Summary of "Mythos has been unleashed (we have results)"
Overview
The video covers controversy around Anthropic’s Mythos, an AI model allegedly capable of finding software vulnerabilities and chaining them into working exploits. The host argues that early public fear/hype (e.g., “cybersecurity is dead,” “too dangerous for the public”) had moved faster than publicly available evidence—until results from a real-world test became available.
Key arguments and analysis
Public claims vs. lack of data
The host notes that much early coverage relied on headlines and social media speculation, with little or no public benchmarking to validate Mythos’s claimed advantages.
Why the test matters (curl / libcurl)
The video centers on a report by Project Glasswing, which used Mythos to audit libcurl, a widely used component powering the curl tool. Because a vulnerability here could be impactful, the stakes are described as “real.”
Overall results are “underwhelming”
According to the video:
- Mythos reportedly produced five confirmed issues, but these effectively reduced to one low-severity CVE.
- No memory-safety vulnerabilities were found in curl—issues that are often most valuable for exploit development.
- False positives were common: of the five issues submitted to curl’s security team, three were false positives, one was just a bug, and only one was a real vulnerability (rated low).
curl is an unusually well-defended target
The host argues that curl is among the most fuzzed and audited C codebases, with extensive fuzzing, review, tests, and security practices. That makes it less likely an AI audit would uncover many new issues—especially in “hot paths,” such as default TLS/HTTP parsing behavior.
Context on AI vulnerability research (historical problems)
The host recalls an earlier incident where Dan Stenberg temporarily removed curl’s HackerOne bug bounty after a surge of fake AI-generated bug reports. The concern was that the volume of noise would overwhelm triage and potentially hide real vulnerabilities—suggesting AI initially could hallucinate vulnerabilities, causing social/operational harm.
AI capability is improving—so “not dead,” but claims still uncertain
The video contrasts the early hallucination problems with measurable improvement over time, citing benchmarks in which models' success rates at finding real vulnerabilities have risen (e.g., CyberJim.io trends).
It also distinguishes two capability categories:
- Finding vulnerabilities: public evidence is limited, and the curl audit suggests Mythos may not offer much of an advantage in practice against a hardened target.
- Writing/chaining exploits: this would be more dangerous, because exploit chaining generally needs strong primitives (e.g., arbitrary read/write) to progress to RCE.
Example mentioned (OpenBSD)
The video notes that Mythos allegedly identified a long-standing OpenBSD issue, but the host emphasizes it required significant token spend and led to denial of service, not remote code execution—meaning it did not provide enabling primitives for RCE.
Conclusion / stance
The host rejects the “cyber apocalypse” framing. Mythos may be improving vulnerability research, but the curl results don’t support the idea that it “instantly breaks everything.” The limited findings are presented as a likely outcome of curl’s strong security posture, not proof that AI cannot do better elsewhere.
Presenters / contributors
- Daniel (Dan) Stenberg — lead maintainer of curl
- Anthropic — developer of Mythos
- Project Glasswing — conducted the curl audit using Mythos
- The video host/speaker — unnamed in the subtitles
Category
News and Commentary