Why Claude Mythos Changes Cybersecurity Forever
In this wide-ranging discussion, host Gabe Fleisher speaks with Brendan Dolan-Gavitt, XBOW co-founder, AI researcher, and former NYU cybersecurity professor, about how artificial intelligence is changing the economics, speed, and scale of cyberattacks.
The conversation begins with the Morris worm, the first major internet worm, and the security shock it created in the 1980s. That event forced the industry to confront a new reality: once software became connected, vulnerabilities could spread far faster than organizations could respond. Brendan explains how the security community evolved from closed mailing lists and hostile vendor reactions to responsible disclosure, bug bounty programs, and more mature collaboration between researchers and software companies.
That balance is now being disrupted again.
Modern AI models can do far more than assist with code. They can identify vulnerabilities, connect obscure technical details, develop working exploits, and test attack paths continuously. Tasks that once required weeks of specialized human research can now happen in hours. Even vulnerabilities that look too limited or complex to pursue may become exploitable when an AI agent is allowed to work through them for days without stopping.
The discussion focuses on Anthropic’s Mythos model and Project Glass Wing, which are designed to give critical software vendors time to find and patch vulnerabilities before similar capabilities become widely available. Brendan argues that temporarily limiting access may help defenders, but the broader shift is unavoidable. Comparable tools are likely to spread quickly.
The near-term outlook is challenging. Organizations cannot fix every vulnerable system before advanced AI reaches more attackers. But the same technology can also strengthen defense by enabling continuous testing, faster validation, and earlier remediation.
The episode closes with XBOW’s role in that transition: using autonomous agents to test web applications, uncover real vulnerabilities, and produce proof-of-concept exploits so security teams can fix validated risks before attackers find them.