
Cybersecurity looks like proof of work now

Anthropic's Mythos LLM is so adept at finding cybersecurity exploits that it's changing the game, according to a new report. The author argues this turns cybersecurity into a "proof of work" challenge, where spending more computational "tokens" than attackers is the new imperative. This sparked a contentious discussion on HN, debating if AI truly reshapes security or merely highlights existing realities.

Score: 56 | Comments: 24 | Highest Rank: #1 | On Front Page: 23h | First Seen: Apr 15, 9:00 PM | Last Seen: Apr 16, 7:00 PM

The Lowdown

The article posits that the advent of highly capable AI models like Anthropic's Mythos is fundamentally altering the landscape of cybersecurity, likening it to a "proof of work" system. It begins by discussing the recent revelation of Mythos, an LLM so skilled at computer security tasks that Anthropic initially restricted its release to critical software makers for system hardening.

  • Anthropic's Mythos LLM demonstrates "striking capabilities" in computer security, including performing complex corporate network attacks.
  • The AI Security Institute's (AISI) third-party analysis supports Anthropic's claims, showing Mythos completed a 32-step corporate network attack simulation, which normally takes humans 20 hours, in 3 out of 10 attempts, while other models failed.
  • This performance suggests that hardening systems will require spending more tokens (computational resources, effectively money) to discover exploits than attackers spend to exploit them, akin to cryptocurrency's proof of work.
  • The AISI report notes no diminishing returns for Mythos with increased token budgets, implying a continuous need for investment.
  • The author draws two main conclusions:
    • Open-source software remains crucial, as collective token spending to secure it could make it more robust than individual efforts.
    • Agentic coding processes will likely evolve to a three-phase cycle: Development, Review, and Hardening, with the latter being a continuous, budget-limited, AI-driven exploit identification process.

The core argument is that while code creation might become cheap, secure code will remain expensive, as security becomes a continuous arms race driven by token expenditure, shifting from cleverness to raw computational investment.

The Gossip

Skepticism and Shady Sales

Many commenters expressed strong skepticism regarding the claims made about Mythos's capabilities, particularly questioning the impartiality of the "AI Security Institute" given its ties to the AI industry and lack of security experts. Personal anecdotes trying to replicate similar LLM-driven vulnerability findings often yielded disappointing or non-actionable results, leading some to suspect "AI boosting" or commercial interests (e.g., selling more GPUs) behind the narrative, rather than a genuine paradigm shift.

Recycling Security Realities

A significant portion of the discussion centered on whether the article's conclusions presented genuinely novel insights or merely repackaged long-understood principles of cybersecurity. Commenters argued that the idea of security being a resource battle, where adversaries commit resources, is an age-old concept. Comparisons were drawn to established software engineering adages like "A little copying is better than a little dependency," suggesting that some "new" ideas are simply rediscoveries or rephrasing of existing wisdom, rather than fundamental shifts caused by AI.

Perpetual Defender's Predicament

The debate around whether AI fundamentally shifts the "advantage defender" vs. "advantage attacker" balance was prominent. Some argued that defenders have asymmetric advantages (full source code, internal knowledge) that could make their token spending more efficient than attackers' reverse-engineering efforts. However, others countered with the classic dilemma: defenders must find *all* vulnerabilities, while attackers only need *one*, and AI doesn't necessarily change this. Suggestions for formal verification as a path to "no vulnerabilities" were also raised, offering an alternative to the token-burning arms race.