it takes to identify the false positives from real ones, the taxation on human mind to perform this exercise. Did anyone manually verified the exploits which were identified by the LLM or were they assumed correct based on the explanation. I do understand that the target audience of these articles is probably the decision makers so the language and content has to be tailored accordingly.
>, the number of false positives,
Really this is why the LLM needs to be able to write exploits for issues it finds. Of course that leads down a rabbit hole of other issues. But if an exploit works, then that's pretty conclusive evidence.
For a subset of bugs, yes. For some others, not really: I've seen LLMs make bogus assumptions about the threat model (in which case, the exploit works but doesn't demonstrate anything useful) or "cheat" by modifying the code to demonstrate a hallucinated issue.
Frontier models, including Mythos, can greatly streamline bug hunting and exploit developments in the hands of a competent security engineer. In the hands of a person with no security experience, they will still mostly waste your time and money.
Seconding this.
I've seen it make the codebase vulnerable by changing the source, then claiming it found a vuln, or finding a well-defended and secure exec function, write a unit test that shows what exec does (which is running commands), then claiming a critical finding.
I don't understand how XBOW measured the false negative rates.
That is a good article.
Interesting that gpt-5.5, while not as good as mythos, also seems like a decent step up
The real question is whether it was Mythos or Opus that wrote this post.
> "Why it matters"
It doesn't, it's a corporate blog, they were rarely written in one-author's voice anyway, but it's interesting to see that even large organisations are outsourcing their blogs to LLMs.
Sentence constructions like this definitely scream AI: "That's a reasonable bias for an exploratory tool. It's a ruinous one for a triage queue..."
I will upgrade the "why it matters" to "and now AI output is part of the training data". A day is coming when the punched-up AI verbiage will be the norm and hard to distinguish unless you're from the previous generation. Sort of in the way that I miss some aspects of Usenet.
I had a dude in a conversation non-ironically use "load-bearing."
I could only follow up with, "that is a genuine insight."
Not a single person visibly flinched in pain.
Careful, you might have been talking to a Real Engineer. Perhaps even a structural variant that use this phrase pretty much daily.
We weren't talking about "seeing a man about a horse barn" we were talking about software.
I use load-bearing all the time, mostly in jokes about something
This highly depends on the context of the conversation. Were you by any chance talking about walls?
Let's double-click on that. It's important to keep top of mind that using disruptive words and patterns in conversation isn't always driven by LLMs — reasoning from first principles tells us that problematic usages like this existed beforehand. One of my load-bearing career learnings is that people used this shape of language as a shibboleth long before game-changing tools like ChatGPT started slopping so much of what people read. It's a performant way of categorizing people into a very specific tech culture in-group based on vibes.
I don't think it's performative or about vibes. Everyone subconsciously adopts phrases and in general ways of talking from people around them. May it be from friends, neighbors or coworkers.
Not incompatible with my satirical post (I wrote "performant," a notorious tech neologism, not performative). Whether subconsciously or not people 100000% use language to communicate and determine others' social tribe membership.
https://www.youtube.com/watch?v=QRVExJZKIT8
yeah? it’s not that weird of a term
It’s weird when someone starts using terminology that is heavily over-indexed by LLMs out of the blue.
Is it weird? Pretty much everyone's writing and speech is influenced to some degree by what they've read and heard in conversation. For better or for worse, it's only getting harder to avoid exposure to LLM generated prose.
Huh, I've heard this term all the time at work and used it myself since long before LLMs
Then it's not weird because it's not out of the blue.
Same
That's a scary thought, llm's training on llm output. People trained by default of ubiquity to think and read llm output produce their own llm-esque writing.
Seems stifling. We'll need someway to reward human creativity and out-of-bounds thinking before our greatest corpus of human intellect is a bounded by whenever and whatever was trained on.
Writing and later the printing press have already considerably stifled human expressiveness. Language used to be noch more fragmented and diverse before mass media (or the Bible in every household). In my grandmother’s time you would have difficulty understanding people from three villages down the road.
I'm not sure enabling people three villages apart to communicate with each other counts as "stifling human expressiveness"
I’m not sure that having people read LLM output does that either.
