AI Cybersecurity: The System is the Moat, Not the Model

AI Summary
In the rapidly evolving field of AI cybersecurity, the focus should not solely be on the size and sophistication of AI models like Anthropic's Mythos, but rather on the systems and expertise that utilize these models. Our tests on smaller, cost-effective models revealed that they can replicate much of the analysis performed by Mythos, demonstrating that AI cybersecurity capabilities do not scale linearly with model size. Instead, the moat lies in the comprehensive system that incorporates deep security expertise.
## The Anthropic Mythos Announcement
On April 7, Anthropic introduced Claude Mythos Preview and Project Glasswing, aiming to leverage their AI model, Mythos, to identify and patch security vulnerabilities in critical software. They committed substantial resources to this initiative, including $100 million in usage credits and $4 million in donations to open-source security organizations. Mythos was reported to autonomously discover thousands of zero-day vulnerabilities, including longstanding bugs in OpenBSD and FFmpeg, and construct sophisticated exploits.
## Testing the Mythos Vulnerabilities
We tested the vulnerabilities highlighted by Anthropic using smaller, open-weight models. These models, despite their modest size and cost, were able to detect Mythos's flagship FreeBSD exploit and other critical vulnerabilities. This suggests that the capability frontier in AI cybersecurity is jagged, with no single model consistently outperforming others across different tasks.
## The Jagged Frontier of AI Cybersecurity
Our experience at AISLE, running an AI system that discovers and patches zero-day vulnerabilities, supports the notion that AI cybersecurity is a modular pipeline. Tasks such as broad-spectrum scanning, vulnerability detection, triage, and patch generation each have different scaling properties. The Mythos announcement oversimplifies this by presenting AI cybersecurity as a singular capability, whereas in practice, it involves multiple inputs and expertise.
## The Importance of System Over Model
The real value in AI cybersecurity lies in the system: the targeting, iterative deepening, validation, and maintainer trust. Our tests showed that small, inexpensive models, when orchestrated expertly, can provide significant results. This changes the economics of the defensive pipeline, allowing for broad deployment of cheap models to cover more ground.
## Experiments and Findings
We conducted experiments using small models on tasks related to the Mythos announcement. These models performed well in detecting vulnerabilities and assessing exploitability, demonstrating that much of the core reasoning is accessible with current technology. However, the creative engineering required for novel exploit delivery remains a frontier capability.
## The Broader Implications
The Mythos announcement is a positive development for the ecosystem, validating the category and raising awareness. However, the narrative that AI cybersecurity depends on restricted, frontier models is overstated. The discovery and analysis capabilities are broadly accessible, and the focus should be on building the systems and relationships necessary to integrate these capabilities into workflows.
## Conclusion
The moat in AI cybersecurity is the system, not the model. The capabilities for discovery and analysis are available now, and the priority should be on developing the infrastructure and expertise to utilize these effectively. The models are ready; the question is whether the ecosystem is prepared to integrate them.
## Key Concepts
AI cybersecurity involves using artificial intelligence to identify, analyze, and mitigate security vulnerabilities in software systems. It encompasses tasks like scanning codebases, detecting vulnerabilities, and generating patches.
System integration in the context of AI involves combining various components and technologies to create a cohesive and functional system that can perform complex tasks effectively.