Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'll share the first-hand account I recently got from someone else.

> We've used it at work

> it is... not as hype as everyone is concerned about

> I'd argue the framework around it for security scanning is the arguably more useful side of the tool, definitely doesnt take a huge model to get all the issues it flagged on our systems

> For us, it absolutely flooded us with noise

> I mean hundreds if not thousands of false positives or minor issues or not applicable

> For every one reasonable issue

> The biggest issue it created was the execs treated every issue it produced like it was a drop everything and fix the issue type deal

> I'm talking company wide drop all things "we need to patch nginx because this module that no one uses and is disabled by default has this RCE vulnerability™

> Or "all ec2 AMIs need to be upgraded because it flagged a a version specific docker vulnerability", it flagged every single machine with docker regardless of if the actual vulnerability was relevant

> Vulnerability was with a very specific Auth plugin configuration you could enable with docker and specifically the Mosley docker compatible tool, but it is clear it only knew there was a vulnerability in docker, not if it was applicable or not

> Meanwhile dirtyfrag and friends not a single peep from btw despite it allowing for container escape

> Idk, I was underwhelmed with the quality of the reporting it gave really. If the company allowed me to get information about all the infrastructure in our entire organisation to run Claude over it repeatedly looking for recent CVEs I'm sure I could produce the same results...



It seems like there is a genuine communication breakdown between management and engineering. Engineers know that there are vulnerabilities all over the place and that there have been for ages and that where the rubber hits the road every vulnerability does not represent a successful exploit by some nefarious actor.

Management can often treat cybersecurity like a black box that represents millions upon millions in liability. If Mythos represents an opportunity to bring management's understanding of the amount of "security vulnerability debt" everyone carries into the real world, it might be a good thing


I had a geniunely surreal conversation with the security team the past week, it went like:

'Hi, we are reaching out to you because our tool flagged a large data transfer between such and such services'

'Wait, the source endpoint is an internal service, the target endpoint is an internal S3 bucket (I was doing a routine DB backup) Neither are reachable from the internet. How is it a security issue?'

'Our tool has flagged it'


Almost all the corporate security professionals I have dealt with have been tool runners with no more than Helpdesk level skills.


As someone with over 30 years experience in computer security, both in corporate as well as boutique security and startup shops, who has been consistently fighting this trend, and recently bearing witness to and engaging in the current AI surge: I can say with absolute confidence that it is only getting and going to get even worse yet.

People like me who know there is a better way are getting pushed harder to lean on AI tooling even though we know that it is making things worse. This isn’t just because our founder/funding overlords are pressing us to do it. The sheer volume of new mission critical code being pumped out enabled by vibe coding is also leaving us little choice but to lean in too just to try and keep up.

We can all see it as clear as day: The tech isn’t ready for any of this. But nobody wants to hear that and everyone is marching off the cliff together anyway. We’re all going to land in the same waste pit together. Raise a glass and whimper.


AI is far better at security than the majority of security professionals. It is a net positive.

People constantly compare AI to this very rare expert human rather than the reality of who is already employed. Experts like you are a major culprit of this. And it puts you at odds with yourself to both admit the industry is full of subpar workers and then lament that they will be replaced with workers that are better, but still worse than you.

What is wrong with someone to make them think in this manner? Is it just a kneejerk response with little thought? Is it ego? Is it a coping mechanism? I find it very strange and interesting and annoying.


I also don’t like your framing, here.

We need experts to know when AI is wrong, which it is all the time.

Earlier this week someone commented here that we shouldn’t expect a language model to know that you need to drive a car to a car wash, to wash a car.

So then, what do we expect it to know? Who’s responsible for when it’s wrong?

Also, why can’t Mythos just fix all these issues itself if it’s so smart. And test them to make sure they work?


I actually agree somewhat with jatora. However a large segment of the top ~20% of security folks are being forced to become reverse centaurs, as opposed to centaurs (disempowered vs empowered) due to the factors I mentioned. I genuinely see value in the tech, but it is currently being deployed recklessly and stupidly.


> why can’t Mythos just fix all these issues itself if it’s so smart. And test them to make sure they work?

“Why”: because you didn’t ask it. It’s not its job in this case.

You don’t hire an accountant and tell them “why can’t you fix my cash-flow problems and make me money if you’re so smart”


Ah ok, sure. The difference being the model should know how to do both based on what I’ve been told.

So why didn’t Anthropic ask it for me?


You are leaping to the assumption that I don’t actually believe in the tech. This is incorrect. I am griping with the way it is being recklessly and stupidly deployed by poeople who really don’t know what they’re doing.


That means you aren't high enough up to deal with the non helpdesk level security people.


True. It is a well-known fact that braincells per capita, and technical competence and understanding rapidly increase the higher you are on the management ladder.


To be fair though, models might be changing the calculus for what constitutes a vulnerability that is too small / too obscure to care about.