So is it that humans are inherently creative, machines could never do what we do? Or is it that humans will only replicate our training data, and so we have to ensure that machines don't bound our training data? Or are you going meta and gently pointing out the absurdity? (I hope it's this one!)
I think I have an answer. Human's don't have "training data" in the same way we think of LLMs, yes you can walk outside your house and quantify every electromagnetic pulse, random pertubation etc and then "train on it". But that isn't how people process information. We have the ability to process our entire "existence" if that makes sense, which means the density is much higher.
The LLM is bounded by it's training data, and relying on it means we are as well.
I don't understand this mindset, why is it people on here think humans have some kind of magical ability machines don't or can't? Five years ago I would never have predicted this kind of human chauvinism here. It's some kind of weird romanticism almost.
Maybe because everything LLM-written is written in the same style with no creativity, diversity, or idiosyncrasies? If all humans suddenly started writing in a single, bland, corporate style, that would be a tragedy, LLMs or not.
Because right now humans do have a magical ability machines don't. LLMs are a fuzzy reflection of what they've seen hundreds of times already, they don't have originality or intelligence (yet).
As a much more immediate practical matter, LLMs trained on LLM output makes them worse overall, they degrade from doing that. So the more LLM-prodoced content fills the web, the less useful it is as a data source for future LLM training. In addition to just being increasingly boring and vapid.
Saying they don't posses any level of intelligence is wild.
The intelligence is an emergent property of their ability to predict how a statement will proceed, therefore it is inevitably a reiteration or transformation at best. Lots of intelligent things can be produced from that, but nothing truly novel.
Human creativity is not only not being rewarded, but people are increasingly talking like consuming too few tokens is something that's actively used against them.
It's fascinating seeing people think that if you're snarky enough about something, the substance of that thing actually ceases to be substantive.
It's like staring down the barrel of a gun and taking the time to make quips about the type of paper the gun advertisement was printed on.
When writing is too heavily LLM-assisted, it does actually cease to be substantive, because it becomes impossible to know which parts of it represent actual claims which the author believes as stated and which are interpolations.
No no, it the LLM-assistance makes it hard to know what is substantive. That means it puts more work on the reader, which is a totally valid thing to complain about, but which is totally different from "the poor writing is actually the whole point"
But how can the reader do the work? They don't have access to Mythos and can't review Cloudflare's internal findings or harnesses. The only practical options are to accept the article at face value or not accept it if the expected density of LLM interpolations is too high.
All of them represent claims which the author believes as stated, otherwise the author wouldn't put their name on them.
How do you know we haven't looked for substance, found none, and then decided to be snarky?
I can agree that snark probably isn't the type of comment that we generally value or encourage here on Hacker News, but neither is posting blatant advertisements and press releases, but here we are discussing one, so shrug ?
Eh, I still read all of it, but it grates that everything everywhere all the time now is written by one person.
I agree with the complaint, I just disagree with this somehow obviating the need to engage with the underlying substance (where it exists)
And obviously it's a problem that it's so much cheaper to produce writing without underlying substance, but I think when one of the leading Internet security/infrastructure companies is writing about the leading cybersecurity model, it's excessively flippant to say the writing on top is "the real question"
[dead]
This is not just any large organization, it's Anthropic. Their entire shtick is that AIs can do Real Work now and it'd be weird if they didn't behave accordingly themselves.
This is also why Claude Code is full of weird bugs and why their support says that it did refunds when it didn't and so on and so forth.
Cloudflare blogs have been excellent for many years, long before transformers arrived.
Oh those Decepticons…
This looks more like it was edited by AI rather than fully written by it. Or they are using a really good humaniser for the second pass.
Should that be surprising? Larger orgs are the ones more naturally associated with mediocrity and are most likely to want to reduce human labor hours.
Disappointing really.
'Narrow scope produces better findings - Telling the model "Find vulnerabilities in this repository" makes it wander. Telling it "Look for command injection in this specific function, with this trust boundary above it, here's the architecture document and here's prior coverage of this area" makes it do something much closer to what a researcher would actually do.'
So what, we take every function and every vulnerability type and just run the agents millions of times?
I would expect Mythos to be able to find vulnerabilities without pointing it out for him, otherwise it's no better from other agents. It's just has a better harness.
