A New Kind of AI That Can Find What Hackers Only Dream Of
Artificial intelligence has long promised to make our digital lives safer — but Anthropic's latest model, dubbed Mythos, is making some of the world's top cybersecurity experts genuinely nervous about what comes next.
In a preview released by the San Francisco-based AI startup, Mythos was described as uncovering thousands of major security vulnerabilities across every major operating system and web browser. That's not a small bug report — that's a seismic finding that cuts to the heart of how we've built the digital infrastructure billions of people rely on every day.
Why Cybersecurity Experts Are Spooked
The alarm isn't coming from nowhere. Security researchers have long used automated tools to scan for software flaws, but those tools work within known patterns. Mythos appears to operate at a different level entirely — reasoning through complex codebases the way a deeply experienced human analyst might, only orders of magnitude faster.
The concern, experts say, is a dual-use problem. The same capability that lets Mythos flag a vulnerability for a developer to patch could — in the wrong hands — be used to exploit it before anyone knows it exists. That window between discovery and patch, known as a zero-day, is exactly where bad actors do their worst damage.
For Canadian organizations — from federal government departments to Crown corporations — that exposure is very real. Canada's Communications Security Establishment (CSE) has been tracking AI-assisted cyber threats for years, but a model of Mythos's apparent capability represents a meaningful step change.
Banks Are Watching Closely
The financial sector, which sits atop layers of legacy software and is a perennial target for cybercriminals, is paying especially close attention. Canadian banks already spend billions annually on cybersecurity, and the prospect of an AI that can rapidly identify weaknesses in systems that took decades to build is not a theoretical concern — it's a business risk.
Industry groups are now quietly calling on regulators at the Office of the Superintendent of Financial Institutions (OSFI) to clarify how Canada's existing cybersecurity guidance applies to AI-driven threat vectors. OSFI updated its Technology and Cyber Risk Management guidelines in 2023, but those frameworks were written before models like Mythos existed.
The Other Side: AI as a Defence Tool
Anthropics's position — shared by most in the responsible AI community — is that finding vulnerabilities is fundamentally defensive work. The company argues that identifying these flaws before malicious actors do is exactly the kind of proactive security work the industry needs more of, not less.
There's real merit to that argument. Bug bounty programs exist precisely because the best way to find holes in software is to actively look for them. Mythos is, in effect, doing that at an unprecedented scale.
The question Canada's cybersecurity community is wrestling with isn't whether AI should do this work — it's who controls it, who it reports to, and what guardrails prevent the same capability from being turned into a weapon.
What Comes Next
No major breach has been tied to Mythos, and Anthropic has not released the model publicly. But the preview alone has been enough to prompt serious conversations among security professionals, regulators, and the banking sector about how quickly the threat landscape is evolving.
For Canadians who bank online, use a smartphone, or simply browse the web — which is to say, nearly everyone — the implications of AI-powered vulnerability discovery are worth understanding, even if they feel abstract today.
Source: CBC Business via CBC News RSS feed.
