How AI Is Changing Cybersecurity: Rethinking Software Security in the Age of Autonomous Vulnerability Discovery
Two weeks ago, Anthropic announced that its new model, Claude Mythos Preview, can autonomously find and weaponize software vulnerabilities, turning them into working exploits without expert guidance. These were vulnerabilities in key software like operating systems and internet infrastructure that thousands of software developers working on those systems failed to find. Anthropic is not releasing the model to the general public, but instead to a limited number of companies.
The announcement has sparked debate in the cybersecurity community, with some speculating that Anthropic lacks the computational resources to run the model widely, while others argue the company is upholding its AI safety commitments. Critics and supporters alike acknowledge the broader implications of AI-driven vulnerability discovery for software security.
How AI Is Changing Cybersecurity
Artificial intelligence has advanced significantly in recent years, enabling large language models to excel at tasks like finding vulnerabilities in source code. While similar capabilities may have existed in earlier forms, the current pace of progress represents a meaningful shift in what automated systems can achieve. This progress does not imply a permanent advantage for attackers over defenders; instead, the impact is nuanced and depends on the nature of the software involved.
Some vulnerabilities can be identified, verified and patched automatically, particularly in cloud-hosted web applications built on standard software stacks where updates can be deployed rapidly. Others are easy to detect but difficult or impossible to patch, such as in Internet of Things devices, industrial control systems, and other legacy infrastructure that rarely receives updates. In complex distributed systems and cloud platforms, vulnerabilities may be easy to spot in code but hard to confirm in practice due to the large number of interacting services, which can produce false positives and complicate reproduction.
Rethinking Software Security Practices
To address these challenges, organizations should distinguish between patchable and unpatchable systems, and between vulnerabilities that are easy versus hard to verify. Systems that are difficult to patch or verify should be protected by additional layers of defense, such as strict firewalls that limit internet exposure. Distributed systems should follow established principles like traceability and least-privilege access, ensuring each component has only the permissions it needs.

Best practices in software engineering are becoming more critical. Automated, continuous testing can now be enhanced with defensive AI agents that repeatedly test exploits against real systems to filter out false positives and confirm genuine vulnerabilities. This approach, sometimes referred to as VulnOps, may become a standard part of software development. Clear documentation helps guide both human developers and AI tools, while adherence to standard tools and libraries improves pattern recognition for both humans and machines, even in environments where code is frequently generated and deployed on demand.
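
The triage described in the two paragraphs above can be sketched as follows. This is an added example, not code from the article or from any vendor: the `Finding` fields, the routing labels, and the sample findings are all hypothetical, and each `reproduce` callable stands in for a check run against a staging copy of the system.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Finding:
    ident: str                        # constructed identifier, not a real advisory
    asset: str                        # kind of system the finding applies to
    patchable: bool                   # can a fix be deployed to this asset quickly?
    reproduce: Callable[[int], bool]  # staging check; True means the issue reproduced


def verify(finding: Finding, attempts: int = 5) -> float:
    """Re-run the reproduction check and return the fraction of attempts that hit."""
    hits = sum(1 for i in range(attempts) if finding.reproduce(i))
    return hits / attempts


def route(finding: Finding, attempts: int = 5) -> str:
    """Map verification outcome and patchability to a defensive action."""
    rate = verify(finding, attempts)
    if rate == 0.0:
        # Reported by the scanner but never reproduced: treat as a false positive.
        return "false-positive: close, keep evidence"
    if rate < 1.0:
        # Intermittent reproduction is typical of many interacting services.
        return "hard-to-verify: human review, add tracing"
    if finding.patchable:
        return "confirmed: automated patch and redeploy"
    # Confirmed but no timely fix is possible: add layers of defense instead.
    return "confirmed-unpatchable: restrict exposure (firewall, least privilege)"


def triage(findings: List[Finding]) -> Dict[str, str]:
    return {f.ident: route(f) for f in findings}


# Constructed sample findings; the lambdas are deterministic stand-ins for real checks.
SAMPLE = [
    Finding("F-1", "cloud web app", True, lambda i: True),
    Finding("F-2", "industrial controller", False, lambda i: True),
    Finding("F-3", "distributed service mesh", True, lambda i: i % 2 == 0),
    Finding("F-4", "cloud web app", True, lambda i: False),
]

if __name__ == "__main__":
    for ident, action in triage(SAMPLE).items():
        print(ident, "->", action)
```
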
While phones, web browsers, and major internet services are likely to benefit from rapid patching, devices such as cars, electrical transformers, refrigerators, and streetlights—along with legacy systems in banking and aviation—may not be updated as quickly. This could lead to a period of increased exploitation before a new equilibrium emerges, in which continuous verification and timely patching become central to software security.