> So what, we take every function and every vulnerability type and just run the agents millions of times?
Yes.
We build a skill where a coordinator AI enumerates all possible vulnerability types and all functions, then launches parallel max effort Mythos agents against all vulnerability x function pairs.
I've been doing something like this with Opus already. General code review. Enumerated dimensions like correctness, security, maintainability, etc. Asked the coordinator AI to explore the code and autodiscover subsystem boundaries. Then it runs an absurd amount of dimension x subsystem review agents.
It burns a lot of tokens and takes me like three days to complete a review session, but the results have been excellent so far. The resulting TODO list will keep me occupied for quite a while.
I can only imagine what these corporations with unlimited money are doing. Poor me can't afford API prices so I had to not only limit scope but also design a filesystem-like journaling mechanism for the agents in order to deal with the rate limit interruptions. I'm sure Cloudflare is not gonna have that problem.
This matches with what Nicholas Carlini from Anthropic said a the [un]prompted conference - https://www.youtube.com/watch?v=1sd26pWhfmg. Very worth watching.
I think the idea here is you give the Hunters (stage 2) a narrower scope, but have a parent agent responsible for dividing up the full search space (stage 1).
And note that Hunt tasks can be queued from previous Trace tasks, ie you find a vuln in one layer, so you queue a hunt for corresponding vulns in the layers that could exploit your first finding.
I'm still waiting something more specific or groundbreaking too. Feels like a lot of noise with just the goal to get people to talk about it. And now I realize I am talking about it and about nothing at the same time. Just fugazzi.
Yeah this whole post reads like Anthropic said “make sure you say how awesome Mythos is” but really what they’re saying is that it’s just a better harness.
Who is him?
Raised an eyebrow for me too. It’s interesting to see people subconsciously (?) assign a gender (him/her) to LLMs rather than using the appropriate “it.”
The "Four lessons" that came out of running this work at scale made me chuckle. Three of the four were essentially identical and entirely obvious. In short: specific, narrow requests work better than "find vulnerabilities." Well, d'uh.
But, I did think the adversarial review (while not novel at all and talked about much in HN circles) is interesting and distinct, at least. I need to put this to work in more of workflows. I think it could be beneficial for non-coding tasks, too.
https://blog.cloudflare.com/cyber-frontier-models/#what-a-ha...
> The loudest reaction to Mythos Preview from other security leaders has been about speed - scan faster, patch faster, compress the response cycle. More than one team we have spoken with is now operating under a two-hour SLA from CVE release to patch in production [...] If regression testing takes a day, you cannot get to a two-hour SLA without skipping it, and the bugs you ship when you skip regression testing tend to be worse than the bugs you were trying to patch.
Over time, I wonder if these models will be able to generate more secure code by default by doing this kind of exploitability testing before ever merging their code.
I don't know, but it always seems weird to me when people notice AI isn't performing super well and then they conclude that the solution to problem is to try using more AI
Yeah why not? That's how I work. If I don't review my work, it's way worse than if I do review it and revise and iterate. I don't see why AI should be different: in fact it very clearly seems to be the case that is isn't.
I mean, I was sold something different. Something super human, vastly more intelligent, world changing. The reality is not that. Am I allowed to be disappointed and discouraged?
Because you can have it review itself and iterate on its own work before showing you. If you insist on reviewing its one-shot output you'll be disappointed, but if you consider its internal work private and only consider its final output, it's different.
Also we're still in the middle of the transformation, clearly the AI we'll have in 5 years will be radically different and better (by some definition of better) than what we see today. It's kind of weird that you'd be disappointed that the world will only be totally transformed in ten years, and not five.
"clearly the AI we'll have in 5 years will be radically different and better"
Based on past performance that's not clear at all. Remember Elon predicting full self driving by 2017. It's almost 10 years past that predicted date and it's still not quite there. 5 years is nothing in tech. It takes 5 years to get a slightly improved chip designed and manufactured. It's been 3.5 years since ChatGPT was released and the LLMs of today are not radically different from that, and no radical changes have been teased. We're still in the throw-more-hardware-at-it phase. We could be here a while.
It has changed the world in major ways, although its not entirely visible because we've become numb to the idea of AI and AI being in everything.
