AI and the Future of Cybersecurity: Why Openness Matters
What is Mythos?
Mythos is a “frontier AI model,” a large language model (LLM) designed to process software code. This follows a trend where LLMs are increasingly being trained on troves of data related to software, leading to significant improvements in their performance for tasks like finding and patching software vulnerabilities. What makes Mythos particularly noteworthy is the system it’s embedded within: It’s this system that has enabled Mythos to rapidly uncover and address these vulnerabilities. Understanding how the system operates alongside the model is crucial for grasping current trends in AI cybersecurity.
Mythos demonstrates that a powerful recipe includes:
- substantial compute resources
- models trained on extensive software-related data
- a framework designed to handle the task of identifying and patching vulnerabilities in code
- speed, enabled by both computational power and financial backing
- a degree of system autonomy
This combination allows for the discovery and resolution of software vulnerabilities. It’s not just about the model itself; it’s how this model is integrated with a robust system that makes such capabilities possible.
The significance here lies in the fact that others can build comparable systems, albeit potentially more affordably. Smaller models embedded within systems developed using deep security expertise could achieve similar outcomes at a lower cost, offering particular promise for defensive strategies. We’re still early in exploring what it means when AI systems are capable of operating autonomously to find and address vulnerabilities.
How Openness Can Be a Structural Advantage
As autonomous systems that detect software vulnerabilities proliferate (and they will), open code and tooling can help level the playing field. Software security involves four stages: detection, verification, coordination, and patch propagation. In an open ecosystem, these tasks are distributed across a community, where more centralized projects keep knowledge and action within a single organization, potentially creating a point of failure for security. Open development is robust against such constraints, especially in communities with dedicated security professionals like the Linux kernel team, the Open Source Security Foundation, and Hugging Face’s work on model and supply-chain security.
A common argument for maintaining closed systems is proprietary obscurity—where underlying code remains inaccessible. However, this provides less protection than it once did. AI tools are increasingly capable of reverse-engineering stripped binaries, making such closed-source code more accessible to attackers as well. When companies adopt AI coding tools under the wrong incentives (such as evaluating engineers based on feature volume rather than code quality), AI-accelerated development can introduce vulnerabilities into proprietary code that traditional methods would have avoided. These vulnerabilities then remain hidden behind a single organization’s firewall, where only one entity can find and fix them.
There’s also the risk created by how AI is being used within closed codebases. If companies adopt AI tools under misguided incentives, they might inadvertently introduce more vulnerabilities into their proprietary code than traditional methods would have. These vulnerabilities then sit behind a firewall where only one organization can see and fix them, while AI-enabled attackers are increasingly capable of discovering and exploiting these vulnerabilities from the outside.
Underlying all this is the asymmetry in capabilities between attackers and defenders. Open models and tools narrow that gap by giving both sides access to similar capabilities—capabilities previously concentrated within a small number of well-resourced entities.
Building Defenses with Open Tools and Semi-Autonomous Agents
Cybersecurity defense benefits from the integration of open source and AI agents. Based on our analysis, Mythos operates with near-full autonomy, which we’ve cautioned against due to potential loss of control. Instead, a semi-autonomous approach where the types of actions an agent can perform are prespecified and require human approval strikes a good balance. In this setup, AI agents assist in finding vulnerabilities and patching code under their organization’s control.
This is only possible when these systems are built on open components such as open agent scaffolding, rule engines, and auditable decision logs and traces. The “human in the loop” is meaningful only if the human can inspect what the AI did and why. This is much more feasible with open systems than black-box approaches.
Companies don’t need to build everything from scratch; they have a rich ecosystem of security tools, including vulnerability scanners, intrusion detection systems, log analyzers, and fuzzing frameworks, which can be integrated into AI agents for defensive purposes.
Why This Matters Especially for High-Stakes Organizations
For high-stakes organizations, starting from open, auditable foundations means security teams can actually inspect how their monitoring works. Trust in a single vendor’s claims is replaced by rigorous analysis of the system’s components. This is particularly important when sensitive data and processes are involved, and it’s generally preferable to keep such material within an organization’s own control.
The Path Forward
Attackers will develop models that take advantage of vulnerabilities. A key part of the answer lies in adopting transparent practices: open security reviews, published threat models, shared vulnerability databases, and open tooling that any team can adopt. The alternative of each organization attempting to secure itself alone with proprietary tools doesn’t scale against attackers who are coordinating and sharing techniques within their own communities.
The future of AI cybersecurity will be shaped more by the ecosystems surrounding these systems rather than a single model. Openness provides defenders with visibility, control, community support, and shared infrastructure to stay ahead.
Key Takeaways
- Open code and tooling can level the playing field in cybersecurity by distributing tasks across a community rather than centralizing them within a single organization.
- Semi-autonomous AI agents, when built on open components, offer a balanced approach that maintains human oversight while leveraging AI capabilities for defense.
- High-stakes organizations benefit from starting with open foundations as it allows for rigorous analysis and control over their security systems.
Stay ahead of AI. Get the most important stories delivered to your inbox — no spam, no noise.
