The Real AI Security Threat Isn’t What You Think


Last August, some of the best cybersecurity teams in the business gathered in Las Vegas to show off their AI bug-finding systems at DARPA’s Artificial Intelligence Cyber Challenge (AIxCC). The setup was straightforward: DARPA had injected artificial flaws into 54 million lines of real software code. The teams were supposed to find those bugs. They did—mostly.

But here’s the part that should make you nervous. Their automated tools went beyond the assignment. They found more than a dozen bugs that DARPA hadn’t inserted at all. Real, live vulnerabilities sitting in production code, waiting for someone to exploit them. The AI found them by accident.

That was August. Fast forward to this month, and Anthropic dropped Claude Mythos—a new model that seems to find vulnerabilities at a rate that makes previous tools look like toys. The security community is still processing the implications, but I’ve been watching this space long enough to know where this is headed.

The script kiddie problem gets an upgrade

We’ve spent years worrying about nation-state actors and organized cybercrime rings. But the democratization of AI-powered hacking tools changes the calculus. The term “script kiddie” has always been dismissive—some kid downloading tools they don’t understand to deface websites. But give that kid access to an AI that can find zero-days in real code, and suddenly they’re not a joke anymore.

The DARPA results showed that AI can find bugs humans miss. The problem is that the same technology is available to attackers. Claude Mythos isn’t locked in a government vault. It’s a product. Anyone with an API key can point it at code and ask it to find weaknesses.

This is higher than I expected. I’ve been skeptical of AI’s ability to replace human security researchers, but the data from AIxCC changed my mind. The tools didn’t just find planted bugs—they found real ones that had survived years of human review. That’s not incremental improvement. That’s a step change.

The asymmetry problem

Defenders have to find every bug. Attackers only need one. AI flips this equation in favor of attackers because it scales bug finding. A human researcher might spend days auditing a codebase. An AI can do it in minutes, and it doesn’t get tired or bored.

What worries me most isn’t the sophisticated state actors. They already have resources. It’s the thousands of bored teenagers who now have access to tools that can find real vulnerabilities. The barrier to entry just dropped from “learn assembly and reverse engineering” to “write a prompt.”

This approach has been tried before. We’ve seen automated vulnerability scanners for decades. But those were pattern-matching tools that flagged obvious issues like SQL injection. What we’re seeing now is different. These AIs understand code semantics. They can trace complex logic flows and find subtle logic errors that humans would miss.

The response so far

Anthropic has been careful about how Claude Mythos is deployed. They’ve implemented safeguards and rate limits. But the cat is out of the bag. The underlying techniques will be replicated, and open-source models will catch up. It’s only a matter of time before someone releases a fine-tuned model specifically designed for finding vulnerabilities.

The security industry needs to rethink its approach. Patching individual bugs won’t be enough when attackers can find new ones faster than we can fix them. We need AI-powered defenses that can match the offensive capability. We need automated patching, real-time monitoring, and systems that can adapt faster than attackers can exploit.

Some companies are already working on this. Microsoft has been deploying AI for vulnerability detection internally. Google’s Project Zero has experimented with fuzzing tools that use machine learning. But the pace of defensive innovation needs to accelerate.

I’m not saying the sky is falling. But I am saying that the script kiddie problem just got a lot more serious. The kid in their basement with an API key might be the biggest security threat we face in the next five years. And we’re not ready.