It hasn't changed the way we sleep, wake up, eat, walk and talk so its not "life changing" or "world changing" in the sense a meteorite hit us, but each day thousands of mini meteorites are hitting Earth and we're becoming normalized to it one step at a time.
You are allowed to be disappointed and discouraged! For all the good tech that has come out of the AI revolution, most of it is ignored or shelved for things that can squeeze more and more money out of us and make our lifes worse, not better. Despite there being real potential to generate nice code, assist with biomedical research, self-driving cars, etc.
Which is it? Major changes or a bunch of small changes. I'm well aware of the small changes. I worked for an autonomous drone company back in 2008. It was really cool! In 2020 I started working for an autonomous car company. Again, amazing! None of it was a quick step function improvement. It was a lot of hard work. None of it was quite superhumanly smart either. LLMs are impressive pattern completion machines but they kinda suck at producing anything truly novel. Plus they are compulsive liars about that, lol!
Reminds me of people adding more intervention and bureaucracy bc the last one did not do well, so we need more of it.
The problem is never the results of it. It is that we did not do well enough.
Or they don’t, and they* sell access to Mythos and successors through their services company or network of partners and charge a premium.
* they, I mean all foundation models providers, as OpenAI seems to go in the same direction
That's great and all but how severe were the most severe vulnerabilities found? I imagine they don't want to talk about it, but that's really the most interesting and important bit.
As much as I’d like to share in the skepticism, the very beginning of the article states it very plainly — this is a step function.
Lots of people feel that Mythos is a psyops campaign, but I don’t really understand the skepticism. Most of it seems to stem from the general distrust of things that aren’t publicly available.
A few Anthropic employees have described Mythos as a general purpose model improvement, but that claim has yet to be widely backed up so that’s the only place I’m remaining skeptical.
For the domain of security research, I’m willing to buy the narrative.
In his interview on the Hard Fork podcast, Palo Alto Networks’ CEO described the capability change from Opus to Mythos being more about availability; evidently it runs in a very compute-intensive, always-on mode. Unclear if the base model is significantly different, but Arora ascribed the difference mostly to that change.
[dead]
> As much as I’d like to share in the skepticism, the very beginning of the article states it very plainly — this is a step function.
To be fair, they can't say "You know, Mythos is better, but improvements are overhyped af". Moreover, their explanation of that "step change" is strange. It sounds like Mythos isn't that much better at finding vulnerabilities (which is very strange, given statements from Mozilla), but is way stronger at working with them.
> Lots of people feel that Mythos is a psyops campaign, but I don’t really understand the skepticism. Most of it seems to stem from the general distrust of things that aren’t publicly available.
1) Attempts to spin the idea about "Super powerful general purpose model that can't be released for some not so clear reasons" are usually a very bad sign. OpenAI proves it.
2) Mythos system card has a lot of strange moments, errors and things that sound like attempts to deceive.
3) It's strange that Anthropic is struggling with both Sonnet 5.0 and Opus 5.0, but at the same time has a breakthrough in the form of Mythos.
> A few Anthropic employees have described Mythos as a general purpose model improvement, but that claim has yet to be widely backed up so that’s the only place I’m remaining skeptical.
Article describes Mythos as a cybersecurity-specific model though. It's yet another unclear moment.
A general distrust of things that aren't publicly available is very healthy. We should all do more of that!
Honest question, do you buy the narrative of everyone trying to sell you a product?
> As much as I’d like to share in the skepticism, the very beginning of the article states it very plainly — this is a step function.
That's great and all, but nobody was being skeptical or asking anything about whether Mythos is or isn't a step function. Mythos could be a ten-dimensional ladder and it wouldn't change my question. The question wasn't about Mythos, but about Cloudflare: what did they found? That question is entirely fair and expected regardless of whether vulnerabilities are found via Mythos, the NSA, or a caveman.
Claiming something doesn't make it true.
I've settled in on the opinion that it's much more creative and able to run agentically for longer periods of time. So, despite it not having drastically better "hard skills", it's able to combine those together in more effective ways.
Right now, many of these vulns are identifiable by Opus, but they still require a human-in-the-loop (and often a skilled one) to guide towards complex exploits. Without a human in the loop, this means it's a lot easy for the average person to identify and leverage an exploit.