If AI is reducing the cost of using the long tail of small vulnerabilities or is making possible chaining them together into something more profound, then those small, less-concerning issues might requiring addressing in a way that was previously not required.


It won't bring understanding though is the problem. You get situations like the parent, where the execs don't have the knowledge, time, or care to learn beyond "vulnerability bad, must patch now"

Execs/Management types getting extra visibility into the technical side, in my experience, has only ever resulted in additional but meaningless work, like just checking boxes on a compliance/audit checklist without actually considering the impacts of those changes, or whether a company is actually vulnerable to the disclosed CVE.

It's along the same lines of the BS I deal with day to day from upper management arguing back with "But ChatGPT said..." meanwhile pasting some hallucinated crap that doesn't even apply to our environment.

LLMs are basically a dunning-kruger machine for management. Engineering is best left alone and trusted to do what they are being paid to do.


Yeah, I’m getting the sense that Mythos is for cybersecurity what blockchain was for back-end finance. A bit useful. But mostly good for bringing attention to upgrading neglected systems.


This doesn’t make any sense either.

Many systems in relation to banking are very old and will stay that way - the economics are not favourable.


I recommend "How to measure anything in cybersecurity risk". Really interesting read about putting actual value on security.


In other words it is equivalent to spending a million dollars on an audit by a software security consulting company


Or to RedHat for rewriting Python core 500 times.

The "humans do it too" argument gets tiresome. Even if the consulting company fails, the money goes back to employees and back into the real economy. Now it goes to Don Amodei.

The consulting company could be local, which provides a higher degree of confidence, though not proof, that no data is exfiltrated to the US.

And so on.


I think Opus 4.6 and Mythos overall/marketing wise are key points because it told the world that LLMs are now a critical / usefull tool for security audits.

Its aligns with the significant jump in helpfulness in CTF.

But i think its good to hear that its not that crazy good. Everything slowing it down is good.


I'm pretty impressed with regular Claude Code with Opus 4.7/4.8 in finding vulnerabilities in our code. Maybe 70% are false positives though. It's a lot of work to manually push back on the findings. Still worth it.


It's similar with performance optimizations.

One example was Claude thinking we could optimize converting vector tiles to raster by operating in float32 rather than float64. It turned out the library we have to use casts to float64 anyway, so the work of casting to 32 then to 64 rather than staying at 64 actually slowed the path down by 12%.

Yet it also finds the odd thing that isn't very intuitive but leads to marked improvements I never would have uncovered because... Well, as a human with only 24 hours in a day, there's no way I'll turn over every leaf and find these items on my own.

I'm totally fine with the false positives because they're so easy the verify.


I thought one of the advantages of Glasswing was that it could produce a PoC for you. Was it producing working PoC's?


why are folks looking at the output of the first pass?

my understanding, and experience, is that you 1. run a bunch of sessions with small permutations to create variety, 2. run more sessions dedupe reports into a smaller collections of potential vulns, 3. run a handful of agents at max effort to write PoCs + write-ups, 4. rank findings, 5. finally look at what, if anything that, was found. maybe ask questions, try and understand if the PoC is running against a realistic setup.

until you can confirm a vuln report is valid, you must assume it is invalid.


What Project Glasswing claimed at launch is that Mythos can "surpass all but the most skilled humans at finding and exploiting software vulnerabilities". What you're describing sounds more like making skilled humans more effective at penetration testing. That's cool, but it's not clear how much it matters, because most security teams were not previously bottlenecked on penetration testing capacity.


i wasn't thinking about pen-testing, but vulnerability-research, which seems to match that quote. but, you're right, gp is referring to "security scanning". i just feel like, even then whoever's running the research, should triage and validate results, before passing on to mgmt.


This reminds me of when I added Snyk to our CI/CD and brought development to a standstill


Same pattern. Scanners flag everything. The problem is there's no layer between findings and everyone's inbox. Prioritization is harder than detection.


Seems like there might be a market for a product that just prefixes "The AI Said" on emails to executives about security vulns.


This is the same gripe I have over any LLM vulnerability tooling. 95% of what gets flagged is something that if taken by itself could be a vulnerability. However, the path to execute that specific vuln, in that specific function, is impossible in that particular code base and it just makes noise.


In other words it creates work. In other words Jevons paradox.

I can’t wait for the first court case where an LLM surfaces a vuln, lazy devs ignore it, and someone later sues the company into oblivion for liability.


When was the last time you remember a company being sued into oblivion for a security breach?

The cost in the US is more like “one year of credit monitoring”.


> The biggest issue it created was the execs treated every issue it produced like it was a drop everything and fix the issue type deal

While this is definitely not the ideal end of the spectrum either, execs treating security issues as something serious instead of annoyances that should only be addressed if revenue can be tied to doing so is a welcome improvement.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: