The CISO, or chief information security officer, has suddenly become one of the most high-pressure roles in business.
Loading audio narration…
This spring, Anthropic’s Mythos and OpenAI’s GPT‑5.5 models sparked a wave of fear that attackers armed with advanced AI models could soon crack systems worldwide. And the unease adds to the issues that cybersecurity already faces.
More companies use outside code libraries than in eras prior, which could make it easier for hacks to spread if there are vulnerabilities in those packages of code. And last year, coding tools from OpenAI and Anthropic took off, helping developers churn out millions of lines of new code. Those tools are prone to creating errors and vulnerabilities that developers miss — putting researchers, companies, and governments on high alert.
“Everyone’s predicting that there will be a lot more hacking this year,” said Isaac Evans, CEO of cybersecurity startup Semgrep.
An OpenAI spokesperson pointed to a recent spree of cyber-focused announcements and releases that aim to have AI improvements help defenders work more quickly and effectively. The company’s “Daybreak” page lets developers request a security scan. Anthropic, which is also in the midst of a cybersecurity push, did not respond to a request for comment from Business Insider.
Before Anthropic announced Mythos, security pros were already overburdened
Evans’ startup focuses on code security and operates a free, widely used code-scanning tool. He said that a recent threat prompted his company to scour its codebase for vulnerabilities, and the team found two — both contributed by Anthropic’s Claude product.
It’s a drawback of the AI-coding boom. Evans said if a company generates 10 times the lines of code, it should expect 10 times the number of vulnerabilities, or worse.
Feross Aboukhadijeh, CEO of cybersecurity startup Socket, reiterated Evans’ worries about developers reviewing new code less carefully. That, plus using outside code libraries to complement a company’s internal code, creates a “perfect storm” of danger, Aboukhadijeh said.
Open-source code libraries are often well-maintained, following the principle that transparency helps remove bugs. Now, so many companies use code from these repositories — AI tools often pull from them — that a single security gap can imperil many firms.
“The vulnerability surface of all software is expanding really quickly,” Aboukhadijeh said.
The “Mythos Moment” triggered a reckoning — and a lot of work for security teams
Security teams already use new AI models to search for vulnerabilities while also worrying about attackers gaining access to models of similar strength. Then, on April 7, came what’s now being called the “Mythos Moment.”
That day, Anthropic announced that its new general-purpose AI model, dubbed Mythos, had found thousands of severe security vulnerabilities, some that humans had missed for over a decade. While it identified vulnerabilities, it could also exploit “every major operating system and every major web browser,” the company wrote, adding that some engineers at the lab had used the technology to find working hacks over a single night.
The company decided not to release the model beyond a group of trusted partners, giving defenders a head start. The Mythos announcement put it plainly: “Ultimately, it’s about to become very difficult for the security community.”
Anthropic’s warning — that it’d made a model too dangerous to immediately release — reverberated around the world. The Trump administration began discussing a system to review new AI models.
UK government officials also released an open letter about Mythos, warning businesses, “If your board has not recently discussed cyber risk, do so at your next meeting and then regularly. This is not an issue to delegate to your IT team and forget about.”
Meanwhile, the corporate world’s security community leaped into action, either hunting for Mythos access or racing to test it. Some early reviews affirmed Anthropic’s worries.
A team at Mozilla, the organization behind Firefox, wrote that Mythos helped them find and fix more security bugs than they had in the previous year. Researchers with the security firm Calif say Mythos helped them identify bugs in MacOS, link them together, and ultimately figure out a way to corrupt part of the famously secure technology. (Apple did not respond to a request for comment from Business Insider, though it told The Wall Street Journal it is reviewing the findings.)
Cybersecurity giants like CrowdStrike, Palo Alto Networks, and Fortinet have each posted recent announcements warning about the potential dangers of frontier AI.
Manoj Nair, who leads the emerging technologies and solutions office at the security startup Snyk, said that with Mythos and OpenAI’s GPT-5.5 landing on top of other security issues, “If you’re a CISO today, you’re living in what I call the ‘AI fog’.”
Nair’s company, like Socket and Semgrep, has signed onto a partnership with OpenAI to try to beat back the storm of worries. Anthropic is also hatching these partnerships, giving companies like Snyk a chance to try out the advanced tech.
Logan Graham, who heads Anthropic’s frontier red team, recently wrote on X that his cybersecurity team is bringing Mythos “to defenders as fast as we responsibly can.”
“Security is always a team sport,” Nair said. “The model companies need to figure out that is how security works. And they are.”
Have a tip? Contact this reporter via email a scouncil@insider.com, or over text, Signal, Telegram, or WhatsApp at 415-757-8198. Use a personal email address, a nonwork WiFi network, and a nonwork device; here’s our guide to sharing information securely.