They specifically describe that exploits are usually multiple small vulnerabilities chained together. With that understanding, it sounds like closing vulnerabilities isn't the same as discovering an exploit. Instead, you're leaving fewer small gaps behind, to make it harder & harder to put together a working exploit.
Palo Alto Networks released patches for their firewalls for a number of CVEs last week, almost all derived from their access to frontier models including Mythos.
https://security.paloaltonetworks.com
Most of their new products are AI tools that nobody uses, so I guess they’ll keep posting slop. And recently, they’ve fired so many people that they probably don’t have good writers anymore.
great, but why don't you share real data on how many security vuln it found ? how many were reals, how many weren't ?
Yeah I’m waiting for this as well.
I get that you want to address them or whatever before releasing info but I keep seeing these claims with barely any data and I’m like…how do you expect people to not be skeptical?
I mean hell if you’re a security professional you’re literally paid to be skeptical.
the curl maintainer goes into some more detail on this
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-v...
Page won't open, but archive.is has it: https://archive.is/bfPZc
Mozilla published some numbers and actual bugs.
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardenin...
They used SO many words to say so little thing. At this point it seems pretty safe to say Mythos is purely PR stunt.
It reads like long winded version of paid advertising.
Interesting for teams looking to implement ai into their deployment process.
I don't think guardrails are useful long term. Assuming we don't see the end of open near-frontier models, it is folly to try to keep models from doing exploit generation. The solution needs to be all software projects writing code under the assumption that hackers will be running LLMs against their code in search of exploits and write secure code accordingly.
even careful programmers working in unsafe languages will introduce bugs; it's inevitable. in 2026 we should be using safe languages for all new projects, but there's a gargantuan amount of C/C++ handling protocols.
but I agree that guardrails will only help for like, 3-6 months. we should be screening as much as we can with Mythos; unfortunately, Anthropic is only giving access to the big players.
> What changed with Mythos Preview is that a model can now take those low-severity bugs (which would traditionally sit invisible in a backlog) and chain them into a single, more severe exploit.
I think this statement seems to align with some of the other independent tests of Mythos[1]. It did very well on long agentic work which I expect is what they trained it for, and that requires being able to find these tangential links between loosely related topics in the context window.
[1] I'm mainly referring to https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos...
This is worth a read specifically for this section and the ones following it, re: custom vs. agentic-coding harnesses. https://blog.cloudflare.com/cyber-frontier-models/#why-point...
Claude Code's harness is remarkable for many use cases, particularly with 1M context sizes. But it's also limited when the scale of code or data to read becomes close to that, or exceeds it. The idea that a cluster of actors can work on a shared, structured set of context snippets, and have guidance around what is relevant to them, is an incredibly useful model outside of cybersecurity as well.
This blog was written by AI.
I don't understand why Cloudflare got unrestricted access while Daniel Stenberg got Mythos run by a third party on cURL and only got a report. Well, I understand, but I may be wrong.
> Programming language - C and C++ give you direct memory control and, with it, bug classes - buffer overflows, out-of-bounds reads and writes - that memory-safe languages like Rust eliminate at compile time. We saw consistently more false positives from projects written in memory-unsafe languages.
Re-write your Rust into C++ to drown the attacker in false positives? ;)
The pushback is quite funny. I have found, in my own usage, that I had to evidence my legitimate access to the codebase before it would proceed.
> we tried letting the model write its own patches and watched a few go out that fixed the original bug while quietly breaking something else the code depended on.
This is something I've been anticipating. Imagine this happening on a 500k+ line project scattered across 10+ repos.
It would be easier and cheaper to pay me to rewrite the whole thing from scratch than to fix all the vulnerabilities.
>Why pointing a generic coding agent at a repo doesn't work
The author of this blog post does not acknowledge the existence of subagents and thinks that it's not possible for a model to come up with multiple ideas and have multiple streams of thought at the same time.
> They ingest a lot of source code, hold a single hypothesis at a time, and iterate against it. That's exactly the wrong shape for vulnerability research, which is narrow and parallel by nature
LLMs are trained on Ed Sheeran lyrics
Did they compare it to other models? A lot of this sounds like this is the first time they have applied AI to security, and they are just amazed at the unreasonable performance of a pattern matching machine. Well, it matches patterns. duh
> The harder question is what the architecture around the vulnerability should look like. The principle is to make exploitation harder for an attacker even when a bug exists, so that the gap between when a vulnerability is disclosed and when it is patched matters less. That means defenses that sit in front of the application and block the bug from being reached. It means designing the application so that a flaw in one part of the code cannot give an attacker access to other parts. It means being able to roll out a fix to every place the code is running at the same moment, rather than waiting on individual teams to deploy it.
So nothing new then.
“Sorry Dave I’m afraid I can’t do that“
I’m a security researcher
“Oh in that case”
"Why it matters"
Kringe sloppy AI writing.
Beside the poorly written post, the vulnerability discovery workflow might actually give good results
The part on the harness is spot on.
I have been encouraging people to think about agentic coding in the same way.
Let agents do the reading and writing and inspections. Human does the thinking.
Asking an agent that is looking at a firearm specification schematic "what is wrong with this?" and the response is "this thing contains an explosion and can kill". Human "that's the function" when the human should be asking "based upon the materials used, are the fault tolerances sufficient to maintain structural integrity".
It's nice to see them address the instrumentation side of this.
I expressed some concerns along the same lines in the thread about the Mythos evaluation curl did a few days ago, which sounded a lot like the "passing in the repo and telling it go!" type workflow described in this as dramatically less effective.
Disappointed that the post is very slim on details beyond this however. No hard numbers. Not comparatively, not in isolation. Would have arguably been kinda the point.
We got a special thing that did special things. Yay!
I can't wait to be told that Cloudflare is now part of "The Mythos FUD" campaign.
2 things can be true at the same time.
I think the curl folks finding it underwhelming is more of a testament to their code being subjected to a lot of tests/attacks/auditing over the past years compared to many other codebases. It's not going to find magically insurmounable exploits on it's own and "pwn teh w0rld".
At the same time, there is so much shitty non-memory safe code out there (C/C++ mainly) or logically weak code (much of it vibe-coded or otherwise by inexperienced devs) that will be easy pickings for anyone pointing Mythos at those codebases/services and eventually lead to chaos since the cost of an customized exploit has gone from days to months of expensive researcher time to some token spending.
Now if they noticed that they could find exploit chains easily in a lot of popular software, some embargo and hardening to give popular OSS packages time to not be exploitable by default does help people (and the NSA that probably has a preview).
While it is true that C/C++ are prone to bugs when used by careless programmers, Cloudflare also said:
"We saw consistently more false positives from projects written in memory-unsafe languages."
So while there may be a greater probability to find bugs in C/C++ projects, there is also a greater probability that there will be more work that must be done by humans to verify that real bugs have been found.
The amount of code that is absolute trash in F500 could drown the world.
Static scanners are ok at find a few particular types of issues, and really bad at more abstract issues. Also having rules where you must pass static analysis has to be followed up with actually making sure your code monkeys aren't writing bullshit that confuses the scanner and lets it pass while doing nothing for security (or adding nice logic traps).
Most external security firms looking at code are more useless than a zero with the circle rubbed out. Had a fun example from a while back where the team that wrote the code inserted an intentional security flaw to be sure they were catching anything. Problem is they were giving access to the entire git history so these stood out. The moment they just gave flat code the security teams ability to find flaws disappeared.
LLM models seem to have a pretty good grasp on finding flaws in code like this once you can get the issue to stay in context and execution time. When I hear things like Mythos getting much longer time to work on the problem then at least to me it makes a lot more sense on the number of issues it's picking up.
[flagged]
well how many CVE vulns did it find?
Nice content marketing piece.
> Model refusals [..]
That even their model aimed at security research tries to be a pedantic better-than-thou annoys me much.
I build an agentic loop framework at work, and I need the model to test some boundaries and error-mechanisms, but Opus keeps whining that it's not ready to do these "bad" things and tells me to do it myself instead. Makes me roll my eyes...
[flagged]
[dead]
[dead]
Technically speaking CloudFlare is at its core, a security vulnerability itself. World's largest MITM
There will be no mea culpa from folks insinuating Mythos is a marketing stunt. Nor will there be every time AI capabilities repeatedly blast through the naive expectations.